In other words, there isn't a best product. It depends on a corporation's specific needs.
But, that said, here's a quick rundown of some common products and what to look for when shopping around for a solution.
Far and away, the most common biometrics devices are still fingerprint scanners. Despite a lot of new products on the market, including some rather esoteric ones, fingerprint scanners remain the old standby. This is partly because they were one of the first biometric technologies invented and partly because of their ease of use.
But that doesn't mean fingerprint scanners should be the only consideration for a company's first biometrics implementation. There are also face and voice recognition systems and iris and retinal scanners, as well as new devices that "learn" typing patterns or identify electrophysiological signals.
Each has its own strengths and weaknesses. Fingerprint scanners have been around for a while and have a good track record. But they can be defeated, sometimes by a putty mold of a fingerprint, for example. They're also prone to errors. If a fingerprint is damaged from an injury or smudged, the reader might not work. Face and voice recognition systems suffer from some of the same issues -- they can be recorded, copied or spoofed. Iris and retinal scanners suffer from lack of customer acceptance. Who wants a light beam shining on their eye?
On the more esoteric side, BioPassword uses what they call keystroke dynamics to measure and record a user's typing speed and style. Aladdin is piloting a device that measures electrophysiological signals, which are a combination of heart rate and other cardiovascular metrics that can be read through a fingertip put on a reader.
Whichever route you choose, make sure there is a clear business case. Biometrics of all types requires an investment in hardware. If the data being protected is of low risk, biometrics is overkill. It should only be considered for access to highly sensitive data and high-value transactions. Otherwise, stick to more traditional authentication systems.
Make sure the devices are compatible with your network architecture. Biometrics has had a renaissance lately because the devices have gotten smaller; some are the size of key fobs and plug into USB ports.
The next consideration is the security of the device and its supporting systems. Data from biometrics devices is sensitive, like any other authentication credential. It should be gathered on a tamper-proof device, transmitted over an encrypted channel and stored in an encrypted database. Both Active Directory and LDAP offer these capabilities, and it's a best practice to check if the device is compliant with either of these authentication directory systems.
Then, of course, user acceptance is key. Whether for employees on the job or customers outside the company, if users don't want it, or think it's too difficult to use, consider something other than biometrics.
For more information:
This was first published in December 2007