The executives at my enterprise have extremely sensitive information on their laptops. I'm considering deploying biometric authentication on these devices. My question is, if I use biometrics, how useful or necessary is full-disk encryption?
Actually, you've asked about two separate functions for protecting a laptop: strong authentication and encryption. While these two can be used in conjunction, they don't provide the same protection schemes.
Biometric authentication is used to positively identify the user at login. Full disk encryption prevents unauthorized users from accessing the system data. If you put biometric authentication on the laptop and it's stolen, without full disk encryption, there's nothing to prevent someone from pulling the disk drive out of the laptop, putting it in an external case and reading the data on another system.
It's worth noting that while it may seem like biometric authentication is superior to password-based systems, that's not necessarily true. Studies suggest that biometric authentication is in many ways easier to break. Your fingerprint "password" can be lifted from a door knob on the outside of a locked office, a coffee mug or even a keyboard left at a cubical. Even if you use optical recognition, the invention of 15 megapixel cameras may allow that group photo taken at the company outing, once blown up, to have enough detail to fool the optical eye scanner on a laptop.
It should also be pointed out that both biometrics and full disk encryption don't do any good if someone walks away from his or her laptop without logging out first (it takes little time to go to an active laptop, plug in a thumb drive and download many megabytes of information). My advice is use both full disk encryption and biometric authentication (ideally as part of a multifactor authentication scheme) whenever possible. The combination will ensure a high level of security for authentication and data protection. You can use biometrics as a "something I have" authentication method, but I wouldn't uninstall the full disk encryption software anytime soon.
Should open source disc-encryption software be used?
Learn more about biometrics devices, systems and implementations
Related Q&A from Randall Gamby, Contributor
Is your remote desktop access software really secure? Randall Gamby offers advice for conducting a remote access audit to validate security.continue reading
Expert Randall Gamby discusses risk-based authentication, and whether that type of user identification system is right for the enterprise.continue reading
Expert Randall Gamby discusses various types of single sign-on, specifically the approaches of Ping Identity's SSO and Symplified SSO.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.