A fingerprint reader is a type of biometrics device. A biometrics device authenticates based on a physical characteristic of the user. It's one of the three factors of authentication: something you know, something you have and something you are. Something you know would be a piece of knowledge the user memorizes, like a password. Something you have would be something the user carries, like a smart card or a one-time password (OTP) token. Something you are is a physical characteristic, like someone's fingerprint, voice or facial features.
Biometrics are considered the strongest of the authentication factors because they're the most difficult to copy and spoof, unlike user IDs and passwords, which can be easily guessed or even outright stolen by being sniffed over the Web. The other promise of biometrics is ease of use. Users don't have to remember passwords; they're always carrying their authentication devices with them. They can't leave their fingerprint at home, or forget where they put it.
Until recently, however, biometrics devices were also the most expensive and difficult forms of authentication to deploy. Software controls, like user IDs and passwords, don't require extra hardware or installation like a biometrics device. Because of these hardware requirements, biometrics remains the most difficult of the three authentication factors to deploy, and should only be considered for protecting high-risk systems and applications. Do a thorough risk analysis of what is to be protected before considering biometrics.
Still, fingerprint readers, which are the oldest and most common biometrics devices, are now lightweight, often the size of an OTP token. Today, many laptops and desktops can be ordered with built-in fingerprint readers.
As for pre-boot authentication, there are products like SafeBoot, which was acquired by McAfee Inc. last year. SafeBoot protects computers by encrypting their hard drives. It can be used to prevent malicious access to data on a stolen laptop, for example. SafeBoot works by requiring users to authenticate at the hardware level before the operating system boots up. This prevents a malicious user from bypassing the operating system password with a boot CD.
If the idea is to require biometrics for pre-boot authentication, then SafeBoot is one product that can do the trick. Although by default it uses a standard user ID and password, it can also work with the other authentication factors previously mentioned. Other hard-drive encryption products with similar capabilities are PGP Corp.'s Whole Disk Encryption, SecurStar GmbH's Drive Pack and Utimaco Safeware MG's SafeGuard.
This was first published in August 2008