First, let's review where biometric technology sits in the pecking order of authentication. The recording of biometric data is considered a multifactor authentication mechanism. In authentication, there are three factors: something you know, as in a user ID and a password; something you have, such as a smart card or a onetime password (OTP) token; or something you are, like in a physical characteristic.
Biometric authentication tools record a unique physical characteristic of the user, such as a fingerprint, iris scan or facial pattern. Typically the user will have a user ID and password in addition to a biometric logon. Here is a textbook example of two-factor authentication: something you know combined with something you are. Biometrics is then part of a defense-in-depth strategy that protects system access. If one factor is cracked, the other, hopefully, will still block malicious access.
But fingerprints can be spoofed, and images of them can be stolen, just like user IDs and passwords. The same can be said for a system based on facial recognition. A photograph of the user could be used to fake out the system, if the machinery is not properly configured.
There are other barriers to the growth of biometric authentication. First, it's difficult to compare systems equally, particular for analyzing costs and implementation in an enterprise architecture. A fingerprint reader, for example, is set up differently than a voice recognition system or an iris scanning machine. Biometric technology is difficult to implement and requires a heavy investment in hardware and software, more so than simple password systems. Third, there is the question of customer acceptance and ease of use. Many people would be squeamish about looking into a beam that measures the iris.
Security observers say user IDs and passwords are obsolete and can be cracked with readily available online tools. But the same could be said about locks and keys for homes and offices. In some cases, a lock and key are adequate for some homes, just as the combination of a user ID and password is adequate protection for some computer systems.
The answer is in the level of risk. Before implementing any authentication system, a thorough risk assessment should be conducted to determine the business impact and costs of a data breach or malicious access. Biometric authentication is only warranted for high-risk systems where the cost of the breach would be greater than the cost of the system, If there is a system with large amounts of customer information or high-value money transfers, then biometric devices may be appropriate.
Biometrics may slowly get a foothold, but old-fashioned passwords aren't fading away any time soon.
This was first published in February 2007