Biometrics: Best practices, future trends

While biometrics products are better and more finely tuned than they used to be, and the classic problems they used to have of false readings and high error rates are diminishing, it still requires careful consideration and planning to implement. It's not magical protection for your network. Like any other authentication tool, there are best practices and pitfalls to watch out for.

Biometrics systems can be costly and are more complicated to implement than other effective traditional two-factor authentication systems (tokens, smart cards and one-time passwords). Also, the market is splintered. There are fingerprint readers, iris scanners and face recognition systems among the hundreds of biometrics products available and each is different and requires different implementation. So it's not easy to compare them, which leaves IT purchasing managers without a single focal point when evaluating the different products coming across their desks. This doesn't mean biometrics should be ruled out, but that it requires more careful planning up front before deployment than other traditional authentication systems with longer track records.

More biometrics information Find out how biometrics and smart cards can be fooled. Learn about the strengths and weaknesses of biometric security systems. Submit a question to ID and access management expert Joel Dubin.

The RSA vendors included the conventional, like fingerprint readers, and the off-beat, like the device that builds a physiological profile of the user and another that captures the user's typing speed. The following is a sampling of some these offerings:

Aladdin, better known for its AV software, displayed a prototype of the BioDynamic Reader. This consists of a mouse with two tiny pads -- one for each of two fingers -- that the user touches to register and gain access. The device builds a profile based on electrophysiological signals captured from the user. The BioDynamic Reader is scheduled for release sometime in 2007.

Another unusual product, the BioPassword, measures the user's keystroke speed and typing style. A new user has to type in their password about a dozen times to build a keystroke profile. After that, the user just types in their user ID and password and the system "knows" who is typing by their keystroke style. If it's someone other than the registered user, access is denied. The BioPassword can be fine-tuned and adjusted by a system administrator, as needed.

Traditional fingerprint scanners, some on USB thumb drives, others embedded into laptops, were more the norm among other biometrics vendors. Two examples were ClipDrive Bio from Memory Experts International and the BioPass 3000 from Feitan. Another fingerprint scanner company, BIO-key International, developed a neat software interface that builds the scanned fingerprint on the screen of the user's laptop as they are logging in. The software requires a fingerprint reader, either a USB token or a built-in reader on the laptop.

Here are some best practices and things to consider for implementing biometrics systems:

• Do a thorough risk analysis of your systems. In some cases, biometrics may be overkill, in others, it may be just what you need to access systems with sensitive customer data or that process high-risk transactions. Only consider using biometrics if the level of risk warrants it.
• Consider customer acceptance when used for logging on to company Web sites. Most home users aren't quite ready to install biometrics on their home computers to do their online banking.
• Be mindful of where the digital data or templates generated by biometric devices will be stored. All raw biometric data from any reader -- whether a face recognition system or a keystroke profiler -- is analog and must be digitized for consumption by a computer. This data needs to be protected on a dedicated and secure server to prevent it from being stolen and replayed against the system for malicious access.
• Ensure secure transmission of biometric data from the reader, such as a USB token. Encrypt all data to prevent its theft in transit between the reader and the data store.
• Just like any other authentication data, biometric data needs a home. Therefore, ensure interoperability with existing databases for storing authentication data, such as Active Directory or LDAP.

About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP whose specialty is Web and application security and the author of The Little Black Book of Computer Security available from Amazon.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Security Buyer's Guide Keystroke dynamics makes BioPassword Internet Edition a viable authentication option Access security with KoolSpan's SecurEdge NetChk Protect 5.5 2006 Products of the Year: Emerging Technologies Secure Sphere 2.0 Scan & Deliver: SLAs force service providers and outsources to hit the mark ... or hit the road Secure remote access: SSH Tectia Manager Spycatcher Enterprise 3.2 Configuresoft's Enterprise Configuration Manager v4.7 Websense Enterprise 5.5 Biometrics Keystroke recognition aids online authentication at credit union Biometrics vs. biostatistics What precautions should be taken if biometric data is compromised? How to choose the right biometric security product Using fingerprint door locks in a network environment Where did the biometric device come from? How can the combination of biometrics and electrophysiological signals be used for authentication? What are the pros and cons of using keystroke dynamic-based authentication systems? What risks are associated with biometric data, and how can they be avoided? Is there any policy or regulation to help protect biometric data? Biometrics Research Tokens and Smart Cards Product review: Secure Computing SafeWord 2008 Video: Changes ahead for MIT Kerberos Consortium Kerberos: Authentication with some drawbacks What are the dangers of using radio frequency identification (RFID) tags? How to prevent hack attacks against smart card systems. Smart card deployment: How to know if it's smart for your enterprise Can tokenization of credit card numbers satisfy PCI requirements? Is there a way to bridge physical and logical security without using smart cards or biometrics? Preparing for integrated physical and logical access control: The common authenticator Are one-time password tokens susceptible to man-in-the-middle attacks? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary biometric payment  (SearchSecurity.com) electro-optical fingerprint recognition  (SearchSecurity.com) false acceptance  (SearchSecurity.com) finger vein ID  (SearchSecurity.com) fingernail storage  (SearchSecurity.com) keystroke dynamics  (SearchSecurity.com) live capture  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) password hardening  (SearchSecurity.com) ridge  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.