Biometrics: Best practices, future trends

While biometrics products are better and more finely tuned than they used to be, and the classic problems they used to have of false readings and high error rates are diminishing, it still requires careful consideration and planning to implement. It's not magical protection for your network. Like any other authentication tool, there are best practices and pitfalls to watch out for.

Biometrics systems can be costly and are more complicated to implement than other effective traditional two-factor authentication systems (tokens, smart cards and one-time passwords). Also, the market is splintered. There are fingerprint readers, iris scanners and face recognition systems among the hundreds of biometrics products available and each is different and requires different implementation. So it's not easy to compare them, which leaves IT purchasing managers without a single focal point when evaluating the different products coming across their desks. This doesn't mean biometrics should be ruled out, but that it requires more careful planning up front before deployment than other traditional authentication systems with longer track records.

More biometrics information Find out how biometrics and smart cards can be fooled. Learn about the strengths and weaknesses of biometric security systems. Submit a question to ID and access management expert Joel Dubin.

The RSA vendors included the conventional, like fingerprint readers, and the off-beat, like the device that builds a physiological profile of the user and another that captures the user's typing speed. The following is a sampling of some these offerings:

Aladdin, better known for its AV software, displayed a prototype of the BioDynamic Reader. This consists of a mouse with two tiny pads -- one for each of two fingers -- that the user touches to register and gain access. The device builds a profile based on electrophysiological signals captured from the user. The BioDynamic Reader is scheduled for release sometime in 2007.

Another unusual product, the BioPassword, measures the user's keystroke speed and typing style. A new user has to type in their password about a dozen times to build a keystroke profile. After that, the user just types in their user ID and password and the system "knows" who is typing by their keystroke style. If it's someone other than the registered user, access is denied. The BioPassword can be fine-tuned and adjusted by a system administrator, as needed.

Traditional fingerprint scanners, some on USB thumb drives, others embedded into laptops, were more the norm among other biometrics vendors. Two examples were ClipDrive Bio from Memory Experts International and the BioPass 3000 from Feitan. Another fingerprint scanner company, BIO-key International, developed a neat software interface that builds the scanned fingerprint on the screen of the user's laptop as they are logging in. The software requires a fingerprint reader, either a USB token or a built-in reader on the laptop.

Here are some best practices and things to consider for implementing biometrics systems:

• Do a thorough risk analysis of your systems. In some cases, biometrics may be overkill, in others, it may be just what you need to access systems with sensitive customer data or that process high-risk transactions. Only consider using biometrics if the level of risk warrants it.
• Consider customer acceptance when used for logging on to company Web sites. Most home users aren't quite ready to install biometrics on their home computers to do their online banking.
• Be mindful of where the digital data or templates generated by biometric devices will be stored. All raw biometric data from any reader -- whether a face recognition system or a keystroke profiler -- is analog and must be digitized for consumption by a computer. This data needs to be protected on a dedicated and secure server to prevent it from being stolen and replayed against the system for malicious access.
• Ensure secure transmission of biometric data from the reader, such as a USB token. Encrypt all data to prevent its theft in transit between the reader and the data store.
• Just like any other authentication data, biometric data needs a home. Therefore, ensure interoperability with existing databases for storing authentication data, such as Active Directory or LDAP.

About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP whose specialty is Web and application security and the author of The Little Black Book of Computer Security available from Amazon.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Security Buyer's Guide,   Enterprise Identity and Access Management,   User Authentication Services,   Biometric Technology,   Security Token and Smart Card Technology,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Security Buyer's Guide Keystroke dynamics makes BioPassword Internet Edition a viable authentication option Access security with KoolSpan's SecurEdge NetChk Protect 5.5 2006 Products of the Year: Emerging Technologies Secure Sphere 2.0 Scan & Deliver: SLAs force service providers and outsources to hit the mark ... or hit the road Secure remote access: SSH Tectia Manager Spycatcher Enterprise 3.2 Configuresoft's Enterprise Configuration Manager v4.7 Websense Enterprise 5.5 Biometric Technology Group to shed light on secure identity management threats Biometrics project studies ways to combat bank fraud Apple iPhone app could boost two-factor Vein-reader biometric authentication for health care, financials Exploring authentication methods: How to develop secure systems Biometric authentication know-how: Devices, systems and implementation Pre-boot biometric user authentication tools and strategies To what exactly would a request for biometric data from an insurance provider pertain? Keystroke recognition aids online authentication at credit union What are the possible benefits of microchip implants and RFID tags for employees? Biometric Technology Research Security Token and Smart Card Technology First Data, RSA push tokenization for payment processing How to log in to multiple servers with federated single sign-on (SSO) Best Authentication Products Are 'strong authentication' methods strong enough for compliance? Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Portable security storage device could replace OTP devices Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Embedded smart card chips are open to hack attacks RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary biometric payment  (SearchSecurity.com) electro-optical fingerprint recognition  (SearchSecurity.com) false acceptance  (SearchSecurity.com) finger vein ID  (SearchSecurity.com) fingernail storage  (SearchSecurity.com) keystroke dynamics  (SearchSecurity.com) live capture  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) password hardening  (SearchSecurity.com) ridge  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.