What is biometrics?
Biometrics is an authentication method that uses fingerprint or facial scans and iris or voice recognition to identify users. A biometric scanning device takes a user's biometric data, such as an iris pattern or fingerprint scan, and converts it into digital information a computer can interpret and verify. Since it is more difficult for a malicious hacker to gain access to a person's biometric data, and it is unlikely that a user will...
misplace or misuse his or her biometric data, this form of technology a greater level of assurance than other methods of identification.
Biometrics can be used for both physical access to corporate buildings and internal access to enterprise computers and systems. Biometrics is most often used as a form of authentication in a broader two-factor or multifactor authentication system, since most biometric implementations also require employees to enter user IDs and passwords.
Biometric devices and systems
There are a plethora of biometric devices available -- including fingerprint scanners, face and voice recognition, iris scans and keystroke dynamics -- and it is important for an enterprise to choose a device that fits and addresses its specific needs, such as business infrastructure, system vulnerabilities and user access. Below is a brief description of some of the most popular biometric authentication devices and systems to help security managers learn the pros and cons and how to know if they are right for an organization.
Fingerprint scanners are one of the oldest forms of biometrics and have been largely reliable when is comes to authentication. These systems are easy to use, which makes them favorable among users, but like all authentication products they have some weaknesses. Fingerprints can be copied from a user's calculator or coffee mug, for example, for malicious access. They can also be troublesome if a user's fingerprint is damaged or altered (i.e. a cut or burned finger).
Face and voice recognition systems are similar to fingerprint scanners. Their ease of use makes them favorable, but a user's voice can be recorded and a face can be copied from a photograph, in some cases enabling third-party malicious access to systems.
Iris and retinal scans are considered to be a more secure form of biometric authentication, since copying a person's retinal pattern is a much more difficult task than copying a fingerprint.
Using a keystroke dynamics-based authentication system is another option. This technology measures a users keystroke style and speed -- words typed per minute, common errors, letter sequence -- and stores that information in a system directory to be used in the future to authenticate a user. BioPassword Inc., Aladdin Knowledge Systems Ltd. and Deepnet Security Ltd. are three vendors that offer keystroke dynamics products.
Implementation of biometric systems can be tricky and expensive, requiring corporate spending on hardware and software. The implementation and deployment processes varies for different biometric systems, so organizations must first carefully consider which type of system to deploy, and then meticulously plan the process.
Biometrics is an advanced technology intended to protect extremely sensitive data, so it should only be considered for highly sensitive material. Using biometrics for any other type of data would be a waste of time and money. Organizations should do a thorough risk analysis of their systems to determine what information is in need of protection via biometric technology, i.e. a customer's credit card information.
Exploring authentication methods
ID and password authentication
Biometric authentication devices and systems
Enterprise single sign-on: Easing the authentication process
PKI and digital certificate authentication and implementation
Security token and smart card authentication
Organizations must also ensure secure transmission and storage of biometric data. Although biometric systems are considered one of the most advanced forms of authentication, they do have certain flaws. For instance, some people think it is impossible to duplicate a user's biometric information, but when it is converted into digital data, it can be stolen by a hacker as it transmitted through insecure networks and later replayed.
As stated earlier, organizations can decrease the likelihood of hackers gaining access to a users' biometric information by using data that is more difficult to copy, but the risk is still there. Considering, it is essential that enterprises take several precautions to ensure that the data is transmitted, gathered and stored properly.
Organizations must make sure that all information transmitted from the biometric reader to the authenticating server is gathered on a secure device, sent over an encrypted channel and stored in an encrypted database. Both Active Directory and LDAP can perform these actions. Finally, any servers running biometric applications must be patched and hardened.
Lastly, whichever product an organization decides to implement, it is important to run the product in a test environment first to weed out bugs that could present themselves during implementation and to figure out how to minimize user-acceptance issues.