Biometrics is slowly making its way into the universe of authentication products for the enterprise. However, based on some new products on display at this year's RSA Conference in February, it's not just about fingerprint scanners and face recognition systems anymore. Biometrics is evolving into a range of science fiction-like systems that measure esoteric physical characteristics, like typing speed and electrophysiological signals...
-- to name two of many.
While biometrics products are better and more finely tuned than they used to be, and the classic problems they used to have of false readings and high error rates are diminishing, it still requires careful consideration and planning to implement. It's not magical protection for your network. Like any other authentication tool, there are best practices and pitfalls to watch out for.
Biometrics systems can be costly and are more complicated to implement than other effective traditional two-factor authentication systems (tokens, smart cards and one-time passwords). Also, the market is splintered. There are fingerprint readers, iris scanners and face recognition systems among the hundreds of biometrics products available and each is different and requires different implementation. So it's not easy to compare them, which leaves IT purchasing managers without a single focal point when evaluating the different products coming across their desks. This doesn't mean biometrics should be ruled out, but that it requires more careful planning up front before deployment than other traditional authentication systems with longer track records.
The RSA vendors included the conventional, like fingerprint readers, and the off-beat, like the device that builds a physiological profile of the user and another that captures the user's typing speed. The following is a sampling of some these offerings:
Aladdin, better known for its AV software, displayed a prototype of the BioDynamic Reader. This consists of a mouse with two tiny pads -- one for each of two fingers -- that the user touches to register and gain access. The device builds a profile based on electrophysiological signals captured from the user. The BioDynamic Reader is scheduled for release sometime in 2007.
Another unusual product, the BioPassword, measures the user's keystroke speed and typing style. A new user has to type in their password about a dozen times to build a keystroke profile. After that, the user just types in their user ID and password and the system "knows" who is typing by their keystroke style. If it's someone other than the registered user, access is denied. The BioPassword can be fine-tuned and adjusted by a system administrator, as needed.
Traditional fingerprint scanners, some on USB thumb drives, others embedded into laptops, were more the norm among other biometrics vendors. Two examples were ClipDrive Bio from Memory Experts International and the BioPass 3000 from Feitan. Another fingerprint scanner company, BIO-key International, developed a neat software interface that builds the scanned fingerprint on the screen of the user's laptop as they are logging in. The software requires a fingerprint reader, either a USB token or a built-in reader on the laptop.
Here are some best practices and things to consider for implementing biometrics systems:
- Do a thorough risk analysis of your systems. In some cases, biometrics may be overkill, in others, it may be just what you need to access systems with sensitive customer data or that process high-risk transactions. Only consider using biometrics if the level of risk warrants it.
- Consider customer acceptance when used for logging on to company Web sites. Most home users aren't quite ready to install biometrics on their home computers to do their online banking.
- Be mindful of where the digital data or templates generated by biometric devices will be stored. All raw biometric data from any reader -- whether a face recognition system or a keystroke profiler -- is analog and must be digitized for consumption by a computer. This data needs to be protected on a dedicated and secure server to prevent it from being stolen and replayed against the system for malicious access.
- Ensure secure transmission of biometric data from the reader, such as a USB token. Encrypt all data to prevent its theft in transit between the reader and the data store.
- Just like any other authentication data, biometric data needs a home. Therefore, ensure interoperability with existing databases for storing authentication data, such as Active Directory or LDAP.
The market for biometrics products is still growing and, as with any product in its infancy, hasn't succumbed yet to consolidation. With that in mind, keep shopping and don't settle for the latest cool product or fad. Think long-term and about what authentication systems fit best into your particular network before opening the corporate checkbook.
- Find out how biometrics and smart cards can be fooled.
- Learn about the strengths and weaknesses of biometric security systems.
- Submit a question to ID and access management expert Joel Dubin.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP whose specialty is Web and application security and the author of The Little Black Book of Computer Security available from Amazon.