
How to protect a laptop: Biometrics vs. encryption

How has biometrics changed the laptop security landscape? Is full disk encryption even necessary on a laptop with a biometric scanner? Learn more in this expert response.

The executives at my enterprise have extremely sensitive information on their laptops. I'm considering deploying biometric authentication on these devices. My question is, if I use biometrics, how useful or necessary is full-disk encryption?

Actually, you've asked about two separate functions for protecting a laptop: strong authentication and encryption. While these two can be used in conjunction, they don't provide the same protection schemes.

Biometric authentication is used to positively identify the user at login. Full disk encryption prevents unauthorized users from accessing the system data. If you put biometric authentication on the laptop and it's stolen, without full disk encryption, there's nothing to prevent someone from pulling the disk drive out of the laptop, putting it in an external case and reading the data on another system.

It's worth noting that while it may seem like biometric authentication is superior to password-based systems, that's not necessarily true. Studies suggest that biometric authentication is in many ways easier to break. Your fingerprint "password" can be lifted from a door knob on the outside of a locked office, a coffee mug or even a keyboard left at a cubicle. Even if you use optical recognition, the invention of 15-megapixel cameras may allow that group photo taken at the company outing, once blown up, to have enough detail to fool the optical eye scanner on a laptop.

It should also be pointed out that neither biometrics nor full disk encryption does any good if someone walks away from his or her laptop without logging out first (it takes little time to go to an active laptop, plug in a thumb drive and download many megabytes of information). My advice is to use both full disk encryption and biometric authentication (ideally as part of a multifactor authentication scheme) whenever possible. The combination will ensure a high level of security for authentication and data protection. You can use biometrics as a "something I have" authentication method, but I wouldn't uninstall the full disk encryption software anytime soon.


This was last published in December 2009
