Body language: The new security

What barrier does your company have between a resourceful hacker with malicious intentions and the company's systems, applications, and databases? A password? A password that can be forgotten, guessed, or stolen? Good luck.

You can make your users change their passwords regularly and delete access privileges when an employee leaves the company, but password protection will never be fail-safe. Passwords are only as reliable as the people who have to remember and safeguard them. Rather than putting your trust in something so potentially unpredictable, you can beef up your security using biometrics technology and rely instead on your users' fingers, faces, eyes, and voices.

Joel Deitch has 15 years of experience marketing and writing about technology. Currently he is a senior marketing manager at an information security management organization and lives (securely) in Atlanta, Georgia.

Biometrics picks up where passwords leave off, identifying users by unique individual physical characteristics: fingerprints, voiceprints, facial patterns, or even the motion of signing a name. Biometrics converts a physical characteristic into a number and generates a digitally encoded identifier based on this number. Because it is almost impossible for any two individuals to have identical traits, these numbers and algorithms essentially guarantee that each profile works for only one user.

These identifiers are numbers, not the actual fingerprints, voice prints, image scans, or motion scans. This is important for employees to understand, because they may object to being "catalogued"--having their fingerprint or retinal information stored on the client or the network. In the end, the only information stored is the unique digital imprint created during enrollment.

The biometrics advantage
Biometrics provides several potential security improvements over passwords alone. First, physical characteristics can't be forgotten or left behind. Second, it's almost impossible to fake a fingerprint, a voiceprint, or a signature motion. With both biometric verification and a password required for login, it's very unlikely that someone can use a stolen password for unauthorized access, as long as the servers containing the digital profiles are properly protected.

For the most part, administrators determine the level of security for each user and device. For example, fingerprint scanners can be set to test the print of a single finger or require all ten digits before allowing access. Putting a lot of data in a user profile, however, means that login takes longer. On the other hand, the more complex a profile is, the harder it is to replicate or fake.
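To make the points above concrete (only a derived identifier is stored, never the image; a login needs both the password and a biometric match; the administrator chooses how strict the match must be), here is an added Python example that is not from the article or from any of the reviewed products. The feature tuples, the distance function and the threshold are constructed stand-ins for whatever a real scanner and matcher produce. It also shows one thing the paragraph only implies: a biometric template cannot be stored as a salted hash the way a password can, because no two readings of the same finger agree exactly, which is why the servers holding the profiles need the protection the text asks for.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for a scanner's output: a tuple of small integers
# derived from the finger (the "number" the article describes). Two scans of
# the same finger never agree exactly, so matching needs a tolerance.
FINGER_A_ENROLL = (12, 40, 33, 71, 18, 55, 90, 27)
FINGER_A_LOGIN = (13, 39, 33, 72, 18, 54, 90, 28)   # same finger, noisy rescan
FINGER_B_LOGIN = (60, 11, 85, 20, 47, 33, 9, 64)    # a different person


def hash_password(password: str, salt: bytes) -> bytes:
    """A password must match exactly, so it can be stored as a salted hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str, template: tuple) -> dict:
    """Build the stored profile: the derived template (no image) and the
    password only as a salted hash. The template itself stays readable,
    which is exactly why the profile store is a high-value target."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "template": template}


def distance(a: tuple, b: tuple) -> int:
    """Sum of per-feature differences; 0 would mean an identical reading."""
    return sum(abs(x - y) for x, y in zip(a, b))


def exact_match_after_hashing(template: tuple, reading: tuple) -> bool:
    """What would happen if templates were hashed like passwords: a genuine
    but noisy rescan never matches, so that scheme is unusable for biometrics."""
    digest = lambda t: hashlib.sha256(repr(t).encode()).digest()
    return hmac.compare_digest(digest(template), digest(reading))


def verify(profile: dict, password: str, reading: tuple, max_distance: int) -> bool:
    """Two-factor check: the password must hash to the stored value, and the
    fresh reading must lie within max_distance of the enrolled template.
    max_distance is the administrator's strictness knob: lower rejects more
    genuine users (slower, repeated logins), higher lets more impostors through."""
    pw_ok = hmac.compare_digest(profile["pw_hash"], hash_password(password, profile["salt"]))
    bio_ok = distance(profile["template"], reading) <= max_distance
    return pw_ok and bio_ok
```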

Current biometric products are less expensive, simpler to deploy, and easier to manage than their predecessors. Some manufacturers concentrate on providing the hardware and back-end software for biometrics. Other companies concentrate on integrating multiple biometric technologies with existing Windows security and general network management infrastructure. There is, of course, much overlap in these offerings. What's important is that biometrics now integrates cleanly and easily within an overall network security management practice, including turnkey server kits and professional services that greatly simplify deployment.

How much does it cost?
Biometric devices start at under $100 for a basic microphone or digital camera. Fingerprint scanners cost about the same. More specialized iris or retina scanners provide greater security but cost several hundred dollars per unit. Handwriting motion scanners require a digital drawing tablet (starting at around $150 per unit), plus client software (approximately $100 per seat) to work their magic.

Smaller organizations should look for devices that cleanly integrate with the security management already built into their operating system and allow for remote enrollment for offsite users. Larger organizations should expect to spend $2,000 and up for each copy of server software, plus client software and per-seat charges. Back-end administration and maintenance costs are comparable to any enterprisewide security management solution.

We evaluated three products that are representative of the primary biometric technologies. All of the products performed as advertised, but their significant differences may determine which technology is right for your company.

Digital Persona U.Are.U fingerprint reader

Fingerprint reader
The Digital Persona U.Are.U reads your fingerprint through a clear oval window on its top. Windows 2000 immediately identified the small, gray USB device. The necessary drivers and software loaded seamlessly. Drag-and-drop utilities make it easy to set up fingertip logins to individual Web sites. While its red glow makes it look suitable for any technogeek, it may be a little off-putting for just plain folks.

Each user must commit to using U.Are.U to log on to the client PC, but traditional passwords are always available as an alternative. By assigning users' U.Are.U profiles to privilege sets, administrators can require biometric login for certain network resources. Users can add individual U.Are.U logins, including no-typing access to individual Web sites.

Iridian Authenticam iris recognition camera

Iris scan
The Iridian Authenticam iris recognition camera we checked out was a prototype model with preproduction software. The Authenticam looks like a normal Web camera (and can double as one) but has two additional apertures. The first contains a hologram that helps position the eye properly for registration or verification and performs the actual recognition. The second illuminates the eye to create an accurate image map of it. As with the U.Are.U system, enrollment is simple and straightforward. People wearing glasses need to take them off during enrollment, but they don't have to remove them later to be identified for login, according to the company.

Whereas fingerprint technology seems best suited for PC and network access, iris recognition can serve as the foundation for a much broader solution. In fact, Iridian makes more sophisticated cameras for controlling physical access to buildings or instantly identifying users at ATMs. Iridian works with hardware vendors to integrate iris recognition technology into comprehensive access-control solutions.

Iridian is in the process of updating its basic camera with a smaller, more capable unit. Our preproduction unit and pre-beta software used a parallel port interface rather than USB to make its basic connection. Given the vagaries of using parallel ports for such an important function, we would recommend that these biometrics be used only with Windows 98, Windows Me, or Windows 2000 clients with USB capability.

Voiceprint recognition
We also examined two Web-based authentication systems that use voiceprint recognition for access control. The first is JotterSAF, from SAFLink, which we downloaded and installed. To use this test version of JotterSAF, you must first generate a reliable print of your voice and register it with the sample Web portal. During that process, we ran into both the strength and weakness of voiceprint recognition.

Biometrics offers several distinct advantages over password-protected access control. This mature, cost-effective technology could improve and simplify access control. That said, biometrics carries a couple of liabilities that may delay its rapid acceptance.

Because laptops usually come with a microphone, voiceprint recognition is a strong option for mobile users. But in addition to the limitations that ambient noise poses, users may resist the technology because they feel awkward talking to a PC in public. The alternative--a camera or a fingerprint scanner--may not pose a problem for desktop users, but most of these devices are external. While you can't expect laptop users to be excited about having to carry yet another piece of equipment, some laptop vendors--including Acer and Compaq--now offer laptops with a built-in fingerprint scanner.

Some laptops and monitors now have built-in cameras, and desktop keyboards and pointing devices are now available with fingerprint scanners. The built-in biometric devices should increase the likelihood of acceptance among users and security administrators. If biometrics isn't quite ready for prime time, it's certainly waiting in the wings. It just needs improved hardware integration so that it's much easier and less expensive to deploy.

Don't throw away your passwords just yet; biometric systems aren't a cure-all. Hardware fails. Users upgrade to new systems. Either scenario may require you to rebuild each logon profile on the client one system at a time, unless that information has been backed up elsewhere.

Biometrics may provide a strong alternative to password authentication, but the client isn't the only way into your network. Back-end systems that host biometric security systems are just as susceptible to online sabotage as other technologies. If your servers go down or your registrations are damaged, your employees and customers can't log on. In a worst-case scenario, you will need to painstakingly rebuild all of your user profiles before full functionality can be restored.

The fingerprint scanner is the device we'd be most likely to carry on a business trip. It offers the best balance of convenience and usability and is compact enough that manufacturers are starting to build scanners into their laptops. But for more comprehensive solutions that require a high degree of integration--including PCs, ATMs, and building access--iris, retina, and face recognition make more sense. This option may be a more appropriate general-purpose solution when monitors and laptops with built-in cameras become commonplace. For now, voice recognition seems the best suited of the three for mobile use, even if it is a bit problematic.

In an ideal world, visual recognition systems would automatically register our identities when we enter our office buildings. This information would then be used to turn on our office lights and our PCs and download our e-mail and calendars. Laptops would have built-in fingerprint scanners for secure access to the computer and remote back-end services. Our cell phones and PDAs would be integrated into a single device with voice recognition, allowing us to log in to corporate telephony and mobile network services.

The technology to make this science fiction a reality is here today, although the integration is not yet truly transparent. Nonetheless, today's biometric security products work very well, are improving rapidly, and deserve a careful look.