 |
||||
|
|
|
||
|
Contents 
Introduction
The world's easiest business case?
The big sticking point
Putting your finger on it
Sidebar: Getting a feel for biometrics |
|
||
|
|
||||
|
|
||||
Biometrics would seem to be a clear advantage when it comes to security, but there are a few things to consider before you jump into the technology:
- Measure your risk. Like all security technologies, each form of biometrics has its own risk profile. You must be comfortable with the risk exposure and benefits it provides, particularly in comparison with your existing authentication methods.
- What price, security? Fingerprint scanners have come down in price substantially, but other forms of biometrics still remain relatively expensive. Weigh the technology's likely cost against the value of the information you're protecting, and you'll have a good sense of whether it's worth the extra investment (it usually is).
- Assess your current costs. You may never have considered it, but maintaining passwords for employees is probably costing you a bundle. Work with the call centre manager to get some clear statistics about how much time is being spent servicing password change requests, and your business case for biometrics is likely to jump out at you.
- Consider a staged rollout. You don't have to jump straight into biometrics with both feet; be sure to trial it in small user groups to catch any problems before you expand its scope. It's easier to wean people off their passwords slowly than forcing them to go cold turkey. Use the onion approach. Security in layers can be even better than a completely new form of security. Rather than necessarily seeing biometrics as a complete password replacement, consider retaining passwords but allowing users to keep much easier-to-remember passwords.
- Get physical. Biometrics isn't just for securing systems access; many companies use expensive hand geometry scanners or iris scanners as super-strength door locks to physically secure sensitive parts of the business, but still use passwords for general systems access.
- Respect their privacy. Fingerprint and other scanning devices simply produce a string of numbers, but oh!, how contentious that string of numbers can be. You are not outside of your rights to implement biometric security, but be sure rollout plans are made with the full involvement of users, legal, business and technical representatives so nobody gets their nose out of bent later on.
- There are many benefits below the radar. Each form of biometric identification has its own level of intrusiveness. You may find employees balk at highly intrusive forms of authentication, but that your business can still get benefits by introducing non-intrusive voice authentication over the phone. This could be useful both for authenticating customers and, for example, confirming the identity of a purported employee who is calling an internal help desk for a password change.
- Single sign-on at last? One of the biggest benefits of non-repudiable authentication is its ability to enable single sign-on (SSO), that security nirvana in which one challenge-response authorisation is enough to provide employees with access to all of their various corporate applications. Biometrics are far more appropriate for SSO than passwords -- so now may be the chance to make SSO a reality.
- Plan for biometrics. Reliable fingerprint scanning technology has been available, and built into everything from mice to keyboards to PDAs, for years. However, most corporate IT buyers have ignored biometrics unless their needs demanded it -- and that has rarely been the case. With prices for fingerprint-capable devices now only nominally higher than those for ordinary devices, your next hardware refresh is a great time to consider rolling out ubiquitous biometrics. Once the hardware is in place, the apps will flow from there.
This article was first published in Technology & Business magazine.
Click here for subscription information.
You *** head travis