Fingerprint readers. Voice-print identifiers. Retina or iris scanners. Face-recognition systems. Those are the things that spy stories are made of. In most people's minds, they are the very essence of high-tech security, and everyone knows that no supersecret headquarters worth its salt is without its share of such devices.
But biometrics has extended its reach. It's not just for government agencies and arch-villains anymore.
Reduced manufacturing costs and heightened security concerns have brought a wide array of private-sector companies onto the biometrics playing field, ranging from tiny startups to major industry players like Compaq, Sony and Toshiba. The latest round of marketing places biometrics not merely within your customers' reach, but on the "soon to be a must-have technology" list. According to the hype, the technology improves ease of use and reduces user support costs while securing networks against all but the most formidable attackers.
Those claims are not entirely without merit. Information systems security depends on effective user authentication: the ability to verify that someone claiming to be a legitimate user is who he claims to be. But despite all of the advances made over the past three decades, most networks continue to rely on a centuries-old, insecure, user-unfriendly technology: the password. Users hate passwords because they are time-consuming to use and difficult to remember. Security professionals hate passwords because they are easily guessed or stolen. Moreover, the harder it is to steal or guess a password, the harder it is to remember, as well.
Biometric technologies attempt to escape that dilemma by relying on unique physical characteristics, rather than a shared secret, to authenticate users. The system takes an initial set of measurements of the characteristic in question (fingerprint, voice, facial geometry, patterns in the iris or retina) during the user-enrollment process. The measurements are reduced to a template containing data unique to a given individual, but which typically cannot be used to recreate an image or facsimile of the characteristic. Whenever a user needs to be authenticated, the system takes a new measurement and compares it against the stored template; if the new measurement falls within an acceptable range of variation (no measurement is ever exactly the same), the user is granted access.
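As an added illustration (not code from the original article), here is a toy enrollment-and-verification loop in Python: several constructed readings of one user are reduced to a template, a later reading is accepted only if it lies within a distance threshold of that template, and the final helper goes one step beyond the paragraph by showing that the threshold trades false rejections of genuine users against false acceptances of impostors. All feature values are constructed stand-ins for real sensor data.

```python
"""Toy biometric enrollment / verification (constructed example).

Templates here are small feature vectors standing in for the data a
real system derives from a fingerprint or iris; every number below is
constructed for illustration, not read from any sensor."""
from math import sqrt
from statistics import mean


def enroll(samples):
    """Build a template from several enrollment readings of one user.
    Averaging per feature smooths sensor noise; the template keeps only
    the derived numbers, not anything resembling the raw image."""
    n_features = len(samples[0])
    return tuple(mean(s[i] for s in samples) for i in range(n_features))


def distance(a, b):
    """Euclidean distance between a fresh reading and a template."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(template, reading, threshold):
    """Accept when the new reading is within the allowed variation."""
    return distance(template, reading) <= threshold


def error_rates(genuine, impostors, template, threshold):
    """Fraction of genuine readings rejected (false rejection) and of
    impostor readings accepted (false acceptance) at one threshold.
    Tightening the threshold lowers one rate and raises the other."""
    frr = sum(not verify(template, g, threshold) for g in genuine) / len(genuine)
    far = sum(verify(template, i, threshold) for i in impostors) / len(impostors)
    return frr, far


# Constructed enrollment readings: the same person measured three times,
# each reading differing slightly (no two measurements are identical).
ALICE_SAMPLES = [(0.80, 0.52, 0.31, 0.95),
                 (0.82, 0.50, 0.33, 0.93),
                 (0.79, 0.53, 0.30, 0.96)]
ALICE_TEMPLATE = enroll(ALICE_SAMPLES)

# Later attempts: a noisy but genuine reading and an impostor's reading.
ALICE_LATER = (0.84, 0.49, 0.34, 0.92)   # distance to template ~0.059
MALLORY = (0.40, 0.70, 0.60, 0.50)       # distance to template ~0.69

if __name__ == "__main__":
    for t in (0.02, 0.10, 1.00):
        print(t, verify(ALICE_TEMPLATE, ALICE_LATER, t),
              verify(ALICE_TEMPLATE, MALLORY, t))
```

At a threshold of 0.10 the genuine reading is accepted and the impostor rejected; at 0.02 even the genuine user is turned away, and at 1.00 the impostor walks in.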
The authenticating factor is a part of the user's body, so he has nothing to forget or lose. Because the physical characteristics used are highly complex, they can be extremely difficult to falsify, and because they are permanently attached to the user, they can be difficult to steal. The perfect solution, right?
Not so fast. Implementing a biometrics solution involves making fundamental changes to a key element of a functioning network, integrating complex and security-sensitive hardware and software into the existing system, and relying on technologies still in their early-adopter stage. One false move, and your clients could end up paying more to extract themselves from a solution than they did to implement it.