Biometrics move into the mix

Future role is likely to be supplemental to smart cards and passwords

As physical and IT security converges, biometric devices, which measure human characteristics such as fingerprints or retinas, have so far failed to win a role as stand-alone authentication credentials due to their perceived vulnerabilities. They are, however, gaining traction as a supplement to smart cards and passwords, which thieves can steal or falsify to gain unauthorized access to physical facilities and IT systems.

Biometrics offer advantages over smart cards in terms of convenience, says Novell Security Czar Ed Reed. “It’s easier to reach up and grab a fingerprint pad than to remove a smart card from a badge and slide it through a reader,” he explains, noting that companies are increasingly using biometric authentication to supplement smart cards in sensitive network environments.

But individual biometric techniques such as palm, iris, and fingerprint scans have their weaknesses, not least of which is the relative ease of spoofing. “You can make a gelatin mold of a fingerprint and use it to fool a fingerprint reader under certain circumstances,” explains Richard Hunter, research director at Gartner.

“None of this stuff is private. It’s not a secret,” agrees Sun’s Director of Java Card Business Peter Cattaneo. He notes that the simplest way to beat biometric authentication is to “get a digital copy [of the biometric] and inject it into the network behind the sensor.”

Gartner’s Hunter says another issue with biometrics is they may only work well under controlled conditions. Facial geometry scans, for example, can be done at a distance but only at certain angles of approach and lighting levels. Hunter also points out that for most biometric systems to work, a person’s data must already be accurately entered into the database.

“That question shows up in almost any authentication scheme: Can you be sure the authentication is issued based on accurate data?” Hunter explains.

Hunter expects biometrics to lag behind smart cards for enterprise authentication, except in high-security facilities, until a couple of high-profile government biometrics projects — such as the recently announced $10 billion US-Visit border security program — provide proof of concept and scalability.

Biometrics are expected to eventually live up to their long-awaited promise as the third pillar of the ultimate identity test: “something you have, something you know, something you are.” Ultimately, biometrics will be one of the most powerful and secure authentication credentials, experts say, but only in conjunction with other methods. “It won’t be enough to just say, ‘Here’s my fingerprint. Let me in,’ ” Novell’s Reed says.