Probably the number one challenge we as security professionals face today is identity. Intruders are successful because they can defeat our identification and authentication schemes. When a password is the means of authentication, it can be stolen, guessed or cracked. Because it is used repeatedly, there is no way to ensure that it is not abused by someone not authorized to use it. Strong authentication requires one of two possible things. First, it could use a one-time passcode of some type. Examples are the code-generation fobs (e.g., SecurID) that generate one-time passcodes that expire in a very short time period.
Even these tools have drawbacks, though. As good as they are for authentication, they can be equally difficult to use and are subject to loss or breakage. Enter biometrics. The beauty of biometrics is that you are the authentication method. So unless someone cuts off the finger that you use on the fingerprint scanner, you're good. Given that this is a successful way to authenticate, why don't we use biometrics exclusively and dispose of passwords? That, actually, could happen in the foreseeable future. But for now there are some drawbacks.
The number one drawback in biometrics as a universal authentication tool is cost. While prices are coming way down, only fingerprint scanners are cheap enough to begin to go mainstream. That, unfortunately, has pegged fingerprint scanners as biometrics and biometrics as fingerprint scanners. We know that's not true, of course, but to the average user, that equation exists. The bad news is that many inexpensive fingerprint scanners also don't work very well. Thumb drives with fingerprint authentication, for example, may not recognize the user after a relatively short period. The problem of false negatives, while perhaps not as glaring as the problem of false positives, is the source of considerable frustration when the user has to roll his or her finger around to get it just right and get the scanner to recognize it.
Over the years, we have had some very interesting biometric products, and this year is no exception. We are beginning to see biometrics move from hardware that simply interfaces with another vendor's product, such as an identity management system, to offerings that are fully integrated into a full access management system that the biometric vendor produces itself. This shows a significant level of maturity.
We tested this year's products in a variety of ways. First, we were concerned with ease of use and deployment. Being hardware, these products usually require high-touch deployment, and that can be difficult in large, distributed enterprises. So we were interested in how the vendors addressed that challenge.
Finally, we wanted to see which third-party products or, in some cases, systems the product could interface with. If interoperability is a problem, or is limited, the usefulness of the biometric product may be limited. Since each product was different, we set up test cases - and in some cases separate test beds - for each product.
The bottom line for this year's collection of biometric devices is that the market is maturing nicely in several ways. First, cost is coming down. Second, ease of use and deployment is improving. Third, reliability is growing. At the same time, companies and technologies are being pulled into other companies and are becoming unrecognizable.
We are seeing a lot more biometrics in the mainstream - laptop manufacturers, for example, are including fingerprint scanners in their PCs as part of the login process. I have seen an increasing number of fingerprint/PIN/swipe (or proximity) card readers lately. Run your card, touch the fingerprint reader and enter your PIN and you have three-factor authentication. That is about as powerful as it gets. Add robust logging and enterprise-wide management and you have the whole shebang. This is where biometric authentication is heading: single sign-on/door management all on one biometric device.