Security Advisor

The State of Biometric Authentication

After years of unfulfilled promises, biometrics products are finally entering the mainstream. Here's a look at some of the most common solutions offered and how they measure up against each other.

• By Joern Wettern
• 08/01/2005

After years of unfulfilled promises, biometrics products are finally entering the mainstream. Let's assess how viable some common solutions really are and how they can help you secure your computing environment.

Biometric devices can fulfill one of two functions: identification or authentication. When performing identification functions, they mainly improve the ease of use of an access control mechanism. Today, most companies use devices like that to make it easier for employees to identify themselves—placing your hand on a palm reader is often quicker and more convenient than digging out an access card or typing a username.

Making Mistakes
Biometric equipment used primarily for identification requires something else for authentication, such as a PIN. If you use biometrics to identify a user, but not as the only means of authentication, you give it some margin for error. The software may conclude from an iris scan that there's a 90 percent probability that the person in front of the camera is you, but that may be good enough to identify you and prompt you for a PIN, which then performs the authentication. This is good, because you wouldn't want to trust a technology that authenticates you and grants you access to company resources based on a 90 percent probability that you are indeed who you claim you are. Biometric authentication methods have to be more accurate than identification methods.

Until recently, biometric authentication wasn't reliable enough to trust. For example, in a well-known 2002 case, Japanese cryptographer Tsutomu Matsumoto demonstrated how most fingerprint readers on the market at the time could be fooled by using a plastic mold and some gelatin. This finding, widely publicized at the time, served as a wakeup call to the industry.

Since then, fingerprint recognition and other biometric technologies have advanced to the point that they can't be easily fooled. Still, you should read the fine print on vendors' claims about possible weaknesses; one rather gruesome example is an IBM white paper that estimates it can take as long as 15 minutes after a finger has been severed before its sensor no longer recognizes the finger.

And despite the advances, biometric devices must still be tuned to reduce both the false rejection and false acceptance rate. You want to minimize the number of instances where a user's biometric identification isn't recognized (false rejection). More importantly, you have to ensure that an impostor isn't identified as a legitimate user (false acceptance). Biometric hardware and software today performs well in this respect.

Different Strokes
Take Sony, for example, which sells its Puppy Fingerprint Identity Token to corporate customers. The company claims that the token's false acceptance rate is less than .001 percent when configured to comply with federal security standards. In other words, only in one out of every 100,000 cases does the device accept a fingerprint that it should reject. Combined with a mechanism that blocks the use of the device after a few unsuccessful attempts, it's no surprise that the Sony Puppy looked like a good solution to logon problems for one of my clients.

Even Microsoft (for whom I've done work in the past) has released biometric devices, such as the Microsoft Fingerprint Reader, and encourages home users to secure Web passwords with a fingerprint. Note that the product page on Microsoft's Web site states that “the Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks.”

That may be a surprising statement from a company trying to sell you a biometric device, but Microsoft is properly advising you about when the Fingerprint Reader may not be an appropriate solution. A device designed to protect a home user's Web site passwords from other family members doesn't need to meet the same security standard as a device enabling access to a corporate network. The Microsoft Fingerprint Reader isn't appropriate for corporate security for the same reason most other biometric solutions today aren't. Security is not only a function of the biometric scanning mechanism; it's also impacted by how biometric and other information is stored and how data flows from the device to the operating system. Being a consumer product, it likely wasn't developed according to the same security standards to which other Microsoft products, such as operating systems, must conform. While Microsoft hasn't elaborated about why its device shouldn't be used in a corporate environment, the reason is probably not the biometric hardware, but rather how data is transferred between the device and the program that stores and processes user credentials for Web sites.

Toshiba uses another type of biometric authentication for its Tablet PCs. Recognizing how tedious entering a long password with a stylus in “tablet” mode can be, the company provides a Tablet Access Code Logon utility. This program appears at logon and prompts the user to write a code, such as a signature or symbol, with the tablet pen. It then compares the writing style with samples that the user previously recorded.

What makes this utility unique is that it doesn't just compare whether the writing results match; it also analyzes writing style, such as stylus acceleration and pressure, which tends to be unique for each person. Unfortunately, Toshiba provides few details about this type of biometric authentication. Whether the program uses sound biometrics or not, the Tablet Access Code Logon utility is problematic from a security perspective because of how it connects with the operating system. It uses handwriting recognition to decrypt a user name and password combination stored on the computer and supplies it to Windows. Toshiba's Tablet PC documentation contains no information about how these credentials are stored or how they're supplied to Windows at logon. This is a problem, because while replacing the native Windows logon mechanism can be done securely, writing programs that interface with or replace the Windows logon routines are notoriously difficult to write. This, combined with the lack of technical documentation, provides little confidence for using the program in a security-conscious environment. Securing the Windows logon with handwriting style recognition is convenient and should provide protection against casual attacks. However, I don't consider it an adequate solution for Tablet PCs with sensitive data that needs protecting.

IBM was a pioneer in incorporating fingerprint readers in some of its ThinkPads. Lenovo, the new manufacturer, continues to include these devices in selected laptop models.

The ThinkPad fingerprint scanner communicates with a TPM (Trusted Platform Module) chip located on the motherboard. A TPM chip can store information more securely than software, as well as secure the hardware channel between the operating system and fingerprint reader.

ThinkPads also take advantage of the ability to use BIOS passwords to require authentication when starting the computer or accessing the hard drive. This means you can configure the TPM on a ThinkPad to use a fingerprint instead of a password to unlock the computer. The TPM can also encrypt and store Windows user names and passwords and provide them to Windows at logon, provided the user has been authenticated by the TPM and fingerprint scanner. The included software interacts with the Windows logon process, replacing some of Microsoft's files.

While the ThinkPad's biometric capabilities are outstanding, it has the same limitations as most biometric devices that are used for Windows authentication—the database of fingerprint samples is maintained locally. This means you have to separately train every computer you may use to recognize your fingerprints. This is a far cry from a true corporate solution, which would be able to authenticate users regardless of which computer is used to provide a fingerprint.

Two-Factor Authentication
Today's biometric security methods and devices can be a viable solution for the protection of relatively low-value data. Using a USB memory stick with a fingerprint reader to encrypt everyday business documents that you take home is probably adequate protection. On the other hand, using a fingerprint reader to log on to Windows or store the password you use to access your bank account is not; even the best fingerprint readers today occasionally make mistakes. To guard against this, insist on devices that can provide two-factor authentication, requiring a fingerprint and a PIN for example. You may think that insisting on two factors for authenticating users may undermine one of the main appeals of biometrics, which is relieving users from having to remember and type user names and password. Most users, though, can easily remember a four-digit PIN, and through combining two separate authentication methods you can achieve a high level of security.

Not Quite There Yet
I strongly encourage you to become familiar with biometric authentication products available today. Before spending too much time researching such solutions for your company, though, carefully consider the cost of administration. Most products available today provide little centralized administration, are fairly expensive and create an entirely new category of help desk calls. As promising as the technologies behind biometrics look, none of them is quite ready for easy, enterprise-wide deployment. This should happen in the Longhorn timeframe. Until then, most fingerprint readers, handwriting analysis and other forms of biometric authentication should be used as a convenience for users in environments that only have minor security requirements.