Republished with permission from WatchGuard Technologies, Inc.
Biometrics: Coming of Age
When it comes to user authentication, we want to identify an individual in a strong way. By "strong way" we mean a way that does indeed establish the validity of a claimed identity and is not vulnerable to a replay attack. Traditionally, in security, we talk of three ways to establish identity:
The Glossary of Biometric Terms by the Association for Biometrics and the ICSA defines the term "biometric" as "a measurable, unique physical characteristic or personal trait used to recognize the identity, or verify the claimed identity, of a person, through automated means."
We move towards strong authentication when we combine more than one kind of authentication method. Something a person knows (for example, a password) is easily obtained through guessing or eavesdropping. However, combine that with something a person is (biometric information) and you have a much stronger combination.
The Growing Support for Biometrics
Biometric devices cover an array of different physical characteristics: fingerprint scanning, finger and hand geometry, palm print, facial and voice recognition, retinal and iris scanning, and recognition of signatures (the wet, written kind). Although early adopters of security solutions, including a few law enforcement agencies, have used some of these technologies for decades, the ICSA 1999 Biometrics Survey states, "The biometrics industry is in a strange predicament. On one hand, it has a great deal of potential. On the other lies an unerring need for expectations about biometrics to become fully realized. Faced with a degree of uncertainty about the industry's future and a misunderstanding about its intentions, the information security industry has historically looked at biometrics with an expression of bemusement. As a result, the case for biometrics really has yet to be won."
Yet biometrics shows evidence of being on the cusp of acceptance as part of a defense-in-depth security strategy. For one thing, biometric hardware devices are becoming affordable. Oh, not all of them, but certainly some, such as voice recognition, face recognition, and fingerprint scanning.
Secondly, just in the past year or so, biometric devices that easily interface to PCs have become available. Most biometric techniques require special equipment, but many are now easy to add on to a computer. Voice recognition works with a microphone and the sound cards resident in most of today's PCs. Face recognition uses a digital camera, an increasingly common device for a PC user. Fingerprint scanners, or eye scanners, need specialized hardware, but some vendors are now offering fingerprint-scanning keyboards.
Third, vendors are working actively to integrate biometric devices into real computer products. Formerly, biometric devices did not come with anything useful except a screensaver program interface (kind of a way to demo the technology without actually using it for much). But through the efforts of vendors along with industry standards bodies and consortia (see links below), work is progressing to smooth the integration of biometric technology into other, traditionally text-based, authentication mechanisms. Additionally, companies -- like BioNetrix (Tysons Corner, VA) -- are bridging the world of biometric products and authentication systems.
Because of these trends, it is time for most of us to start learning about biometric devices, and to think about using them -- to start playing with them, if you will. The Web sites listed below offer information about biometrics. You can use them to get acquainted with the technology, standards, companies, and products. Read about them, decide how they might fit into your current security plan, and figure out which product to obtain to experiment with. In the next couple of years, the use of biometrics will become the next logical security step.
Sites of Interest: