Biometrics Not Quite Ready for the Enterprise

Passwords have long been a security problem. But if the answer is biometrics, how long before the technology makes it to corporate desktops?
Little yellow sticky notes cling to computer screens throughout American offices, displaying users' passwords for coworkers, bosses... and possibly hackers to see.

The passwords, generally as simple as a relative's birthday or a pet's name, have long been too easy to steal, and they're just not working anymore, analysts say.

What's the solution?

Biometrics and smartcards are the best solution, according to industry watchers. But don't throw your password away quite yet. For now, just keep changing it every few months and rip that sticky note off your monitor because the biometric industry may need up to five years to work out all of the kinks.

With passwords continuing to become more of an IT security nightmare, analysts agree something needs to change because too much vital corporate information is at risk simply because of weak passwords. Analysts are looking at smartcards, along with biometrics -- authentication techniques that check a person's physical characteristics, like a fingerprint or iris pattern -- and some behavioral aspects like keystroke patterns.

''The password is becoming obsolete and hackable,'' says Mike Miley, vice president and chief technology officer for Science Applications International Corporation (SAIC), a research and engineering company based in San Diego, Calif. ''You never want to rely on any one identity anymore.''

With passwords wearing out their welcome, biometrics and smartcards are next in line.

Biometrics are just further down the road. Analysts agree that smartcards will be more widely utilized in 2005 than biometrics. But they say the combination of the two identity verification methods will be the most effective way to access networks in the next five years.

Smartcards the first step

''The (smartcard) industry is a slowly building industry,'' says Earl Perkins, vice president of security strategies with META Group, an industry analyst firm based in Stamford, Conn. ''Many computer companies are starting to install contact or contactless readers for smartcards right into PCs.''

But credit cards, drivers licenses and other forms of ID are lost everyday. The smartcard holder, however, will have an easier way to get their card back, quickly.

''You need an easy way to re-enroll or get a new card,'' says David Fisch, a consultant with the International Biometric Group, LLC, a biometric security consulting and services firm with bases in New York and London. ''The template takes random parts of the fingerprint and stores it so the user can easily get a new one.''

This use of multiple forms of identification is the key to securing privacy, analysts say.

''Combining something you have, something you know and who you are is much stronger than anything else,'' says Miley.

Richard Fleming, chief technology officer and co-founder of Digital Defense, Inc., a security services firm based in Dallas, says biometrics are the pinnacle of authentication.

''You are identifying the individual person by the fact that you know that this is your thumbprint attached to your warm body. It is a step up and beyond all other authentication methods.''

Miley says the next five years will see a large focus on identity proofing, using the combined powers of smartcards and biometrics. He says the cost of installing biometric tools onto PCs is coming down, which is greatly due to the U.S. government's interest in the industry.

''The government is dedicated to testing biometrics for large- scale deployment,'' says Miley, noting that the U.S. is interested in using biometrics in areas such as immigration and Homeland Security.

With the government pouring money into the research and development of biometrics, analysts say, the technology will become cheaper and more widely used by the year 2010.

The Financial Angle

A major driver in the deployment of smartcards this year will be money, according to industry observers.

While a smartcard with a Simchip will cost a company about $10 to $15, a biometric devise, such as a fingerprint reader, runs at about $80 to $200 per user, Perkins says. ''When you multiply the (biometrics) costs by 10 or 30 employees, it is just not cost effective.''

Fleming says the high cost of biometrics has been prohibitive.

''Biometrics have been increasingly expensive to date,'' Fleming says. ''The security component of IT budgets will increase over the next two years to 18 months, and will continue to increase after that.''

But Fleming says the cost for companies to install biometrics has already started to decline, and will continue in the same direction.

Fleming says the biggest challenges for biometrics at this point remain in infrastructure and levels of standardization.

''People may not want to buy another devise and install it onto their computer,'' Fleming says. ''The industry will have to agree on what kind of technology to deploy. If users don't know what to use and when, they may just decide to do without.''

Miley says while there will always be privacy concerns, the ability to use biometrics as protection will become commonplace.

''There are lots of efforts now to use biometrics as a way to protect one's privacy, not as an invasion of privacy,'' Miley says. ''In five years, we will see biometrics as a primary component of security management.''

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.