Little yellow sticky notes cling to computer screens throughout American
offices, displaying users’ passwords for coworkers, bosses… and
possibly hackers to see.
The passwords, generally as simple as a relative’s birthday or a pet’s
name, have long been too easy to steal, and they’re just not working
anymore, analysts say.
What’s the solution?
Biometrics and smartcards are the best solution, according to industry
watchers. But don’t throw your password away quite yet. For now, just
keep changing it every few months and rip that sticky note off your
monitor because the biometric industry may need up to five years to work
out all of the kinks.
With passwords continuing to become more of an IT security nightmare,
analysts agree something needs to change because too much vital corporate
information is at risk simply because of weak passwords. Analysts are
looking at smartcards, along with biometrics — authentication techniques
that check a person’s physical characteristics, like a fingerprint or
iris pattern — and some behavioral aspects like keystroke patterns.
“The password is becoming obsolete and hackable,” says Mike Miley, vice
president and chief technology officer for Science Applications
International Corporation (SAIC), a research and engineering company
based in San Diego, Calif. “You never want to rely on any one identity
With passwords wearing out their welcome, biometrics and smartcards are
next in line.
Biometrics are just further down the road. Analysts agree that smartcards
will be more widely utilized in 2005 than biometrics. But they say the
combination of the two identity verification methods will be the most
effective way to access networks in the next five years.
Smartcards the first step
“The (smartcard) industry is a slowly building industry,” says Earl
Perkins, vice president of security strategies with META Group, an
industry analyst firm based in Stamford, Conn. “Many computer companies
are starting to install contact or contactless readers for smartcards
right into PCs.”
But credit cards, driver’s licenses and other forms of ID are lost
every day. The smartcard holder, however, will have an easier way to get
their card back quickly.
“You need an easy way to re-enroll or get a new card,” says David
Fisch, a consultant with the International Biometric Group, LLC, a
biometric security consulting and services firm with bases in New York
and London. “The template takes random parts of the fingerprint and
stores it so the user can easily get a new one.”
This use of multiple forms of identification is the key to securing
privacy, analysts say.
“Combining something you have, something you know and who you are is
much stronger than anything else,” says Miley.
Richard Fleming, chief technology officer and co-founder of Digital
Defense, Inc., a security services firm based in Dallas, says biometrics
are the pinnacle of authentication.
“You are identifying the individual person by the fact that you know
that this is your thumbprint attached to your warm body. It is a step up
and beyond all other authentication methods.”
Miley says the next five years will see a large focus on identity
proofing, using the combined powers of smartcards and biometrics. He says
the cost of installing biometric tools onto PCs is coming down, which is
greatly due to the U.S. government’s interest in the industry.
“The government is dedicated to testing biometrics for large-scale
deployment,” says Miley, noting that the U.S. is interested in using
biometrics in areas such as immigration and Homeland Security.
With the government pouring money into the research and development of
biometrics, analysts say, the technology will become cheaper and more
widely used by the year 2010.
The Financial Angle
A major driver in the deployment of smartcards this year will be money,
according to industry observers.
While a smartcard with a Simchip will cost a company about $10 to $15, a
biometric device, such as a fingerprint reader, runs at about $80 to $200
per user, Perkins says. “When you multiply the (biometrics) costs by 10
or 30 employees, it is just not cost effective.”
Fleming says the high cost of biometrics has been prohibitive.
“Biometrics have been increasingly expensive to date,” Fleming says.
“The security component of IT budgets will increase over the next two
years to 18 months, and will continue to increase after that.”
But Fleming says the cost for companies to install biometrics has already
started to decline, and will continue in the same direction.
Fleming says the biggest challenges for biometrics at this point remain
in infrastructure and levels of standardization.
“People may not want to buy another device and install it onto their
computer,” Fleming says. “The industry will have to agree on what kind
of technology to deploy. If users don’t know what to use and when, they
may just decide to do without.”
Miley says while there will always be privacy concerns, the ability to
use biometrics as protection will become commonplace.
“There are lots of efforts now to use biometrics as a way to protect
one’s privacy, not as an invasion of privacy,” Miley says. “In five
years, we will see biometrics as a primary component of security