August 23, 1999
As PC users became interested in biometrics, so did the standards bodies and biometric consortia. Biometrics got HA-API (Human Authentication API), BioAPI (Biometrics API) and SVAPI (Speaker Verification API). IBM developed its own standard--AIS API--but the company also supports BioAPI and is a member of the BioAPI Consortium. To be truly useful, biometric devices must be integrated with the organization's firewall, NOS and desktops.
Multiple, competing standards proposals confuse the market and pose a problem for vendors. Which standard should you require in the products you buy? To what API or APIs should vendors port? Fortunately, there appears to be movement toward a single family of APIs (not a single API definition) that will provide compatibility. Unfortunately, as is always the case with standards, progress is slow.
Buying Into Biometrics
Let's say you're looking to purchase a solution for deployment throughout your internal organization to control access to desktops and network servers. Of course, you want to know how easy the device is to use and install.
You also need to find a biometric system that will suit your environment. Retinal scanning is inappropriate if your workers must wear goggles or are in an environment that's subject to a great deal of motion, such as the bridge of a battleship. Facial recognition is not useful if the user sometimes wears a mask (operating room). And voice recognition won't work well on a loud factory floor.
Determining if the system employs user-acceptable devices is a must. Retinal and cornea scanning are two of the most accurate mechanisms for individual identification. But many people are uneasy about putting their eye up against a viewer for scanning.
Does the device work with the applications you intend to use? Integration with intended applications is an absolute must; unfortunately, it's not always clear what solutions work with which products. You must decide which applications are critical and which require strong biometric authentication.
Operating systems must provide the hooks that let biometric systems be used in place of the typical OS authentication. This requires an API. It also requires the ability to replace the standard login screen with another provided by the biometric verification product. Basically, wherever user authentication is supported--access to the OS, access to protected files, and local as well as network (domain) authentication--there should be hooks that allow the typical user name and password prompt to be replaced with a biometrics query.
How easily will the intended technology integrate into the computers in use? Will you have to purchase video cameras for every PC? What about finger scanners? Neither is very expensive, but it is important to know if one or both will fit into the work environment. Do the computers have the required communications ports available? Some organizations standardize on two different types of biometric methods--for example, voice and finger, or facial and finger. And some workspaces don't have room for other devices. On the other hand, some vendors are rolling out keyboards with integrated finger scanners, and most PCs are equipped with sound cards.
You'll also need to consider transaction time. How long will it take for the device to authenticate a user to an application? You don't want to unnecessarily delay your users so you may want to test transaction times before you make a commitment. (See "Six Biometric Devices Point the Finger at Network Security," www.networkcomputing.com/910/910r1.html for the results of our tests of biometric devices.)
What is the security architecture of the biometric product? Find out if it protects all user template and sample data during registration and use. Learn how and where it protects the information as the hardware device communicates with the biometric software. Most vendors do this with encryption, which should be performed along the entire communication path, including along the cable that leads from the device to the PC. Encryption is also important on the database that contains the biometric information. The bottom line is that you need the entire path to be secure, so ask your vendor just to be sure.
And finally, can intruders thwart the authentication device by rebooting the PC or copying a datastream from a fingerprint reader to a server and later replaying it? If getting around your biometric device is this easy, you won't be happy.
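The replay concern above, as an added example that is not code from the article or from any vendor it mentions: a constructed reader-to-server exchange in which the server issues a single-use nonce, the reader keys an HMAC over that nonce, the user name and the sample with a shared device key, and the server rejects any captured datastream that is presented a second time or altered on the way. The device key, the bit-difference matching threshold and the byte-string "samples" are all constructed for the example, not taken from any product.

```python
import hashlib
import hmac
import secrets

# Constructed device key; a real deployment would provision one per reader.
DEVICE_KEY = b"example-device-key-not-for-production"
MATCH_THRESHOLD = 8  # max differing bits for a sample to match a template (constructed)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two byte strings (length mismatch = total mismatch)."""
    if len(a) != len(b):
        return 8 * max(len(a), len(b))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Reader:
    """Simulated finger scanner that signs each capture with the shared device key."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key

    def capture(self, user: str, nonce: bytes, sample: bytes):
        # The tag binds this sample to this nonce and this user, so a datastream
        # copied off the cable cannot be re-sent under a later challenge.
        tag = hmac.new(self._key, nonce + user.encode() + sample, hashlib.sha256).digest()
        return nonce, sample, tag


class VerificationServer:
    """Holds enrolled templates and accepts each issued nonce exactly once."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self._templates = {}   # user -> enrolled template bytes
        self._pending = set()  # nonces issued but not yet consumed

    def enroll(self, user: str, template: bytes) -> None:
        self._templates[user] = template

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, sample: bytes, tag: bytes) -> bool:
        if nonce not in self._pending:
            return False              # unknown or already-used nonce: replay or forgery
        self._pending.discard(nonce)  # single use; consumed before any other check
        expected = hmac.new(self._key, nonce + user.encode() + sample, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False              # sample or nonce altered in transit
        template = self._templates.get(user)
        if template is None:
            return False
        return hamming_distance(template, sample) <= MATCH_THRESHOLD


def run_scenarios() -> dict:
    """Exercise a legitimate login, a replayed capture, a tampered sample and a non-match."""
    reader = Reader(DEVICE_KEY)
    server = VerificationServer(DEVICE_KEY)
    template = bytes(range(32))  # constructed stand-in for an enrolled template
    server.enroll("alice", template)
    live = bytearray(template)
    live[3] ^= 0x01              # one bit of sensor noise on the live sample
    live_sample = bytes(live)

    nonce = server.challenge()
    message = reader.capture("alice", nonce, live_sample)
    legitimate = server.verify("alice", *message)
    replayed = server.verify("alice", *message)        # identical bytes, sent again

    nonce2 = server.challenge()
    n, _, t = reader.capture("alice", nonce2, live_sample)
    tampered = server.verify("alice", n, bytes(32), t)  # sample swapped, tag now stale

    nonce3 = server.challenge()
    stranger = bytes(32 - i for i in range(32))         # wrong finger: many differing bits
    wrong_person = server.verify("alice", *reader.capture("alice", nonce3, stranger))

    return {"legitimate": legitimate, "replayed": replayed,
            "tampered": tampered, "wrong_person": wrong_person}


if __name__ == "__main__":
    print(run_scenarios())
```

The nonce is removed from the pending set before the tag or the template is checked, so a second presentation of the same capture fails even if everything else about it is valid. The HMAC gives integrity on the cable segment the article mentions; it does not hide the sample, so the encryption the previous paragraph calls for is still needed for confidentiality of template and sample data.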
Recommendations
Although the biometric market is relatively immature, biometric technology is mature and usable. If you have a business or other operation that requires strong user authentication, you can start testing now. Answer all the questions we've posed here. Read up on the subject further by visiting Web sites dedicated to biometric systems (see "BioBodies: Biometric Industry Organizations," at left). Finally, consult the Association for Biometrics (www.afb.org.uk/); it provides some excellent guidelines for selecting and implementing a biometric system.
Frederick M. Avolio is a computer- and network-security consultant. Send your comments on this article to him at fred@avolio.com.