Biometric security was the stuff of Hollywood in the 20th century, but it's been a reality for years today. (Actually, here are a few Windows IT Pro articles from the early 2000's, if you're interested: Biometric Identification and Biometric Security: Fingerprints Don't Always Suffice.)
And yet despite all this, its use is still very minimal, for a variety of factors: lack of awareness, cost, and some very legitimate security concerns.
However, biometric security technologies are starting to make a comeback. And why? I'd surmise that the constant growth of identity theft, phishing schemes, computer hacking, and general security mockery has something to do with it. Oh, and that all of our current authentication methods seem to fall completely flat. Strong passwords are a huge nuisance, and only protect against dictionary attacks, not against phishing attacks that track keystrokes. (Orin Thomas gives a great opine on passwords.) Smart cards ramp up security a notch, but can be easily lost and are not necessarily practical for use with a variety of functions. (Who wants to carry five smart cards around?)
Given these limitations, biometric security has been a sort of holy grail, a fledgling technology stared at in the distance but not taken that seriously. One of its strongest advantages is convenience—you don't have to remember any passwords or PINs! The other advantage is that it's relatively difficult to fool, in theory. However, one point of contention that many security experts rightfully bring up is that while the data might be harder to copy, the stakes are much higher when your fingerprints, retina scans, or other genetic data are being used. (If a criminal controls this type of information on you, there are very few repercussions for regaining control, short of burning off your fingerprints with acid like The Joker in "The Dark Knight.")
Let's take a look at three biometrically secured devices, and I'll leave it up to you to decide if they make sense for you.
Device 1: Biometric Flash Drive
USB flash drives are an amazing little technology or a security nightmare, depending on your perspective. Truly, you can stop by any local technology store today and for about $15, pick up a nifty little stick that can store just about anything you need and drop the files off at any laptop or desktop you choose. They're fantastic for taking files to a local printer, transferring some schoolwork between home and the university computer lab, or a hundred other uses.
And yet, these devices' simplicity and convenience pose significant dangers. In my relatively short life, I've already lost two flash drives. Granted, their cost was low and the data was relatively useless, but still! Two devices? Let that be a reminder never to leave me with anything small and valuable. Beyond losing the devices, they're also completely unsecured and can infect your corporate network with all varieties of yucky stuff.
The latter security conundrum has led some organizations to implement USB endpoint security solutions. (Check out this USB endpoint security buyer's guide for a list of available products.) And these certainly do the trick, by restricting users from plugging in those USB sticks into company machines from the get go. That way, if they want to keep losing the devices, it's not your problem.
One solution to the lost flash drive problem is a biometric flash drive. These devices work with a fairly basic fingerprint scanner on them, so you have to get a positive read on your fingerprint when you plug it into a computer to access the files. It seems to generally work, though many users have complained that it's not perfect, and does spit false positives. (Oh, and I guess most of them don’t work on Macs.)
In order to make these devices affordable, the downside is that the security is subpar. But if you do lose your USB device and a layperson finds it, there's a decent chance they won't be able to get in, which is something. Of course, the devices cost about two to three times the cost of a standard device, so you have to weight the extra $20 against whatever data you're lugging around.
One final use for a biometric flash drive is if you give friends and family your flash drive to deliver files. Most of these devices will let you designate some data to the biometrically secured level, and have other data open like a normal drive. So you can keep a few sensitive files on hand but also distribute the device liberally.
The highest-rated biometric flash drive I could find is the Transcend JetFlash 220, which costs about $40 for 8GB and $60 for 16GB.
On the next page, we'll take a look at biometric security for computers and printers.
Device 2: PalmSecure for Laptops and Desktops
Fujitsu's PalmSecure offers a higher level of security than the flash drives by scanning the vein patterns in your hand, rather than taking a fingerprint, the latter of which can be stolen more easily CSI-style.
It works like this: you purchase a PalmSecure device with your laptop or desktop, and then you scan your palm when you turn the computer on to effectively log in. The technology is pretty accurate—after testing, it ranked with a false rejection rate (legitimate users getting locked out) of 1 percent, and a false acceptance rate (illegitimate users getting in) of .5 percent. According to Fujitsu, the biggest struggle with the technology is accounting for the fact that the veins in a person's hand move around every day.
So, pretty easy to use, and pretty secure. The only drawback? Cost. Fujitsu doesn't release the actual prices for its products on the customer-facing website, but through searching on Google Shopping, I was able to glean what I believe to be fairly accurate estimates. Fujitsu's most recent PalmSecure technology, the PalmSecure LT for SSO, seems to weigh in at around $350, but is probably only sold in group rates to businesses and the cost might be lower in those cases. An older technology, the PalmSecure mouse (secures your PC and works as a mouse), looks to be about $450. Please don't hold me to those numbers, but I just wanted to give you an idea.
Device 3: Biometric Printer
I was curious what other technologies might exist. Unfortunately, a lot of the technologies available are targeted at wealthy individuals interested in home security. Go figure: I guess famous entrepreneurs, politicians, and entertainers have more excess cash than today's corporate IT departments? Who would've thought.
Nonetheless, I did find this technology: The SecurePrint Kit from Silex Technology. For $499 (according to a review from a few years ago), the device requires you to scan your fingerprint before approving your files to print, preventing the office printer from firing off your 401K data before you're at the printer and ready to take it, for instance.
It's a nice idea for healthcare and financial industries, where the data being printed is not only private and sensitive, but the absence of it remaining private has very real legal ramifications.
The cons to this technology are the high cost and inconvenience. I can image five people printing to the printer at once, and then each person needing to come up and put their finger down to get their files to print. (That is, versus today's office scenario, which looks more like: "Who printed the cute animal pictures forward? Oh, you? Great. And who's the employment application for competitor XYZ? Ah, well, good luck with that." And so on.)
Will Biometric Security Continue to Grow, or Plateau?
Hopefully you don't expect me to actually answer the above question. In all honesty, it's hard to say. Because on one hand, biometric security is the logical next step in an age where passwords and smart cards fall short, and user frustration over remembering a bunch of silly character combinations is at a fever pitch. Biometric solutions are simple and relatively seamless, but they often come at a high cost and have some pretty scary security risks, should this all-too-precious data be confiscated by the wrong individuals.
I think basic fingerprint scans will go the way of the dodo, but some of the more advanced scanning techniques—such as the vein scans—will probably find their way into more uses in government and enterprises. One thing is for sure: security threats aren't going anywhere, so we should expect security measures to continue to evolve in response.
- 6 Potential Security Risks in Virtualization
- Preventing Security Holes From Social Networks
- Security Recommendations for Microsoft's .NET Framework 4.0
- McAfee's svchost.exe SNAFU
- IT Security Wishlist for the 2010's