How it works
Biometrics authenticates a person based on a physical or behavioral characteristic, including the face,
fingerprints, hand geometry, retinas, handwriting and voice. Many computer manufacturers are building
in swipe fingerprint readers onto the case of the computer or its keyboard.
At the same time, Trusted Computing Group (TCG) is driving the adoption of the Trusted Platform
Module (TPM) chip onto the motherboard of most business-class desktops, laptops and tablet computers.
Manufacturers like Dell, Fujitsu, Hewlett-Packard, Intel, Lenovo and Toshiba have joined TCG and
support the TPM module. The TPM chip is a microcontroller that stores cryptographic keys, passwords
and digital certificates, and is accessed via secure channels built into the client software. Combined
with built-in, swipe-based biometric readers, the TPM provides strong authentication and credential
storage.
Pros and cons
TPM adoption by the major PC vendors, combined with free client biometric software, is driving down
costs dramatically in this market and facilitating enterprise deployment. Standalone biometric readers
such as fingerprint, retina and handprint scanners have historically been in the $100 range plus
software costs. Currently, only fingerprint readers are being added to PCs at the point of
manufacture.
The biometric software typically converts the fingerprint into a series of data points that
mathematically represent the fingerprint, but cannot be used to recreate the fingerprint. Vendors vary
widely in their implementation of this measurement process. The crossover error rate is a good measure
of accuracy of the reader/software combination, but the readers themselves can be susceptible to
errors.
Other issues to consider before choosing this type of biometric solution are what's required to
effectively deploy and centrally control the required client software, and whether there is reporting
to a central server on security events such as unauthorized access. The answers to these questions
vary from manufacturer to manufacturer.
What to do
Look first to implement a built-in fingerprint reader/TPM solution for users that are accessing
high-value data such as mergers and acquisitions material, technical research and marketing plans.
Then consider deploying it in a measured way across the enterprise to other users, keeping in mind the
time it takes to deliver client software to thousands of desktops and to enroll users' fingerprints
with the readers.
Two-factor authentication options
Tokens
Smart cards
Biometrics
Certificates
Safe mode: Danger zone
About the author
Tom Bowers is the Security Director of Net4NZIX, an independent think tank and industry analyst group,
as well as a technical editor for Information Security magazine. Bowers, who holds the CISSP,
PMP and Certified Ethical Hacker certifications, is a well known expert on the topics of data leakage
prevention, global enterprise information security architecture and ethical hacking. He is also the
president of the Philadelphia chapter of Infragard, the second largest chapter in the country with
more than 600 members.
This article originally appeared in Information Security magazine.
