Your body is your password

Most administrators don't need to look beyond an end user's workstation to find a potential security breach. I'm amazed at how easily I can discover a user's password when I'm seated at that person's workstation. When the user hasn't prominently displayed the phrase on a Post-it Note, I can usually figure out the password by glancing around the cubicle. My attempts to use account policies to tighten password requirements invariably lead to howls of user disapproval—not to mention a rash of locked-out accounts and forgotten passwords.

Until now, I've taken a typical approach to an intractable problem—I've ignored it, hoping a better solution would come along. And I might be in luck. Because of improved technology and lower prices, biometric identification is emerging as a viable alternative. Biometric solutions use unique biological or behavioral characteristics to verify identity, so a person's body literally becomes the password. Such characteristics can't be forgotten, and most are nearly impossible to reproduce, so the biometric method provides a potentially high level of security.

Biometric identification has become somewhat common in areas such as entry-access control. Now, several types of biometric-identification methods are available to secure network access. In most cases, these methods use a combination of hardware and software to identify biologically unique traits such as a user's fingerprint, voice, face, iris, or typing rhythm. (Other methods, such as retina and vein identification, have yet to cross over from securing a door to securing a network logon.)

Fingerprint solutions are the most numerous in today's market. These methods require a hardware device that scans a user's finger or thumb, as well as a software component that compares the scan to a stored image for positive identification. Voice-recognition systems use a sound card, microphone, and software to record and store voice patterns. To thwart intruders' attempts to use a digitally recorded voice, one of these products prompts the user to repeat a set of random digits. Face-recognition systems use a digital camera to capture an image of the user's face, then compare specific dimensions to a previously saved image of that user. Iris scanning uses a similar process but relies on the uniqueness of each person's iris to verify the user's identity.

The only biometric-identification method I've discovered that doesn't rely on additional hardware is Net Nanny Software International's BioPassword. This product recognizes a user's keystroke rhythms as the user types his or her username and password. Even if a password falls into the wrong hands, an intruder must exactly emulate the original user's typing rhythm to gain access.
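To make the keystroke-rhythm idea concrete, here is an added example of how such a check can be built; it is not BioPassword's code, and the interval template, the 15 ms deviation floor and the acceptance thresholds are assumptions chosen for illustration.

```python
"""Keystroke-rhythm verification: the timing pattern of typing a passphrase is
enrolled from several samples and later compared against a fresh typing.
Added example; template format and thresholds are assumptions."""
import statistics

def intervals(timestamps):
    """Flight times (ms) between consecutive key presses."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def enroll(samples):
    """Build a template from several typings of the same phrase: per-interval
    mean and standard deviation.  A floor on sigma keeps a very consistent
    typist from producing a template that even they cannot match later."""
    rows = [intervals(s) for s in samples]
    template = []
    for col in zip(*rows):
        mu = statistics.mean(col)
        sigma = max(statistics.pstdev(col), 15.0)  # assumed floor, in ms
        template.append((mu, sigma))
    return template

def verify(template, timestamps, max_z=2.5, min_fraction=0.8):
    """Accept when at least `min_fraction` of the observed intervals fall
    within `max_z` standard deviations of the enrolled mean.  Loosening either
    knob lowers false rejections (Help desk calls) but admits more imposters."""
    obs = intervals(timestamps)
    if len(obs) != len(template):      # wrong number of keystrokes: reject
        return False
    hits = sum(1 for (mu, sigma), x in zip(template, obs)
               if abs(x - mu) / sigma <= max_z)
    return hits / len(obs) >= min_fraction

# Constructed enrollment data: key-press times (ms) for a six-key phrase typed
# four times by the legitimate user.
ENROLL = [
    [0, 120, 260, 350, 540, 640],
    [0, 130, 250, 360, 530, 650],
    [0, 115, 270, 345, 550, 635],
    [0, 125, 255, 355, 545, 645],
]
GENUINE = [0, 122, 262, 352, 538, 642]   # same typist, slight variation
IMPOSTER = [0, 200, 330, 520, 600, 900]  # correct password, different rhythm

TEMPLATE = enroll(ENROLL)

if __name__ == "__main__":
    print("genuine accepted:", verify(TEMPLATE, GENUINE))    # True
    print("imposter accepted:", verify(TEMPLATE, IMPOSTER))  # False
```

The imposter is rejected even though every character of the password is correct, because only one of the five intervals falls inside the enrolled tolerance.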

Although biometric technology is still developing, it's already viable, and some organizations are deploying it. You need to answer several questions to determine whether this solution is right for your company. The most obvious question is whether your organization is willing to spend an additional $100 to $400 per seat—plus separate costs for deployment and training. Administrative overhead is also an unknown: Will biometric systems truly reduce Help desk calls or just change the nature of the calls? (For example, a forgotten password is easier to deal with than a buggy sound card that can't recognize a voice pattern.) What fallback procedure will you implement for logons in the event of hardware failure? Will that fallback procedure present a potential security breach? Can you integrate biometric solutions into the Windows security architecture to permit easy, centralized administration?

Biometric identification shows great promise for patching internal holes in our security fabric. As the technology improves and prices continue to drop, this method will surely become more attractive to more organizations.