Giving your computer the finger

With interest in computer security rising, don’t be offended if employees or customers give you the finger.  A fingerprint, after all, is a very effective means of identifying or authenticating a user of a computer system. 

The field of biometric technologies has advanced rapidly in the past decade, making these technologies both effective and affordable.  If you’ve looked at biometrics before and thought they weren’t right for your company, perhaps it’s time to look again.  More and more companies are deploying such technologies to control access to individual PCs, to networks or shared applications, or to e-commerce tools that use the Internet backbone.

Biometric technologies are defined as “automated methods of identifying or authenticating the identity of a living person based on a physiological or behavioral characteristic.”  This characteristic can be something unchangeable, such as a fingerprint, an iris pattern, or a hand silhouette, or it can be a part of a person’s behavior that is fairly reliable for identification purposes, such as a voice pattern, a signature, or even keyboard usage.  When a biometric system is deployed properly, using such characteristics for identification is far more effective than a simple password or PIN.

In his informative white paper “Everything You Need to Know About Biometrics,” Erik Bowman of Identix, a biometric technology company, says there are three major components of a biometric system.  First, you must have a mechanism to scan and capture a digital or analog image of a living personal characteristic (e.g., fingerprint or voice pattern).  Second, you must be able to compress, process and compare the image to other images in your control database.  Finally, you need an interface to the application, whether the “application” is something as simple as a door lock, or a computer application such as a payroll system.

As described in the definition above, biometrics can rely on identification (“Do I know you?”) or authentication (“Are you who you say you are?”).  The identification process involves taking one image and checking it against a database of many records, as is the case in law enforcement when a suspect’s fingerprints are checked against a large database, thus (hopefully) identifying him.  Authentication measures the user’s characteristics against a stored image of the person he claims to be, such as when a laptop user confirms his identity to his PC before it will grant him access to files and applications.

I mentioned that biometrics technologies have advanced rapidly in the past 10 years.  In the context of using biometrics to enable access to computing systems, the Trusted Computing Platform has been a real boon to increasing the reliability and effectiveness of authentication.  A Trusted Computing Platform, sometimes called a trusted PC, has embedded security features defined by the Trusted Computing Group that reduce the likelihood that the authentication process can be usurped or spoofed by hackers.  Further information on this subject can be found in the HP research paper “A Trusted Biometric System,” by Liqun Chen, Siani Pearson and Athanasios Vamvakas.

As you can imagine, biometric systems are far too complex a topic to address in a short newsletter like this.  But, there is lots of good information online, and there are good organizations focused on biometrics that can help you sort through the hype and the reality.  Check out the links below for a few places to start.  Then tell your boss you want to give him the finger…for identification purposes, of course.

Linda Musthaler is vice president of Currid & Company.  You can write to her at mailto:Linda.Musthaler@currid.com