Based on his research, Hunt thinks bundling biometric authentication with a smart card is the way to go.
One of the cool technologies that we are seeing is the fingerprint reader built into or onto the smart card reader. Now, this is a new advance. A little company called Precise Biometrics out in Virginia, and ActivCard, have this dynamic duo of authentication, so that biometric data doesn't have to cross a wire of any length. The encrypted hash, or encrypted derivation, of the biometric signature is actually stored on the smart card, which you keep as a plastic card in your wallet, or as your building ID badge. If it's an ID badge, it probably has your picture on it. So it's virtually impossible to perform a fraudulent authentication. In fact, it's tantamount to having the person living and breathing right in front of you with a government-issued photo ID.
For logging into the computer, do you need to use a biometric today? No. You could probably get away with not using it for the next 20 years. But for some transactions, you may want to accompany the smart card with a biometric. So the point I'm making is that it's the smart card that is the key to our success, the key to the future. The smart card is the multifunctioning authentication form factor that enables a tremendous variety of usages. It's easy to transport, and requires no end user training because we're all familiar with carrying plastic cards in our wallet.
Despite the promises, biometric measures don't trump passwords, says Hunt.
In my view, biometrics, as cool as they are, suffer many of the shortcomings of passwords. Because you can lift them--just like you steal a password, you can steal a biometric signature or fingerprint or face. Passwords are often considered not private because people can figure out what those passwords are, or they're passing clear text across the wire. And faces and fingerprints are not private--you leave fingerprints all over the place, on everything you touch.
The bottom line is that biometrics suffer many of the same shortcomings as passwords, and they're a hell of a lot more expensive than passwords. So why use them? The answer is, you can use them in conjunction with a smart card.
Will using biometric smart cards save money over storing biometric data on a central server? Hunt says they won't, but that isn't what's important.
If you have a big $10,000 Unix box storing a bunch of biometrics with lots of expensive encryption and security hardware and software built into it, that's pretty darn expensive. And smart cards themselves are a pretty inexpensive commodity that can be produced and sold for fractions of a dollar apiece. The readers are priced very inexpensively. But when you start scaling them across a large number of employees or high-value customers, the cost might be about the same. But that's irrelevant ultimately, when you can spend $50,000 to have really bad security, or to have really good security. The cost is irrelevant. The quality of the solution is what we're measuring here.
I think smart cards are going to be widely adopted. By 2005, smart cards will be a standard authentication type and identification medium. But biometrics will be used in conjunction with those smart cards in a small percentage.