Q&A: Are Fingerprints the Next Smart Card?

More organizations are using fingerprints for logging onto PCs and into sensitive applications.

While smart cards still dominate multiple-factor authentication, the use of biometrics and PKI (among other options) is growing. When it comes to convenience, nothing beats fingerprints.

The Department of Defense, Rite Aid, and Cargill are among the organizations using fingerprints for logging onto PCs and into sensitive applications. To discuss the trend, Security Strategies spoke with Vance Bjorn, chief technology officer of biometrics provider DigitalPersona Inc. in Redwood City, Calif.

How secure are passwords today?

As computing power has increased, it’s now so easy for someone to crack any password. If I choose a five- or 10-character password, a hacker can cycle through that in seconds. … There’s been a lot of technology out there to raise the bar, but it’s never gotten adopted because it was too costly. Now, however, we’re seeing some of the big players put their name behind [biometrics], including Microsoft and IBM. …

What’s the difference between using a fingerprint and a password?

The use of the fingerprint is a more sound policy than the use of a password. The user can’t write it down, or use the same password for everything. I bet a lot of people use the same password for a free contest online as they use to sign in to the enterprise.

Another factor is just the cost. People forget passwords, or if they follow the password policies, then they probably have very lengthy passwords they write down, so they call the help desk, which creates problems.

Then all these compliance initiatives have auditors swarming around IT managers, saying you have to prove to us who accessed that patient record, who accessed that financial system, who fulfilled that pharmacy order, which researcher did the research or sent this e-mail. So there’s a lot more attention now to these backend audit logs, and as a result, if those audit logs are to be trusted, you need a much stronger way of doing identity.

So fingerprints are a way to prove the person logging on was a person, not just a username?

A person can just say, "That wasn’t me that e-mailed out the database of 5,000 Social Security numbers." So those types of things are driving fingerprints to be used in enterprises. And I think there’s a strong need out there, as I just described, and that’s coming at a point now where the technology is really hitting stride.

Why are enterprises adopting biometrics in particular?

Interestingly, it comes down to convenience. All the issues I mentioned—the cost or loss—are usual for passwords.

When IT managers seek alternatives, they’re faced with things like RSA tokens, smart cards, PKI, and fingerprints. In that list, all but fingerprints give a user more burden—they’re things you can forget, or lose and have to pay to replace. A fingerprint has this nice balance between security and convenience. You’re raising the bar and improving enterprise security, but you’re also giving users something. They don’t have to remember a password now, or remember to carry a token. So that’s why people are moving more toward fingerprints than some of these other ones.

How many passwords, on average, must today’s enterprise users remember?

We have a large brokerage firm, one of the largest in the world, with 20,0000 seats, and a typical user there had an average of 13 passwords. That was a real mess to manage when you have all those IDs around. By deploying our system, when a user comes in, in the morning, they put their finger down [on the biometric sensor, to log in to the network]. Then when they go to any application, they put their finger down [to log in].

What’s the accuracy of fingerprint recognition?

We set our system at a one in 100,000 chance of a false accept, and we’ve tested it to that, and it’s set to be the default. [Then] there’s a 1.2 percent chance of false rejects, which means if you’re a legitimate user, you might have to put your finger down a second time.

We find in a typical enterprise, that’s a pretty high bar. It’s not like a password cracker where you can cycle through all passwords. This one, because of the end-to-end security with the server, you’d really need to have 100,000 fingerprints before it could be broken into, and that’s not something the average person in the cubicle next door can do.
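The error rates quoted above translate into concrete risk and help-desk numbers once an attempt-lockout policy is applied. The following is an added worked example, not code from the interview or from DigitalPersona; it assumes each presentation is an independent trial at the stated rates.

```python
"""Added example: what a 1-in-100,000 false-accept rate (FAR) and a 1.2 percent
false-reject rate (FRR), the figures quoted in the interview, mean for an
enterprise that locks an account after a fixed number of failed attempts.
Assumption: every presentation is an independent trial at these rates."""
import math

FAR = 1 / 100_000   # false accepts per impostor attempt (quoted figure)
FRR = 0.012         # false rejects per genuine attempt (quoted figure)


def impostor_success_probability(attempts: int, far: float = FAR) -> float:
    """Probability that at least one of `attempts` impostor presentations is
    falsely accepted. Note that 100,000 attempts at FAR 1e-5 do not give a
    certain break-in: the cumulative probability is 1 - 1/e, about 63 percent."""
    return 1.0 - (1.0 - far) ** attempts


def attempts_for_success_probability(target: float, far: float = FAR) -> int:
    """Smallest number of impostor attempts whose cumulative false-accept
    probability reaches `target` (0 < target < 1). Sizing a lockout threshold
    far below this number keeps FAR compounding negligible."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - far))


def legitimate_lockout_probability(max_attempts: int, frr: float = FRR) -> float:
    """Probability that a genuine user is falsely rejected on every one of
    `max_attempts` tries and is locked out (the help-desk cost of the policy)."""
    return frr ** max_attempts


def lockout_policy_summary(max_attempts: int) -> dict:
    """Both sides of the trade-off for one lockout threshold."""
    return {
        "max_attempts": max_attempts,
        "impostor_success": impostor_success_probability(max_attempts),
        "genuine_lockout": legitimate_lockout_probability(max_attempts),
    }


if __name__ == "__main__":
    for n in (1, 3, 5):
        s = lockout_policy_summary(n)
        print(f"lockout after {n}: impostor success {s['impostor_success']:.2e}, "
              f"genuine lockout {s['genuine_lockout']:.2e}")
    print("attempts for a 50% impostor success chance:",
          attempts_for_success_probability(0.5))
```

With a three-attempt lockout the impostor's cumulative chance stays near 3e-5 while a genuine user is locked out roughly 1.7 times per million sessions, which is the balance the interview describes as "a pretty high bar" with only an occasional second try.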

What kind of fingerprint information does your system store?

In any of our technology, we never store the fingerprint image; we only store the minutiae points, or the features of the fingerprint, in a 300-byte file, which is unlike government applications for forensics, or law enforcement, or border control. In those cases they actually are taking an image, and they’ll archive that.

Why even store a whole image, if minutiae points can validate someone?

Indeed, there are tradeoffs. We would love to store the image, I suppose, if we had infinite space, if there weren’t privacy concerns about storing the image, or costs associated with that, but right now our systems just don’t do that. There certainly would be benefits to doing that, but there are risks [as well]. I don’t think people would feel quite as comfortable coming in and knowing their employer could store their fingerprint.

Do any of your customers use additional authentication, beyond biometrics?

Yes, we actually have some pretty big deployments [doing that], but that’s mostly on the government side. … We have a deployment in the Pentagon of about 6,000 seats in the office of the Secretary of Defense, where they had deployed smart cards, and they had started to use them for login to their PCs and signing e-mails, and things like that. But what happened was people were forgetting their PIN, and it sounds like a minor thing, but the PIN is stored on the card, and it’s harder for an administrator to deal with that. Actually, Pentagon regulations required that [a user] go to an office of provisioning. In the Pentagon, that could be a mile away.

So now … the user will use a fingerprint to log into the smart card, and the smart card would log in to Windows. So you get two-factor [authentication]: something you have, and something you are. We don’t see that that is a very prevalent sort of application in typical corporate America, but for very high-security requirements that would be found in the Secretary of Defense’s office, we do see that.

Related Article:

Touching SAP Data: User Access and Biometrics
http://esj.com/security/article.aspx?EditorialsID=886

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.