Absolute security at your fingertips

If predictions come true, computer users might be saying a fond farewell to the multitude of login IDs and passwords tumbling around in their heads within the next five years. As if this notion doesn’t provoke enough glee, password-protection will be given up for an even more secure method of encryption.

With biometrics technology, you are your password. Whether the security measure is asking for a fingerprint scan or an iris scan, or measures a user’s typing rhythm, biometrics security is more reliable and less open to hacking, said Roger Kay, research manager at Framingham, Mass.-based International Data Corp.

“Hackers can generate programs that enter in combinations and fire away at operating systems that are not resistant,” Kay said. “They can brute force hammer the password entry. You can’t really do that with biometrics.”

According to Compaq Canada Inc.’s Michael Dodgson, marketing manager for commercial notebooks, biometrics technology cannot only protect data better, it can also save a company money by cutting down on the number of calls to technical support because of lost or forgotten passwords.

Approximately 40 per cent of all calls to tech support lines are about missing passwords, said Dodgson. In October, Compaq released its Biometrics PC Card for mobile personal computers, which can be installed in a PC card slot. The card has a tiny camera that scans a fingerprint image and translates it to a map (for instance, a string of ones and zeroes), which is then encrypted so that the user can log on securely and quickly. Together with Compaq’s BioLogon software, it’s a little pricier than a login ID and password at $259.

“The information I have received says this is an excellent way to uniquely identify people and there would not be similar enough fingerprints to cause [a] problem,” Dodgson said.

Hackers trying to find loopholes in the security of biometrics devices might end up frustrated. Cutting off a user’s finger or poking out an eyeball a la “Blade Runner” in the case of iris scanners, Kay and Dodgson agree that the scan would not likely work, although both also admit that they are not 100 per cent certain. Flashing a picture of the fingerprint in front of the scanner would also fail to get results, as the scanners are typically expecting certain types of contours on the finger.

As a security measure, biometrics technologies are only as effective as the company that makes them.

“What scares me is companies that don’t [think about the technology] in a mature fashion,” said Scott Loveland, a manager at KPMG Investigation and Security Inc. (KPMG ISI) in Toronto . One of the problems with biometrics security, he said, is that some companies do not encrypt the map extracted from the print when it is sent over the network. Sending a string of characters unencrypted over a network is just as bad as sending an unencrypted password over a network. If a hacker is watching, it’s very simple to plug in the string from another terminal and, voila, instant access. And once a fingerprint ID has been compromised, it’s not possible to ask for a new one.

On the other hand, Loveland said, as a security specialist, he is looking forward to the technology. With login IDs and passwords, they can be stolen or given out, but with a fingerprint or an iris, as long as the technology has been implemented properly, he knows absolutely who is logged in on a network.

Another important question, Kay said, is, where are these fingerprint maps being stored and who has access to them? If a central repository of these maps is created and legal authorities have access to them, a police state has just been built. At the same time, there is also the potential for identity theft. There would be the possibility of essentially becoming another person by fraudulently registering your own prints in someone else’s name.

According to studies conducted by International Biometric Group, a New York-based integration and consulting firm, the biometrics market’s total annual revenue in 1999 was US$58.4 million. The company expects the revenue to increase to US$594 million per year by 2003. Their numbers include revenue on various types of biometrics systems, including finger, voice, face, signature, hand, iris and retina scanners. By far, the most popular technology right now is the fingerprint scan with 34 per cent of the total revenue.

While the biometrics market is certainly growing, it will be at least three years before the establishment of commercial markets, and it will likely be at least another two years after that before consumers adopt the technology, Kay said.