A human touch makes passwords passe

22 May 2001


A Computing logo

I went flying a couple of weekends ago, across to the coast of France for a bite of lunch and back again, all courtesy of a friend with a pilot's licence. What surprised me was that the plane had no locks on the doors.

Anyone could have started her up and flown away. Yet no-one attempted to break in while we were at lunch, or had ever done so. There remains a mutual trust among flyers that stems from their mutual dependence.


Compare that to today's networks. There are locks everywhere - such as passwords and smartcards - but this doesn't seem to stop unauthorised miscreants from breaking in. We routinely expect our networks to be safe - and end-users have as much of a stake in this as the people responsible for safeguarding precious company data.

The trouble with passwords, as any network manager knows, is that there are too many of them. Anyone who spends any time at all on the web ends up with a stack of them, so you still see the proverbial Post-it stuck on the side of a user's monitor - an open door for anyone passing by.

Single sign-on has gone some way towards solving the problem, but the fact remains that what you know - a password - doesn't ensure that the person logging on is the person who's authorised to access that information. Also, a security system based on what you have, such as some form of token or smartcard, has other similarly fatal flaws. It's time to take a second look at biometrics.

Biometric authentication is based on who you are, verified by such techniques as fingerprinting, retina scanning or voice recognition. None is perfect, and some, such as fingerprinting, can be faked if you can be bothered to go to the trouble of coating your fingertips with silicon.

However, fingerprinting and retina scanning are the most secure of all the biometric methods; signature scanning, facial scanning, and keystroke analysis are nowhere near as good at identifying individuals. Both fingerprinting and retina scanning are invasive, however, especially the retina scan, which involves shining a laser into the eye, and both can require a little work from the user's point of view.

The biggest obstacle to the uptake of biometric security is end-user attitudes. Using a fingerprint for authentication purposes evokes at best unease, and at worst a sense of intrusion: when people think of fingerprinting they think of prison, not of an alternative to passwords.

Fortunately, other hurdles are falling. Though laser-powered retina scanners remain prohibitively expensive, elsewhere prices are coming down as volumes increase, with fingerprint scanners now available for less than $50.

Integrated devices can only aid this trend. Infineon has produced a mouse that includes a fingerprint scanner, for example. The trend also enables the introduction of mobile security devices, such as a PDA with built-in hardware security.

I believe that biometrics will, in time, become a standard authentication technique for the enterprise, and the time to start thinking about implementation is now. That's because security problems won't go away, and with passwords becoming more problematic, the situation can only worsen, making new authentication methodologies essential.

Flyers may trust each other, but alas, network managers cannot trust anyone.
