Biometrics has been called the future of IT security for years, but that future never seems to arrive. Last year, there were signs that this was about to change. Almost all laptop vendors began shipping models with built-in fingerprint readers, and biometric desktop keyboards also became an option from companies such as IBM and Microsoft.
The growth of biometrics is driven mostly by the failure of passwords. As computers increase in power, breaking dictionary passwords through brute force techniques becomes easier. At the same time, the increasing number of systems that each person must log in to is making passwords more difficult to remember. An unalterable physical characteristic that can't be forgotten or lost seems like a much better choice.
Maybe so, but IT departments considering biometrics need to keep three things in mind. First, forget about DNA sequencing or retina scans unless you're in the military or law enforcement. For the foreseeable future, fingerprints are the only physical biometrics set for widespread use in authentication--and even then, fingerprint readers will be far from ubiquitous.
Second, biometrics needs to be part of a multifactor authentication architecture, combined with passwords or hardware. This is partly because a biometric factor on its own acts only as an identifier--it's closer to a publicly known username than a secret password--and partly because today's cheap fingerprint scanners aren't reliable enough to be used alone.
Last and most importantly, physical biometrics is best used only for local physical security, not for direct access to networked resources. Transferring fingerprints over the Internet introduces risks, and a central store of private biometric data represents a valuable target for attackers. Instead, biometrics can be used indirectly: For instance, a server can be accessed via a digital certificate or one-time password that's stored on a local hardware device such as a smartcard, USB dongle, or Trusted Platform Module (TPM). That hardware can in turn be locked biometrically.