Keep your development environment safe with tips from expert John McCormick in Builder.com's weekly Development Security Spotlight e-newsletter. Automatically subscribe to the e-newsletter now!
Biometrics, a security technology that uses some human physical feature for identification purposes, stands (or falls) on four legs: hardware, security level, integration with applications or operating systems, and user acceptance. Unless biometrics can meet your minimum requirements in all four areas, you should reject it.
Of the four criteria, hardware is probably the simplest to grant a passing grade. There are many kinds of biometric hardware that are inexpensive and interface fairly easily with various software platforms.
In choosing to go with a form of biometrics, you must balance the freedom from the much-hated (and often misused) password with the extra cost associated with adding hardware to the desktop (or perhaps many desktops).
It's fairly simple to integrate biometric software with development platforms, but the details vary so much depending on the application and operating environment that it’s difficult to go into specifics here. Before you begin, you need to check to see if the appropriate APIs are available.
You also need to look at user acceptance. If a particular technology can’t provide a high degree of security with low error rates, you can't use it anyway. Too many calls to the help desk won’t win biometric technology any friends in management or among users.
Now let's look at a few biometric technologies, keeping these four criteria in mind. But first, you need to learn two terms commonly used in biometrics: FAR (False Acceptance Rate) and FRR (False Rejection Rate). FAR is a measure of how secure the system is (i.e., how often an imposter will be accepted as legitimate), and FRR is a measure of how often a legitimate user is not authenticated properly.
Face and voice recognition
Face recognition and voice recognition are the most popular biometrics technologies with users. However, face recognition requires expensive hardware and a complex physical setup, while voice recognition scores poorly on both FAR and FRR.
In the real world, face recognition is very processor-intensive and requires an expensive camera with special lighting and careful installation to work really well.
The most secure and commonly available biometric system is based on the unique pattern of a person’s iris (for an example of this technology, see the James Bond movie Never Say Never Again). Users often strongly resist this very invasive technology; it's also expensive and takes up a lot of space. Therefore, iris scanning technology is best suited for physical-access control rather than software-access control.
Fingerprint recognition has been around longer than any other biometric technology. (I actually evaluated PC-access fingerprint systems more than a decade ago, and they were usable even then.)
Today, USB ports and ever-increasing processor speed make this the best choice for most application or hardware access control. Fingerprint recognition is by far the most cost-effective, reliable, easiest to implement, and the best overall choice for the majority of applications where desktop-level user authentication is required. The only time that fingerprint recognition isn't the clear choice is when extremely high security is required.
Remember to remind administrators to have users “enroll” a minimum of two fingers (although registering all ten is best) on different hands to minimize lockouts from such minor problems as paper cuts.
Users are sometimes reluctant about fingerprint recognition technology, primarily because law enforcement uses fingerprints. This may be easy to overcome by reminding users that their fingerprints are all over their workstation already if someone really wants to capture them. If that fails, tell them that the best alternative is the regularly changing password. There are so many objections to the use of passwords that it makes biometric technology a very attractive authentication alternative.
One final point to remember is that most biometric technology can be adjusted at the software level to tweak both the FAR and FRR, depending on the required security level.
Paul Reid’s Biometrics and Network Security explains the various factors in choosing a biometric technology. This book may be useful for planning a new project, although developers should be aware that this text deals with costs, reliability, and user acceptance rather than how to interface with your applications.