Problem solve Get help with specific problems with your technologies, process and projects.

Two-factor authentication and biometrics

An introduction to biometric authentication, how it works, its pros and cons, and expert advice on if and when to deploy the technology.

How it works

Biometrics authenticates a person based on a physical or behavioral characteristic, including the face, fingerprints, hand geometry, retinas, handwriting and voice. Many computer manufacturers are building in swipe fingerprint readers onto the case of the computer or its keyboard.

At the same time, Trusted Computing Group (TCG) is driving the adoption of the Trusted Platform Module (TPM) chip onto the motherboard of most business-class desktops, laptops and tablet computers. Manufacturers like Dell, Fujitsu, Hewlett-Packard, Intel, Lenovo and Toshiba have joined TCG and support the TPM module. The TPM chip is a microcontroller that stores cryptographic keys, passwords and digital certificates, and is accessed via secure channels built into the client software. Combined with built-in, swipe-based biometric readers, the TPM provides strong authentication and credential storage.

Pros and cons

TPM adoption by the major PC vendors, combined with free client biometric software, is driving down costs dramatically in this market and facilitating enterprise deployment. Standalone biometric readers such as fingerprint, retina and handprint scanners have historically been in the $100 range plus software costs. Currently, only fingerprint readers are being added to PCs at the point of manufacture.

The biometric software typically converts the fingerprint into a series of data points that mathematically represent the fingerprint, but cannot be used to recreate the fingerprint. Vendors vary widely in their implementation of this measurement process. The crossover error rate is a good measure of accuracy of the reader/software combination, but the readers themselves can be susceptible to errors.

Other issues to consider before choosing this type of biometric solution are what's required to effectively deploy and centrally control the required client software, and whether there is reporting to a central server on security events such as unauthorized access. The answers to these questions vary from manufacturer to manufacturer.

What to do

Look first to implement a built-in fingerprint reader/TPM solution for users that are accessing high-value data such as mergers and acquisitions material, technical research and marketing plans. Then consider deploying it in a measured way across the enterprise to other users, keeping in mind the time it takes to deliver client software to thousands of desktops and to enroll users' fingerprints with the readers.

Two-factor authentication options

  Smart cards
  Safe mode: Danger zone

Tom Bowers

About the author
Tom Bowers is the Security Director of Net4NZIX, an independent think tank and industry analyst group, as well as a technical editor for
Information Security magazine. Bowers, who holds the CISSP, PMP and Certified Ethical Hacker certifications, is a well known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. He is also the president of the Philadelphia chapter of Infragard, the second largest chapter in the country with more than 600 members.

This article originally appeared in Information Security magazine.

Dig Deeper on Identity and access management (IAM) security services