Biometrics, Part One
Posted Wednesday, September 25, 2002 by PDA Center
In today’s changing society, security has become increasingly important. Passwords, which were once considered effective and strong security methods, are now considered old, outdated, and ineffective. There are several widely available password cracking programs that are pretty good at cracking your passwords wide open. They work by simply guessing at words and phrases, and combining them, until they reach a match. While with some passwords this process could take years even using a large network of supercomputers, the truth is that people just don’t take as much care with their passwords as they should. People choose short, easy-to-remember passwords, such as telephone numbers, pet names, or even ordinary, everyday words. These are all easily guessed. The best passwords are long (generally 12 or more characters) and are alphanumeric (use both letters and numbers). If creating such a password seems a daunting task, you have a few options. The first option is simply to create a secure password that is easy to remember. The strategy I would recommend is thinking of a phrase, let’s say “I wake up at 7 am every morning,” and creating a password based on that. The password would be the first letter of every word, in this case “IWUA7AEM.” The second option is to use biometrics.
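As an added example (not part of the original article), here is the phrase trick above together with a check against the paragraph's own guidance: 12 or more characters, letters and numbers, and not something a cracker can build by combining common words. The wordlist is a small constructed sample and the function names are made up for this sketch.

```python
import itertools

# Constructed sample wordlist: the kinds of guesses the paragraph names
# (pet names, phone numbers, everyday words). Real lists are far larger.
WORDLIST = ["rex", "summer", "password", "monkey", "5551234"]

def mnemonic(phrase):
    """Build a password from the first character of every word."""
    return "".join(word[0] for word in phrase.split()).upper()

def is_guessable(password, words=WORDLIST, max_words=2):
    """True if the password is a wordlist entry or entries joined together."""
    target = password.lower()
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            if "".join(combo) == target:
                return True
    return False

def audit(password, min_length=12):
    """Return the ways a password misses the guidance above (empty = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if is_guessable(password):
        problems.append("built from wordlist entries")
    return problems

if __name__ == "__main__":
    for phrase in ("I wake up at 7 am every morning",
                   "I wake up at 7 am every morning and run 3 miles"):
        pw = mnemonic(phrase)
        print(pw, audit(pw))
    print("rexsummer", audit("rexsummer"))
```

The eight-word phrase gives only eight characters, so reaching the 12-character mark takes a longer phrase, such as the twelve-word one in the demo.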
Biometrics is using certain parts of yourself as the password, based on the assumption that you are unique. The most commonly used form of biometrics is signatures. If you think about it, you use them all the time. You use them to sign contracts, receipts, bills, taxes, all sorts of things. Unfortunately, signatures are not very secure methods of identification. They are easy to forge and subject to change with mood, experiences, and lifestyle. They are slow to analyze, difficult to implement for a mobile device, including a laptop, and have “limited potential for low cost miniaturized acquisition devices.” Another form of biometrics, fingerprint scanning, has been around for centuries; nevertheless, its full potential has yet to be realized. Its most common use is in law enforcement, to identify criminals. However, it is moving more and more into the public market. One company, DigitalPersona, has created a relatively inexpensive fingerprint scanner for public use. Called U.are.U Personal, it retails for around $90.
When I first opened the box which it came in, I was struck by how small it was. I had imagined that it would be large, bulky, and awkward. It was none of the above. In fact, it is barely even two inches long. It could be taped to the back of a PDA, or to the lid of a laptop for true mobility. The installation was a breeze. I inserted the CD it came with, and the scanner was up and running within five minutes. After I restarted my computer, I was prompted to register my fingers. Each finger that I wanted to register had to be scanned four times. While this seemed a little excessive, it made sense for strong security. After registering my fingers, I decided to try the scanner out online. I went to a few sites where I had registered, and scanned my finger. It recognized it so fast that I didn’t even realize it was done. A window popped up, and I navigated to the Replace Passwords option. I clicked on set up. I was prompted to enter my username and password that I wanted to use for the current site. I did so. It turns out that it offers even more flexibility in that you aren’t limited to only a username and password. You can enter as many fields as necessary. I could even have the scanner submit my user information for me, automatically.
U.are.U Personal also comes with One Touch Crypto. It is a simple encryption program. From the one-touch menu, you choose Encrypt, and then select the file. If this is the first encryption, you are prompted for a password in case you need to use the One Touch Crypto Recovery Utility (a mouthful). You use that in the event that Windows crashes or you have to uninstall U.are.U Personal.
DigitalPersona’s consumer product was designed to focus more on ease of use than on security. For example, everywhere a fingerprint can be used, they also allow you to enter a password instead, including at Windows logon. This password is used as a backup because there are no administrator tools to provide users access in case someone walks off with the sensor. While it is more convenient to not require or rely on an administrator, it is not as secure as a fingerprint-only logon. Of course, you could change all your Windows passwords to some ridiculous string of characters that’s very long (such as “ksdh$802mv27fnvoksjn^hgk#801280j”). That way you wouldn’t know what it is, and hackers or attackers would have a pretty hard time guessing it. When I asked them about the fingerprint-only security setting, they replied that people who are looking for additional security settings and network support should get U.are.U Pro, their enterprise product that is more expensive (about $149).
For a more affordable, yet more secure approach, I turned to Targus. They have recently come out with a fingerprint scanner, called the AUTHENTICATOR. The scanner comes with two USB ports built into it, which helps. The scanner itself is surprisingly small, yet it is able to accurately scan the finger. It comes with SecureSuite, which is a nice piece of software. It allows you to choose what authentication methods you want for what. For example, if you’re the administrator, you can require user Joe to prove he is who he says he is by setting SecureSuite to prompt for a password and a recognized fingerprint, or just use one of the two. It comes with features similar to those of the U.are.U, such as allowing you to sign in to web sites using only a finger. The main drawback to the Authenticator is its difficulty. It is confusing to install, and in my testing, it froze and crashed a few times. In the end, however, it did work. Another slight drawback is the number of false negatives, or the number of times I was rejected when I should have been accepted.
Another solution from Targus is a PC card. When I received my unit, I plugged it in, and right away was up and running. It comes with OmniPass, fingerprint scanning software similar to that included with U.are.U. After enrolling my fingers, I tested the reliability out. It was the worst of all, with several false rejections. On the other hand, this can be seen as a good thing, as it means more security. However, OmniPass is almost too similar to the U.are.U, as it doesn’t provide any fingerprint authentication at Windows startup. Another drawback is its form: PC card. I already had one PC card in use (a networking card). Since my laptop only has one PC card slot, I could only use one at a time, which would be a real pain in the neck.
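To put numbers on the false rejections discussed above, here is an added example (not from the original article or from either vendor) that computes the false rejection rate and false acceptance rate of a matcher at different acceptance thresholds. The match scores are constructed sample data from a hypothetical matcher, and the function names are made up for this sketch.

```python
# Constructed match scores (0 to 1) from a hypothetical fingerprint matcher.
GENUINE = [0.91, 0.84, 0.77, 0.69, 0.88, 0.58, 0.95, 0.73]   # the enrolled finger
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.05, 0.41]  # other people's fingers

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false rejection rate, false acceptance rate) at a threshold.

    A scan is accepted when its match score is >= threshold.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def sweep(thresholds=(0.4, 0.6, 0.8)):
    """Rates at several thresholds, from lenient to strict."""
    return {t: rates(t) for t in thresholds}

def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold (taken from the observed scores) where FRR and FAR are closest."""
    def gap(t):
        frr, far = rates(t, genuine, impostor)
        return abs(frr - far)
    return min(sorted(set(genuine) | set(impostor)), key=gap)

if __name__ == "__main__":
    for t, (frr, far) in sweep().items():
        print(f"threshold {t:.1f}: FRR {frr:.3f}  FAR {far:.3f}")
    print("closest to equal error rate at", equal_error_threshold())
```

Raising the threshold trades false acceptances for false rejections. A high rejection count only means more security if false acceptances fall with it, which a user cannot measure from their own logins.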
So what’s the bottom line? If you want ease of use and reliability, go for the U.are.U Personal. (If you are looking for added convenience and heightened security look into the U.are.U Pro product). If you want stronger security, yet more complicated directions and less ease of use, opt for the Targus Authenticator. If you want more mobility, go with the Targus Authenticator PC card. Or, if you’re in the mood for something a little less conventional, read on.
There is exciting new work and research being done in biometrics. New devices that we should expect to see commercially available within the next several years are eye (retina, iris) scanners, voice recognition, and thermal imaging recognition, not to mention facial recognition, and even body odor recognition.
Voice recognition is already starting to appear more and more. For example, there are programs that allow you to dictate to your computer, instead of typing. Microsoft included such software with Office XP, allowing you to dictate to Microsoft Word. Mac, on the other hand, is one step ahead of Windows. The latest Mac OS includes a voice password feature that allows you to log on to your account using your voice. This has the potential to be a very useful technology, employed everywhere from homes to the increasingly secure airports. It does, however, have its flaws. If you set one voice password, it is very easy for someone to just record it, and then play it back. Of course, there is a solution for that. Once you’ve trained the software to your voice, when you log in or require a password, it can prompt you to read a randomly generated phrase. Nevertheless, there are a few more problems that aren’t as easy to work around, such as voice changes with age, diseases (such as laryngitis, colds, the flu) that may alter your voice a little, or even different moods. So while this has potential, it still needs some work.
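The random-phrase defence described above, as an added example (not part of the original article and not how any named product works): each login gets a fresh, single-use, short-lived phrase, so a recording of an earlier login says the wrong words. The transcript and speaker score are assumed to come from a speech recognizer and a speaker-verification model that are not implemented here; the word pool, class name and threshold are constructed for this sketch.

```python
import secrets
import time

# Constructed word pool; a real deployment would use a far larger one.
WORDS = ["amber", "bridge", "candle", "delta", "ember", "forest", "garnet",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow",
         "nickel", "orchid", "pebble"]

def normalize(text):
    """Lowercase and collapse whitespace so transcripts compare cleanly."""
    return " ".join(text.lower().split())

class VoiceChallenger:
    def __init__(self, ttl=30.0, n_words=4, threshold=0.8, clock=time.monotonic):
        self.ttl, self.n_words, self.threshold = ttl, n_words, threshold
        self.clock = clock
        self.pending = {}  # user -> (phrase, expiry time)

    def issue(self, user):
        """Pick a fresh random phrase for this login attempt."""
        phrase = " ".join(secrets.choice(WORDS) for _ in range(self.n_words))
        self.pending[user] = (phrase, self.clock() + self.ttl)
        return phrase

    def verify(self, user, transcript, speaker_score):
        """transcript and speaker_score are assumed outputs of a speech
        recognizer and a speaker-verification model (not implemented here)."""
        challenge = self.pending.pop(user, None)  # single use
        if challenge is None:
            return False  # nothing outstanding for this user
        phrase, expiry = challenge
        if self.clock() > expiry:
            return False  # answered too late: challenge is stale
        if normalize(transcript) != phrase:
            return False  # right voice, wrong words: e.g. replayed audio
        return speaker_score >= self.threshold

if __name__ == "__main__":
    challenger = VoiceChallenger()
    prompt = challenger.issue("alice")
    print("Please read aloud:", prompt)
    print("live answer accepted:", challenger.verify("alice", prompt, 0.93))
    print("same answer again:   ", challenger.verify("alice", prompt, 0.93))
```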
Facial recognition is being used more and more today by the government, and by high-security private institutions. It works by taking a picture of the subject’s face, then analyzing it, finding a few key points, and comparing them to a database. More advanced software could easily see around obstructions, such as facial hair, makeup, etc. Although this is not readily available on the market, some computer and electronics manufacturers are starting to include facial recognition software in with computer digital cameras.
To conclude, the field of commercial biometrics is new and still expanding; however, there are several affordable, good quality peripherals out there. So if you’re a security buff, or even if you’re not, biometrics is something definitely worth investing in. As they say, an ounce of prevention is worth a pound of cure; in other words, better to spend $80 or $90 now than risk losing potentially thousands of dollars, maybe even more, in hardware and data.
Eye scanning is another new field that could be the most secure form of biometrics yet. Already used by some ATMs, these devices work by finding the subject’s eye and scanning it. Iris scanners, for example, find the pattern in the iris that is presumed to be unique to each individual, similar to fingerprints.