Click to Print

Body Language

Password glut got you down? Hackers scoff at password systems, anyway. Is biometrics the answer?
March 1, 2001
URL: http://www.entrepreneur.com/article/37810

Back in the 1980s, I think I had one password-my ATM PIN number. OK, maybe I had a gate code number, too. Today, I must have 100 passwords-who knows?

It seems as if a growing number of sites demand user names and passwords-usually with special syntax that keeps me from using the same pair everywhere. Then, I'm supposed to change them all periodically for security's sake.

That's a joke. Research company Frost & Sullivan analyst Jason Wright reminds us that password systems are relatively low hurdles for hackers breaking into our LANs, Web sites or e-mail systems. The average hacker-more often than not, an employee-need only run free password-cracking software like Lophtcrack against a fairly obvious set of user names (such as Mike_Hogan, Mike Hogan, Mhogan and so on).

Consumers know this intuitively. In a recent survey by Yankelovich Partners, 38 percent of respondents said privacy and security concerns limit their online spending, and another 31 percent said those concerns cause them to refrain from online purchases altogether. In other words, real or perceived short-comings in Internet security hit entrepreneurs right in the bottom line.

But you may already have the solution to all your security needs right in the palm of your hand-or, more likely, at your fingertips. That's because biometrics offers an answer to all security and authorization issues. These technologies rely on the uniqueness of the human body to identify individuals, literally measuring your biological features and behaviors. The technology can scan your fingertips, hands, face, iris, retina, voice pattern or even behavioral characteristics. For example, there's a technology that measures the way you hunt and peck on a keyboard.

Biometrics has long been used by government and corporate IT departments. Lately, it's gotten a lot cheaper and so reliable that the chances of fooling a biometric scan are, like, one in a billion.

The technology is only now getting into the hands of consumers and businesses, although analysts believe the continued strong growth of biometrics in traditional venues will help jump-start its widespread use on the Internet.

IDC predicts that biometrics sales to IT departments alone will grow more than 60 percent annually to $1.8 billion by 2004. But it's hard to be precise about a market that's just being born.



Mike Hogan, Entrepreneur's technology editor, can be reached at mikehoganentrepreneur@juno.com.

Different Strokes

There are at least a half dozen different technologies and hundreds of vendors under the biometrics umbrella. Finger (or thumb) scanning accounts for the lion's share of sales-about 34 percent in 1999, according to consulting firm International Biometric Group (IBG)-and is expected to maintain its lead. However, none of the methods can be considered the optimal solution.

"If you already have a telephone in your hand, the most natural thing in the world is to use voice scanning for identification," says Samir Nanavati, partner with IBG. "If you're already typing at a keyboard, the unique pattern of how you type makes the most sense. And if you need an electronic signature anyway, why not do a biometric match for identification purposes?"

IBG showcases all the commercially available technologies at its Biometric Store in New York City and on its Web site, which also includes vendor profiles, performance results and links to providers.

Finger scanners are easy to use and can fit easily into peripheral devices, such as keyboards or Type II PC Cards. A good example of the latter is the Bio-Touch PC Card Fingerprint Reader/BioLogon software bundle sold on the Web site of market leader Identix for $179 (all prices street). The optical fingerprint reader pops out from the PC Card slot when you press it-just like the phone jack on some modem cards. Identix also sells the technology to Compaq, Dell and Toshiba, which offer it as an option for their portable PCs. Other types of readers made by Identix partners are found on its Web site.

Relatively low (and falling) retail prices mirror precipitous declines in manufacturing costs and the retail prices of most leading biometrics technologies. Retail prices have recently fallen below the important $100 threshold on a per-unit basis, says Wright. Identix used to sell the precursor to its current technology to government and law enforcement for a minimum of $40,000 per installation. Now the per-unit original equipment manufacturer price is less than $20.

Prices are at the point that BioLink vice president of business development Mike Thompson hopes to persuade major Web portals and financial institutions to buy his U-Match Biolink Mouse in bulk and give it to their best customers as a premium. "It costs about $160 to get a customer and $200 a year to keep him," reasons Thompson, who maintains that biometric security is a good way for e-tailers to bind customers to their sites. U-Match and most competitive finger scanners can already be configured to substitute for your usual Web site passwords, says Thompson.

Of course, that only provides convenience, not added security. Truly secure browsing requires an appropriate authentication and authorization server on the Web site, and those are only now hitting the market. BioLink is putting the finishing touches on its $3,500 BioVault biometric Web server, and Identix is about to begin marketing a Windows-compatible finger-scanning server.

According to Identix vice president Grant Evans, biometric servers could also benefit B2B e-commerce because, under the recently passed digital signature law, biometric authentication can be substituted for your actual signature or used with card e-sign technology to make a document legally binding.

Don't want to maintain a biometric server in-house? Vendors plan to provide their services for a monthly licensing fee. Some are building partnerships with providers of related technologies in order to offer a menu of services.

Privacy Concerns

With costs under control and accuracy unparalleled, the last remaining issue to the adoption of biometrics seems to be a lingering concern about its potential invasiveness, especially the technologies, like retina scanning of the back of the eyeball, that require close proximity to a reading device. There's also lingering concern that various hand scans could be used to collect fingerprints.

But that's not how it works. While biometrics may make you more efficient at matching your Web site visitors to the customer profiles you keep of them, it doesn't provide any more information about the user at the point of access than the typical password system. These concerns are usually ameliorated once someone begins using the technology, says Nanavati, a process that can be accelerated if the consumer has control of the actual scan template on, say, a portable smart card.

Some templates can fit on a pen or even the magnetic stripe on a credit card. The complementary PKI, smart card and biometric markets got a boost this spring when Microsoft announced support for all of them in future Windows versions, making it easier to build servers using them all. Multifactor security or carrying a "hardware token" may be desirable for logging on to your LAN or your online bank.

But carrying something around detracts from one of the big selling points of biometrics-convenience. In most cases, the use of random software keys in combination with biometrics should suffice, says Evans. After all, he points out, that's the beauty of relying on your body for security: "You can't leave home without it, you can never forget it and it doesn't change."


Contact Sources