Getting started with biometrics
The ever-growing need to mitigate the risks of identity theft, coupled with regulatory compliance and general concerns about the reliability of passwords, means that multi-factor authentication is a hot issue in identity management circles. The factors in question are well understood: something you know, something you have, or something you are, in various combinations.
The "something you are" factor - biometrics - has long been discussed as a means of addressing the limitations of the other factors. But it has largely remained just that - discussion. However, government identity cards, passports, etc. are increasing the volume, and widespread implementation is becoming a serious (in more ways than one!) possibility.
With that in mind, I recommend you take a look at this recent post from Jerry Fishenden, Microsoft's National Technology Officer for the UK. Whilst Jerry discusses broader societal issues, there is some sage advice for organisations evaluating biometrics as part of a multi-factor authentication strategy, not least:
I use fingerprint readers at home both for access to my office and on one of my PCs - where they are a great convenience and work reasonably well (if occasionally taking a few times to succeed). However, I don't like the way in which they merge authentication and identification into a single process, unlocking the PC for example just with a fingerprint without any other form of credential. This would certainly not be a sustainable model in an environment where proper security was required.
and
One of the core principles of computer-based security is the separation of identification from authentication. After all, if you merge the two, what happens when your biometrics are compromised? By keeping these aspects separate, it remains possible to issue different credentials to be used alongside our biometrics. Stronger systems ideally adhere to the established 3 factor principle: something you know (such as a PIN), something you have (such as a smart card) and something you are (which is, of course, where biometrics typically come in).
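The difference between the merged and separated models in the two quotes above can be made concrete. The following Python is an added example, not code from Jerry's post or from Microsoft; the Directory class, the feature-vector templates, the match threshold and the PINs are constructed, and it assumes a fingerprint reduces to a short feature vector compared against a fixed tolerance.

```python
import hashlib
import hmac
import os

MATCH_THRESHOLD = 0.15  # constructed tolerance for this simplified matcher

def _distance(a, b):
    return max(abs(x - y) for x, y in zip(a, b))

def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Directory:
    def __init__(self):
        self.users = {}

    def enroll(self, user_id, template, pin):
        salt = os.urandom(16)
        self.users[user_id] = {"template": template, "salt": salt, "pin": _pin_hash(pin, salt)}

    def reissue_pin(self, user_id, new_pin):
        # The revocable credential: the fingerprint cannot be changed, this can.
        salt = os.urandom(16)
        self.users[user_id].update(salt=salt, pin=_pin_hash(new_pin, salt))

    def unlock_merged(self, sample):
        # Merged model: a 1:N search, so the biometric alone names AND authenticates.
        for user_id, rec in self.users.items():
            if _distance(sample, rec["template"]) <= MATCH_THRESHOLD:
                return user_id
        return None

    def unlock_separated(self, claimed_id, sample, pin):
        # Separated model: identity is claimed first, then each factor is verified 1:1.
        rec = self.users.get(claimed_id)
        if rec is None:
            return False
        bio_ok = _distance(sample, rec["template"]) <= MATCH_THRESHOLD
        pin_ok = hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin"])
        return bio_ok and pin_ok

def demo():
    d = Directory()
    d.enroll("alice", [0.42, 0.77, 0.13], "4921")
    copied = [0.43, 0.76, 0.14]  # constructed: a compromised copy of alice's biometric
    before = (d.unlock_merged(copied), d.unlock_separated("alice", copied, "0000"))
    d.reissue_pin("alice", "1357")  # response to compromise: rotate the other factor
    after = d.unlock_separated("alice", copied, "4921")
    return before, after
```

In the merged model the copied biometric is sufficient on its own and nothing can be reissued; in the separated model it fails without the PIN, and rotating the PIN invalidates anything that was captured alongside it.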