Have passwords outlived their usefulness? Take a look at some of the weak passwords exposed in website breaches this year, and judge for yourself. The frequent use of weak passwords such as "changeme," "123abc," and "Pa$$w0rd" (real-life examples uncovered in the recent breach and defacement of a security software vendor's website) is a strong indicator that enterprise organizations might be well-advised to consider a shift to new mechanisms for secure authentication that are more resistant to subversion by careless end-users.

Weak passwords are a problem because they are easy to guess – and they are certainly no match for brute-force password attacks by criminals using automated password cracking software such as John the Ripper.

One way to beef up the security of your authentication process is to force users to create long, complex passwords, but such enforcement comes at the risk of employees writing the passwords down – thereby defeating the attempt to increase security.

A better method is to adopt a two-factor authentication system. To authenticate, users have to supply a password ("something they know") as well as information from a second factor – typically "something they have," such as a one-time password generator token.

The Biometric Advantage

Of course, one-time password tokens can be lost as well as potentially hacked, so relying on "something they have" is not always a foolproof approach.

Instead, an even more secure two-factor system can be based on "something they are" – that is, biometric information derived from measurable biological or behavioral characteristics.

Common biological characteristics used for enterprise authentication are fingerprints, palm or finger vein patterns, iris features, and voice or face patterns. These last three involve no physical contact with a biometric sensor, which makes them less intrusive to use.

Behavioral characteristics such as keystroke dynamics – a measure of the way that a user types, analyzing features such as typing speed and the amount of time they "dwell" on a given key – can also be used to authenticate a user.

The biggest growth area is the deployment of systems that make use of a smartphone as a portable biometric sensor, according to Ant Allan, a research vice president at Gartner. "There is an explosion in the choice of authentication methods open to organizations, and we are certainly seeing a shift towards biometric systems that take advantage of sensors in mobile devices – the camera, for face or iris recognition, the microphone for voice recognition, and the keyboard for typing rhythm," he said.

The advantages of this smartphone-based approach are that it is not necessary to purchase any special biometric hardware, because users are likely to have their phone with them any time they need to log on to a system, and the phone's cellular or Wi-Fi connectivity can be used to transmit biometric information to a back-end authentication system.

Benefits and Drawbacks

The main benefit of using a biometric authentication factor instead of a physical token is that biometrics can't easily be lost, stolen, hacked, duplicated, or shared. They are also resistant to social engineering attacks – and since users are required to be present to use a biometric factor, it can also prevent unethical employees from repudiating responsibility for their actions by claiming an imposter had logged on using their authentication credentials when they were not present.

"Biometric systems can be much more convenient than tokens and other systems, and are useful to augment existing security methods like passwords," said Alan Goode, a security analyst at Goode Intelligence. "For added security they are also sometimes used as a third factor," he added.

The main drawback of any biometric system is that it can never be 100 percent accurate. To use a biometric system, it is first necessary for each user to enroll by providing one or more samples of the biometric in question (such as a fingerprint), which are used to make a "template" of that biometric. When a user attempts to authenticate, the biometric they provide is then compared with their stored template. The system then assesses whether the sample is similar enough to the template to be judged a match.

A measure of a system's accuracy is commonly provided by two statistics: False Non Match Rate (FNMR) and False Match Rate (FMR). The former measures how often a biometric is not matched to the template when it should be, while the latter measures how often a false biometric is matched (and authentication is allowed) when it shouldn't be. Most biometric systems can be "tuned" to reduce one of these two measurements, usually at the expense of the other. "It's important to understand that when a user supplies a password or a number from an OTP (one time password) token, it is either correct or it isn’t. With biometrics you never get a definitive yes or no," explained Mark Diodati, a Gartner analyst.
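To make the trade-off concrete, here is an added Python example (not from the article or any vendor it names) that computes FNMR and FMR from a matcher's similarity scores at a chosen threshold and finds the lowest threshold that holds FMR under a target. The score lists are constructed sample data, and the convention that a score at or above the threshold counts as a match is an assumption.

```python
# Added example (not from the article): FNMR and FMR for a biometric
# matcher at a decision threshold, computed from constructed score data,
# plus the threshold required to cap FMR at a target.

# Constructed sample data: similarity scores in [0, 1] from a matcher.
# Genuine scores: users compared against their own template.
# Impostor scores: users compared against someone else's template.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.86, 0.69, 0.93, 0.84]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.28, 0.61, 0.39, 0.73, 0.22, 0.48, 0.35]


def fnmr(genuine, threshold):
    """False Non-Match Rate: share of genuine attempts scored below threshold."""
    if not genuine:
        raise ValueError("need at least one genuine score")
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def fmr(impostor, threshold):
    """False Match Rate: share of impostor attempts scored at or above it."""
    if not impostor:
        raise ValueError("need at least one impostor score")
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(FNMR, FMR) at one threshold: raising it lowers FMR but raises FNMR."""
    return fnmr(genuine, threshold), fmr(impostor, threshold)


def threshold_for_max_fmr(max_fmr, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold (0.01 steps) whose FMR does not exceed max_fmr,
    together with the FNMR that setting costs legitimate users."""
    for step in range(101):
        t = round(step / 100, 2)
        if fmr(impostor, t) <= max_fmr:
            return t, fnmr(genuine, t)
    raise ValueError("no threshold in [0, 1] meets the FMR target")


if __name__ == "__main__":
    for t in (0.60, 0.70, 0.75):
        print(f"threshold {t:.2f}: FNMR={error_rates(t)[0]:.2f} FMR={error_rates(t)[1]:.2f}")
    print("zero FMR needs threshold/FNMR:", threshold_for_max_fmr(0.0))
```

On this data a second-factor deployment willing to accept a 10 percent FMR can run at a 0.62 threshold with no genuine rejections, while driving FMR to zero (closer to what a single-factor deployment needs) requires 0.74 and turns away one genuine user in ten.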

What To Look For

1. Cost. The purpose of implementing any biometric system is generally to maintain the same level of security at lower cost, or to improve security at a reasonable cost. The cost of implementing a biometric system will depend on whether biometric authentication can be added to your existing authentication infrastructure using standards such as BioAPI (vendors such as Entrust support fingerprint readers as authenticators on their platform), or whether your entire authentication platform has to be replaced, or whether you decide to use an additional biometric authentication system in parallel with your existing one.

An alternative approach could be to use biometrics to access a single sign-on system that then accesses your existing authentication system(s).

Other factors include the cost of sensors such as fingerprint readers or iris scanners that have to be purchased. This drawback obviously does not apply to biometric systems that use smartphones as sensors.

2. Biometric type and security. Different biometric systems provide different levels of security as measured by FNMR and FMR scores – and with the current state of technology, a good fingerprint reader generally offers a lower FNMR and FMR (and therefore "better security") than non-contact technologies such as voice or face recognition.

But before rejecting any biometric type on the grounds that its FNMR and FMR scores are too high, it is important to consider what level of security you really need a biometric system to provide. A biometric system that you plan to use as the single factor for authentication needs to offer more security than a system that you plan to use as a second or third factor.

It's also important to take into account the environment the biometric authentication system will be used in. For example, fingerprint readers do not work well in environments where users' fingers are likely to be dirty. Similarly, voice recognition systems are not a good match for excessively noisy environments.

3. Anti-spoofing measures. One potential problem with biometric factors is that they are not "secrets" in the way that passwords or tokens are. This means that it could be possible for a hacker to present a photograph to fool a facial recognition system, to present a wax cast of a fingerprint to a reader, or to play back a recording of a voice to a voice recognition system. It may even be possible to intercept the biometric data from the reader and replay it later, bypassing the biometric sensor. Before purchasing any biometric technology, be sure to understand what types of anti-spoofing measures it employs.

Vendors tackle this problem in a number of ways. For example, some voice recognition systems require users to authenticate by asking them to speak a series of random words, preventing them from using a previously recorded voice sample. Similarly, face recognition systems may attempt to detect blinking to ascertain that the image in front of the camera is not a photograph. Sophisticated fingerprint readers also measure heat or electrical conductivity to establish that the finger is "alive."

4. Revocation. Unlike a password, biometric characteristics such as fingerprints can't be revoked or changed. This can pose a serious problem should a hacker successfully compromise the database housing the biometric credentials. Some biometric systems may deal with this challenge by uniquely distorting or transforming the biometric template when it is stored, and transforming or distorting the biometric in the same way during the match process. If a hacker compromises a fingerprint template database, users can then re-enroll and distinct templates can be generated by using a different distortion or transformation. Ask any vendor you talk to how their system deals with template revocation.
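The template transformation described above, as an added Python illustration (not from the article or any vendor it names): a per-enrollment key drives a distance-preserving scrambling of the feature vector, only the scrambled form is stored, and re-enrolling under a fresh key leaves a leaked template unusable. The feature vectors, the permute-and-sign-flip transform and the match threshold are constructed assumptions; a production scheme would use a stronger transform and keep the key apart from the template store.

```python
# Added example (not from the article): a toy "cancelable" biometric
# template. The feature vector is transformed with a per-enrollment key
# before storage, matching happens in the transformed domain, and
# re-enrolling under a new key invalidates a leaked template.
import hashlib
import math
import random
import secrets

# Constructed sample data: a user's enrolled feature vector, a fresh
# (slightly noisy) sample from the same user, and a sample from someone else.
ENROLLED = [0.1, 0.8, 0.3, 0.5, 0.9, 0.2, 0.7, 0.4]
PROBE_SAME = [0.12, 0.78, 0.31, 0.49, 0.91, 0.22, 0.68, 0.41]
PROBE_OTHER = [0.9, 0.1, 0.6, 0.2, 0.3, 0.8, 0.1, 0.6]
MATCH_THRESHOLD = 0.1  # assumed maximum Euclidean distance accepted as a match


def transform(features, key):
    """Key-dependent permutation and sign flip of the feature vector.

    The transform preserves Euclidean distance, so genuine samples still
    match their template, while a template made under one key is useless
    against samples transformed under another key.
    """
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    rng = random.Random(seed)
    order = list(range(len(features)))
    rng.shuffle(order)
    signs = [rng.choice((-1.0, 1.0)) for _ in features]
    return [signs[i] * features[order[i]] for i in range(len(features))]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def enroll(features, key):
    """Store only the transformed template; the key is kept elsewhere."""
    return transform(features, key)


def verify(template, probe, key, threshold=MATCH_THRESHOLD):
    """Transform the live sample with the same key and compare distances."""
    return distance(template, transform(probe, key)) <= threshold


def reenroll(features):
    """Revocation: pick a fresh random key and issue an unrelated template."""
    new_key = secrets.token_bytes(16)
    return new_key, enroll(features, new_key)
```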

5. Compatibility with operating systems and devices. Make sure any biometric system you are considering works with every operating system in your organization that will use it. The same goes for mobile devices such as tablets and cellphones.

6. Ease of management. When evaluating a biometric authentication system, make sure to pay particular attention to how easily the system can be managed using the management software provided to you by the vendor. It's particularly important to investigate how easily you can enroll large numbers of users into the system.

7. Integration with directory systems. It's advisable to consider if the system can integrate easily with Active Directory or any other LDAP directory system you use. If not, does it use its own directory system, and how practical would it be for you to use it?

Selected Vendors

Authentify offers an out-of-band authentication system that authenticates users via their smartphones. It employs voice recognition to match a user's voice with a template, and verification is performed against a phrase that is randomly generated to prevent the use of recorded samples.

BioID provides biometric authentication as a cloud-based service. It uses a desktop or laptop webcam or smartphone camera and microphone to carry out face- and voice-recognition authentication. The company's "live detection" technology detects blinking and other non-intentional movements to ensure that a real person (not a photograph) is presented to the camera. BioID also supplies the biometric component to Intel's SSO and McAfee's Cloud Identity Manager.

Daon's DaonEngine is a back-end authentication system which supports a wide range of biometrics through "SnapIns" – optional modules that enable authentication with different biometrics such as fingerprints, iris, voice, and palm patterns, using industry standard hardware and matching algorithms. Other modules supply functionality such as enrollment and performance analytics.

DigitalPersona's Pro Enterprise system is a complete multi-factor authentication system managed via Active Directory that supports conventional authentication tokens as well as face and voice recognition. For smaller companies, it also offers a cloud-based solution which offers fingerprint biometrics as well as smart cards.

M2SYS' Hybrid Biometric Platform supports fingerprint, finger vein, palm vein, and iris recognition using a range of hardware such as the Hitachi finger vein reader and the Fujitsu PalmSecure palm vein reader. It also supplies biometric middleware to enable the integration of its biometric platform into Windows and web software, and a product called Bio-SnapOn which allows its biometric authentication to be attached to any Windows or web application without any code-level development.

Plurilock's BioTracker uses behavioral biometrics – mouse movements and keystroke rhythms – to authenticate users as they log in with a user name and password. The software then continues to analyze these behavioral biometrics during the user's session to protect against situations in which a legitimate user logs on, but the session is then continued by an unauthorized user.

Precise Biometrics' Tactivo is a smart casing for Apple's iPhone and iPad mobile devices that incorporates a smart card and fingerprint reader. It enables a user's fingerprint to be matched against a template stored in a smartcard, allowing secure authentication to VPN connections into corporate networks, web based applications, and applications and data stored on the mobile device.

Realtime North America's Biolock authentication system is designed to bring biometric authentication to SAP, either to replace standard passwords or as part of a multifactor authentication system. The software works with off-the-shelf fingerprint readers from vendors like SecuGen, and allows administrators to configure the system so that users have to re-authenticate when carrying out specific activities such as fund transfers, or accessing restricted information.

Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.