In Depth

The Strong Authentication Battle

Tokens and biometrics are often used to replace insecure passwords. But these strong authentication systems are far from perfect.

By Simson Garfinkel

Page 3

Biometric Authentication

Biometric-based systems work best in environments that require physical access control. This is because the cost is at the authentication point, rather than with the individual being authenticated. Although biometrics generally require more training, most employees will find them easier to use. But there is a big caveat here: Some employees will not be able to enroll in a biometric system and will need to have a backup system.

Biometric authentication systems, such as fingerprint or iris readers, are becoming increasingly popular in applications that are especially vulnerable to fraud or abuse; after all, there's no way to share your fingerprint.

But biometrics are not foolproof. They don't offer the mathematical precision that comes with cryptographic keys or passwords. Just as each photograph you take of my face might be a little different, so is every scan of my fingerprint. As a result, biometric systems have complicated algorithms that take two measurements, and then try to determine whether the match is close enough. Unfortunately, there's no right answer.

Biometric systems are plagued by errors. Make the system tolerant of fuzzy matches, so that it accepts people whose hands are dirty from time to time, and you increase the chance that it will accept the wrong person, a figure known as the false acceptance rate (FAR). Make the system more picky, and you decrease the FAR but simultaneously increase the false rejection rate (FRR), the chance that it turns away the right person.

Biometrics are undemocratic: Some people can use them with ease, while others use them only with great difficulty, or sometimes not at all. Children, Asian women, and the elderly sometimes have problems with fingerprint readers because their fingerprints are too small or too fine. Some people lack hands altogether. These kinds of incidents contribute to the system's failure to enroll (FTE) rate. Other people can enroll in the system, but for whatever reason cannot get the system to verify their identity once it is on file. This is known as a failure to verify (FTV).

Biometrics is a young field with a profound lack of standardization; new and sometimes better biometrics are being developed every year. As a result, a CSO must evaluate the FAR, FRR, FTE and FTV rates of any proposed biometric system to see if its reliability is adequate for the proposed application. A system that has an FTE rate of 1 percent might be fine in an office with 500 people: The five individuals who can't enroll with the system could be given USB security tokens. But the same system would be inappropriate as the basis of a national identification system designed to certify the identities of 100 million people.
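The threshold trade-off and the FTE arithmetic described above, as an added example that is not part of the article: the match scores are constructed, not measured, and the functions, names and the "accept when score >= threshold" rule are assumptions for illustration.

```python
"""FAR/FRR trade-off of a biometric matcher as its decision threshold moves.

Added example, not from the article. The scores are constructed, not
measured: each is the similarity (0.0-1.0) a matcher reports between a
stored template and a fresh scan."""

# Constructed scores: "genuine" = same person rescanned (lower values stand for
# dirty or partial scans), "impostor" = a different person's finger.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.77, 0.74, 0.70, 0.66, 0.58]
IMPOSTOR_SCORES = [0.12, 0.20, 0.25, 0.31, 0.38, 0.44, 0.51, 0.57, 0.63, 0.69]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for the rule 'accept when score >= threshold'.

    FAR: share of impostor scans the system accepts (wrong person let in).
    FRR: share of genuine scans the system rejects (right person locked out).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FAR and FRR are closest (the equal error rate point).

    Every observed score is a candidate threshold; the one with the smallest
    |FAR - FRR| wins, and ties go to the lowest candidate.
    """
    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)
    return min(sorted(set(genuine) | set(impostor)), key=gap)


def expected_fallbacks(fte_rate, population):
    """People who cannot enroll and need a backup credential (e.g. a USB token)."""
    return round(fte_rate * population)


if __name__ == "__main__":
    for t in (0.50, 0.60, 0.66, 0.70, 0.80):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("equal error threshold:", equal_error_threshold())
    print("backup tokens for 500 staff at 1% FTE:", expected_fallbacks(0.01, 500))
    print("backup IDs for 100M people at 1% FTE:", expected_fallbacks(0.01, 100_000_000))
```

Raising the threshold drives FAR toward zero while FRR climbs, and the same 1 percent FTE that means five spare tokens for an office means a million people who cannot use a national scheme.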
