Are Biometrics the Key to Data Security?

Page 3 of 3

Embracing Standards
The lack of such standards and of interoperability across interfaces is one of the main reasons companies have not been embracing biometric data security solutions on a large scale. But since 9/11, this situation has been rapidly changing, in part due to the proliferation of governments embracing biometric security solutions. Indeed, standards for the interchange of biometric data are developing fast, and Bioscrypt's Dr. Soutar has worked toward making that happen. He served as vice chair for INCITS (The International Committee for Information Technology Standards) M1 advisory group, which has been instrumental in developing biometric standards for data interchange and common file formats, as well as application program interfaces.

Emergent standards and interoperability are crucial factors in making biometrics a viable data security solution. According to Bioscrypt's Bogart, "We have designed our technology to be sensor-independent. So, irrespective of the sensors you are using across an enterprise, we can speak to those different sensors so you can use one enrollment again and not be encumbered by having to go out and buy any particular hardware." 

Chevalier makes similar claims about CryptoMetrics' interoperability capacity, stating that "we are an end-to-end infrastructure asset protection company, meaning [we] don't just deal with data files on the laptop." CryptoMetrics protects application access, be it on the laptop or the network; web-based access; and VPN (virtual private network) access using biometric authentication. He also says that the solution works on any device. "You can give us a biometric mouse, biometric keyboard, wireless device, and we will run on that." 

Bioscrypt's VeriSoft Access Manager allows companies to consolidate user identities and replace passwords, and interoperability is important to its success. As Dr. Soutar explains, "If you're doing an enterprise-wide deployment, the last thing you want to do is re-enroll an individual every time they encounter a different sensor because their laptop may have a different sensor than the front door. You want an algorithm that ties all those things together, and that's one of the areas we focus on. A second area we focus on is working very actively with emerging standards [and] demonstrating that we can provide interoperability, not only with our own products across different sensors, but also with other vendors' products."

Chevalier explains that "95% of the population that uses Microsoft Windows has an inherently available file encryption routine called EFS (Encrypted File Services), therefore, I don't have to disrupt any user base. I can move that private key through our software to the biometric device without going through any other file encryption technology." 

Biometric Bottom Line 
Ultimately, what you get with biometrics boils down to convenience and cost effectiveness, with security being the icing on the proverbial cake. As standards emerge and biometric encryption techniques become ubiquitous, biometric security will become more prevalent, gradually replacing outdated password systems. As Dr. Soutar explains, "You can fairly easily and for low cost have a good password system, but it just really won't be secure. People use the same passwords for everything and they'll be very simplistic passwords. As soon as the administrators enforce some of the rules they're meant to, where you have all sorts of characters in the passwords, of course people can't remember them. So they write them down and then you get security breaches."

As far as Dr. Soutar is concerned, the attraction of a biometric solution for data security lies "in terms of having a system whereby you can get easy and quick authentication and access to rights and privileges but don't have to use passwords that can be easily hacked." CryptoMetrics' Chevalier agrees, but adds, "The promise of biometrics—greater assurance that the individual accessing data is the person they claimed to be and is authorized to do so—can only be realized by eliminating the ability to circumvent that protection at the password level by securing a private key."

Companies Featured

Bioscrypt, Inc.

CryptoMetrics, Inc.
