Wednesday, March 15, 2006

Biometric Security - the Rube Goldberg Device of Password Entry

Yesterday I helped a friend set up a new laptop with a fingerprint reader, and today Walt Mossberg expounded on the subject in his column. While I think that biometrics are truly a great convenience, it is my opinion that they don't offer any greater security, especially on the web, and here's why.

Consider what happens when your fingerprint reader fails. What about when you take your laptop on a business trip and don't bring along your external fingerprint reader? Or better yet, how do you log in to corporate e-mail from home?

Because biometric devices are not a de facto standard on most computers, even computers that use them still need to accept standard passwords. This means that those passwords are still vulnerable to cracking. This is doubly true for the web because, for the most part, biometric password utilities that allow you to 'web login' with biometrics simply store your username and password and then send them to the web site when you swipe your finger. While this might help protect you against keystroke-logging software, it will not protect you against someone sniffing your network connection or against someone trying to crack passwords on a web site.

Bottom line: the only real benefit to biometric security comes when it is the ONLY method of logging in. Until that day comes, the only real use I can see for it is encrypting files on your computer, and as a convenience that saves you from having to type in those 8-10 characters in your password.
