Now that the U.S. government has announced it is using fingerprint readers to authenticate foreign visitors, it's time to revisit the use of this technology for securing laptop and handheld computers.
One advantage to fingerprint readers, or biometrics in general, is that there are no passwords to forget or cards to lose. On the other hand, keys, cards and passwords can all be easily replaced if lost or compromised, but if a fingerprint were to be virtualized, there is no practical way to replace it. Fingerprint readers also present reliability problems.
While passwords are the most common—yet least secure—method of securing PCs, smart cards are also becoming more common. One advantage to smart cards is their versatility—in addition to securing your PC, they can also be used to access corporate facilities or networks, and even as a corporate charge card (though I'm not aware of anyone doing all of that with a single card yet). Although quite common in the European Union, smart cards have not completely caught on in the United States.
One of the biggest problems with securing a laptop or a handheld computer has been that, regardless of the security, the data remains relatively vulnerable to physical attack. By simply removing the hard drive and placing it in another system, anyone can access the data in your computer. Drives can be encrypted, but this can dramatically decrease performance.
This is where the Trusted Computing Group comes in. The group—made up of hardware OEMs from around the world, chip companies and Microsoft Corp.—has developed a specification to secure data properly on a laptop computer—a method that could also be applied to a handheld device.
Another element of the Trusted Computing specification is the establishment of a trust relationship between computers. This is not only critical for accessing sensitive corporate or government information online, but also for patches and e-commerce transactions. For instance, IBM's Linux group maintains that this component is essential to ensure that only IBM customers receive legitimate patches from IBM's own trusted servers. For devices outside the firewall, this trust relationship will be one of the most critical aspects of a secure mobile enterprise.
The problem with the Trusted Computing specification is that it doesn't specify user authentication, and (without a decent lock) even the most solidly built safe is not secure enough.
But, if we were to combine a fingerprint reader with the Trusted Computing technology, we would have a secure repository to store our sensitive information, the ability for a solid trust relationship with a Web-based service, and a key that is both easy to use and very difficult to duplicate.
Given the recent adoption of fingerprint readers by the U.S. government and the availability of biometric technologies, perhaps now is the time that large enterprises and governments should start building these requirements into specifications for portable devices (and even desktop PCs).
To date, companies like Acer and NEC have been the most aggressive with fingerprint readers, with IBM and HP leading the pack on Trusted Computing specifications. But the vendor that can address both will undoubtedly have an advantage going forward, as will the IT executives who successfully implement these technologies.