Fujitsu recently launched a biometric authentication technology which it claims can identify one individual out of data from a million people. Taking under two seconds to complete both fingerprint and palm vein recognition the system appears largely foolproof. But do we really need this level of biometrics?
Biometric authentication is undoubtedly a growing area of our industry, and advances like this are to be applauded. However, we must remember that authentication at this level is unlikely to be adopted on a mass-market scale, so innovations like this one will probably never directly affect many of us. The reason for this is simple: all authentication must be risk-appropriate.
In layman’s terms, this simply means that the greater the sensitivity of the data or network you are trying to protect, the stronger your authentication scheme needs to be. There are two key factors in this, and the first is cost. Just as no one in their right mind would pay $1,000 to insure a car which is worth only $500, no business is likely to spend more on authentication technology than what it could potentially stand to lose through a security breach. When the stakes are high, such as in border security, for example, biometric technologies such as fingerprint and palm recognition have a vital role to play. But in the case of a salesperson remotely accessing CRM or email, where the risk is much lower, a one-time password (OTP) is probably sufficient. Compared to the weakness of username and password, OTP is a good step toward stronger authentication.
The second crucial factor is usability. Usability and security are always a delicate balancing act for CIOs, who have to decide at which point increased security may start to discourage end users from choosing to access data or networks in the first place. Again, in many cases, OTP may be the only requirement, but as the data in question becomes more sensitive then security of the data becomes the top concern. Technologies like certificate based identity (i.e., smart card and PKI) provide a much stronger way of securing data, but take a little more effort to implement and manage. Microsoft has done a lot of work to integrate this technology into its current server and gateway offerings which makes the implementation and management much easier.
So while you may see Fujitsu’s new biometric technology coming to an airport near you in the not-too-distant future, it’s unlikely you’ll find it on your desktop!