Making Money From Biometrics
Biometrics, the ability to tie logins and access to a computer to particular characteristics of the user, such as fingerprints or retinal patterns, is on the rise due to several factors. First, as the laptop becomes the main desktop computer for many knowledge workers, and as those workers become more mobile, the possibility of theft increases. Biometric measures can easily secure the entire laptop from unauthorized users. Second, the number of different passwords required has proliferated, and both users and corporations have a harder time keeping track of network login identities. Fingerprint scanners and other devices can simplify and obviate the need for passwords. Third, using encryption has always been difficult, especially managing the public and private keys that are popular on many public key systems; biometrics simplifies much of this as well. Finally, corporations want to better account for and control their computing assets, and biometrics provide a solid and safe method for doing so.
Biometrics is a growing business. Last year, New York-based International Biometric Group (IBG) estimated the entire market at more than $520 million. And the analyst firm projects revenue to double by 2003, with better than 20 percent annual growth rates, most of it coming from integration services.
"New service models will leverage a burgeoning biometric infrastructure comprised of finger-scan readers, telephones, signature tablets and video cameras," says Raj Nanavati, founding partner of IBG.
Biometric device vendors are numerous, including Keytronics, Keyware, Motorola, Nuance, Polaroid, SecuGen, Targus, Veritel and Visionics. But perhaps the most intriguing use of technology has been made by IBM, which developed both an embedded security subsystem and secure-client software in its latest round of PCs, including several NetVista and ThinkPad models. "It's cheap, it's easy and it's available in over 3 million units that have shipped so far," says Clain Anderson, program director for client security at the Personal Systems Group for IBM.
The embedded security subsystem is a small custom chip that IBM adds to the motherboard of its systems. The chip provides hardware-based protection of critical security information, including passwords, encryption keys and other electronic credentials. It works in conjunction with a variety of security-aware software applications and other add-on hardware devices, such as a finger scanner from Targus called the Defcon Authenticator. The device comes in both PC-card (roughly $120) and USB-attached versions (roughly $200).
"It is a real competitive differentiator for IBM," says Travis Hartman, director of enterprise security practice for CompuCom, a Dallas integrator. "Other vendors will have to license the IBM chip and design their own security systems." IBM's solution is the first implementation of the Trusted Computing Platform Alliance specifications (see "Trusted Computing," below). "Recently, the TCPA adopted IBM's embedded security chip as the industry standard. IBM is currently the only PC vendor shipping with hardware security protection," Anderson says.
Hartman thinks IBM is ahead of what Microsoft is trying to attempt with its Palladium measures. "The security chip is already inside ThinkPads and getting used," he says. Anderson also differentiates between the two companies' security efforts. "Palladium was designed from the ground up to solve the digital-rights management problem," he says. "The design that IBM has, and the design that has been adopted as industry standard by the TCPA, was actually designed from the other direction, to protect the individual rights of users and to make sure that the bad guys and hackers stay out."
An application example is the IBM security chip combined with the Targus scanner and software. The scanner uses a sensor that sends a small electrical signal through the skin and captures the digital pattern generated. It differs from optical methods that scan actual skin patterns. The difference is important because people wearing artificial fingers that duplicate fingerprint patterns can defeat optical scanners.
The Defcon product can be configured so that multiple users who share a machine can have different login identities, as well as support for different accounts and network identities. It has a password "vault" feature that stores passwords for various Web sites. It can also be used to encrypt files using a key based on the finger scan.
"We have found IBM's client security to be a very popular feature," Hartman says. "There is no performance degradation, and it does all the encryption on the fly."
Hartman is particularly interested in using the security chip to strengthen the built-in encrypted file systems available in Windows 2000 and XP. "The encrypted file system is very easy to defeat: all you need is a specialized boot floppy," he says. "But with the IBM security system, this is much more difficult and, as a result, more secure."
The big asset for IBM's solution, and a big draw for integrators, is the client software pieces that work in conjunction with the hardware chip.
"There's a great deal of granularity with the software. You can digitally sign e-mail, store various passwords and provide a different degree of authentication depending on the client and the application," Hartman says. "IBM is clearly taking the right steps toward better security. No one else has come out with a production version that's even close."
Biometrics are gaining ground, and more pilot projects are popping up. "The results of our pilot project confirmed we can provide increased convenience for our employees, while securing our networks and gaining a number of other organizational benefits," says Victor Pigoga, director of data/voice communications for Blue Cross/Blue Shield of Rhode Island. The health-care organization put SecuGen's fingerprint scanners on several hundred employees' desktops and integrated them into their Novell corporate network. That is just the coming wave of other integration projects that will incorporate biometric devices into corporate networks.