A NEW generation of James Bond-style
technology, called biometric authentication, is set to make portable computers
and the internet more secure.
Britain's spy agencies, embarrassed by revelations
that laptop computers belonging to MI5 and MI6 have gone missing, claim the
data on their laptops is securely scrambled, or encrypted. Similar techniques
are now available to the business user.
Mich Kabay, computer security expert at Californian consultant Adario, says
there are two key elements to consider in tackling security: authentication,
checking a person is who he or she purports to be, and encryption, to ensure
that unauthorised people cannot read confidential data.
"Identification and authentication are quite distinct from encryption. They
are separate functions, but for encryption to work properly it needs proper
identification and authentication," says Kabay. Biometric authentication involves
measuring a bodily characteristic of a person, such as a fingerprint, or the
pattern of the retina, to check if he or she is authorised to use the computer,
rather than simply relying on a password to control access. The approach is
superior because, unlike passwords, fingerprints and the like cannot be lost,
stolen, or forgotten.
US security company Identix, which has for years supplied fingerprint scanners
to protect nuclear power plants and bank vaults, will this month launch a miniature
reader small enough for a portable computer. The device, called BioTouch, will
come on a standard PC card which slots inside most laptops. "If you just press
the edge of the card, it zooms out, very much like your CD drive," says Neil
Rowlands, Identix's European director. "Out comes the fingerprint reader, you
place your finger on it, you perform the verification to identify who you are
and the computer either allows you in or it does not. Then you push it again
and it disappears back inside the computer."
Rowlands says that, at its most secure setting, the scanner and its software,
costing about £150, can prevent the laptop being used or the data on it being
read, even if the BioTouch card is removed by the thief after a computer has
been snatched. "If someone stole your laptop and removed the card, they basically
wouldn't be able to start it or do anything with it. Then it would require some
determination to remove the hard drive and try to get down to some low-level
analysis of it," says Rowlands.
"Even then, we have some techniques to prevent that. We have another application
that allows you to set up a folder in which you can put any confidential document,
so that when you shut your computer down, all the contents of that folder will
be automatically encrypted. "When you start up again, providing the correct
fingerprint is used, it will automatically decrypt those files."
Rowlands says Identix does not supply the encryption software, but leaves the
user free to choose his or her own encryption scheme to use in conjunction with
The biometric technology can also be applied to the wider security of e-commerce
transactions on the Net. "I'm not sure of the time it would take for it to become
accepted, but certainly in applications like home banking, with a limited number
of users in a well- defined transaction, it would be quite straightforward to
implement and would offer both the user and the corresponding bank a much higher
level of security than they get today with just a password," Rowlands says.
Graham Cluley, spokesman for security and anti-virus software company Sophos,
recommends that users encrypt their entire hard disk to avoid leaving insecure
copies of files available: "If you just selectively say 'here is my file, I
will encrypt that', you may not realise the computer stores temporary versions
somewhere else, so that is an advantage of encrypting everything."
He says that, as the popularity of portables increases, security is becoming
a bigger concern: "This is going to become an increasing problem because computers
are getting so much smaller, so much more powerful and everyone has a laptop
in their briefcase these days." He says the use of encryption is on the increase:
"We certainly see that a lot of banks and financial institutions and military
organisations are interested in this kind of protection."
Kabay is not impressed with corporate attitudes to security: "I am still appalled
by the degree of ignorance. There is a very primitive response in terms of security."
He argues that it is wise to encrypt all sensitive data, whether it is on a
laptop or not. "The consequences for my professional reputation and that of
my employer were any confidential information to be posted on the Net, or distributed,
or sent to a client, would be catastrophic. So in my office, not only do I encrypt
the confidential data on my portable computer but my main computer, my tower
system, is identically encrypted," he says.
Kabay strongly supports using biometric authentication: "Privacy advocates
frequently get confused by this technology and they think people are storing
images of the face or storing your fingerprints, but that is not at all the
"There are coded parameters about the biometric phenomenon, but they are one-way
encrypted. That means you can check to see if what you are reading matches what
was encrypted. But you can't go backwards, you can't take the encrypted data
and regenerate a picture of the person."
DK Matai, managing director of security software specialist mi2g, says
biometric authentication is rapidly becoming accepted as part of normal security
measures. "Microsoft Windows 2000 is the first Microsoft
operating system that comes with biometric security support, so that shows that
the major, mainstream operating system suppliers are waking up to biometric
security in a big way," he says.
Matai says the company has found that senior managers tend to have passwords
for their entire organisation on their laptops, with the belief that their own
laptop will not come to harm. "In the case of a major
European internet service provider, a whole raft of e-mail addresses had to
be changed about two months ago because one of the laptops which was carrying
the passwords fell into the wrong hands," he says.
"What we feel is going to happen in the not too distant
future is that people will rely on a triple model of security, which will be
password, plus biometric security, plus something that they carry, like a smart
card. It is going to become increasingly necessary to validate the password
that you type in," he adds.