In a survey of IT decision-makers conducted by Forrester Research Inc., 13 per cent of respondents said they predicted their companies will be using biometrics by the end of 2005 (please see Most firms shy away from biometrics, page 17). The majority said they would be relying on “strong password policies” to control network access. You’ve probably read, or even formulated, disseminated and enforced, the type of strong password policy Forrester is talking about. Don’t use the name of a close relative. Don’t use words that can be found in the dictionary. Use something that would be impossible for someone who knows you well to guess. Oh, and by the way, don’t write it down. This is wishful thinking, considering more than one in four respondents to a recent AT&T Global Services study said they wrote their passwords down (see Converged networks give IT administrators security concerns, page 10).
The unwritten rule for IT departments is to establish a procedure to allow workers who forget their passwords to restore them quickly.
Biometrics is not a silver bullet for IT security. The readers cost money and can result in false positives, and biometrics alone does not address the issue of security breaches caused by careless or malicious insiders. There are alternatives to biometrics, such as public key infrastructure cards, that address the weaknesses of passwords. But it’s the perception that fingerprint readers are somehow an invasion of privacy that seems to discourage their use.
Smart cards are more likely to be lost or stolen than fingers, and the only way to overcome a properly-functioning biometric security system is to kidnap someone with legitimate access. But people seem fixated on the notion that somehow the recording of their fingerprints will lead to a totalitarian system in which everyone is under constant surveillance. If you want something to worry about, think about the banks, insurance companies and clinics that rely on passwords alone to protect your financial and health records.