BOSTON (05/23/2000) - A few weeks ago, Network World Fusion offered a discussion of biometrics featuring Samir Nanavati of the International Biometric Group and Barry Steinhardt of the American Civil Liberties Union. The central question posed during the forum asked if using biometrics for authentication is an invasion of privacy.
That's akin to asking if requiring passwords, or any secure authentication method, is an unethical restriction on the freedom of movement.
Network security involves restricting access to data and services so only authorized people can get to them. This can be done by having a person identify himself either as an individual, a member of an authorized group (such as technical support), or the holder of an authorized role (such as a human resources clerk). Since there are dishonest people in the world, we ask people to prove their identity, their membership in the group or their authority to use the role.
Authorization takes the form of one or more of three general areas: what you know (password); what you have (smart card); or who you are (biometric).
Passwords are frequently written down and left in insecure places. Smart cards are easily misplaced or forgotten. But biometrics you always have with you.
Biometrics, in combination with either passwords or smart cards, or both, provides the strongest security for your network.
The biometric data stored in your directory service can't be used to identify an unknown person. The data collected for, say, a fingerprint is at the same time far less and far more than the data collected when you press your fingerprint onto a card at the police station. Biometric fingerprint devices collect a handful of metrics on the design of the fingerprint, but also collect data on the temperature, pressure and other properties, making it nearly impossible to provide a false identity. Pictures don't work. Wax fingers don't work. Fingers cut from a dead body don't work.
On the other hand, the data collected by itself is often poor at identifying an unknown fingerprint. It's only when asserting identity and confirming it through the use of a biometric that the system works.
There is absolutely no privacy issue involved, and the sooner we leave this false argument behind the better off our networks will be. And the better off the privacy of our personal data will be.
Kearns, a former network administrator, is a freelance writer and consultant in Austin, Texas. He can be reached at firstname.lastname@example.org.