GPSolo Magazine - December 2005
Biometric Devices: Ready for the Solo?
Let me begin with a disclaimer: I love gadgets. I play with the latest technology a lot: I fiddle. I ooh! I ahh! But that doesn’t translate into “I use it in my practice.” I practice mostly by myself (I have a partner who is a Luddite) and am reasonably automated, meaning I won’t spend 20 hours perfecting some automation to save ten minutes.
Now, the gadget nerd in me admits that biometric devices are neat. These are devices used to identify people based upon some biological trait. Typical examples include fingerprint readers, facial, iris, and voice recognizers, stress meters, and the like.
I have worked with many inventors doing such cool stuff as finding pathogens in blood using a computer that automatically recognizes the pathogen’s shape and counts them in a known volume. But this stuff is well beyond what I am prepared to recommend to solos or small firms yet.
The government and credit providers see biometrics as the ultimate in security, if only they could get it to work cheaply and reliably. So far, it has not been widely adopted for these purposes. Homeland security wants reliable facial recognition available at choke points such as airports and bus stations, but these devices so far have not seen any likely application in the solo and small firm setting. They will become ubiquitous and cheap, but we aren’t there yet.
Fingerprint recognizers for computers are ubiquitous and cheap, on the order of $40 to $60. You simply attach one of these little gizmos through a USB port and train it to recognize your fingerprint. Well, you better make that at least two of your fingerprints—you might find yourself locked out if you’ve cut a finger unless you have a “backup finger.” (What a concept!) The device will let only you log onto your computer or a particular website.
How does it work? When you put your finger on the reader, it looks at your fingerprint and compares it with what it has on record. Because every time you put your finger on the reader you don’t do so identically, it compares a number of regions (“points”) and determines whether enough points match between the stored image and the image presented to the reader.
How many points of comparison are enough? It depends on how stringent you want to be. Use too many points, and you will have to bear with false negatives: Even though it’s your finger, the device doesn’t find enough matching points to let you in. You may need to put your finger in again and hope the positioning is closer to what’s on file. Use too few points of comparison, however, and you run the risk of false positives: Someone else’s fingerprint is close enough to yours (based on the limited number of points of comparison you have chosen) to be let into your computer. False negatives are annoying. False positives are dangerous.
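To make that trade-off concrete, here is an added illustrative example (not from the article or from any vendor's product): a toy minutiae matcher with a constructed eight-point stored template, where the number of matching points required is the only knob, and the false-negative and false-positive rates are estimated over simulated placements of the owner's finger and of unrelated fingers. All point coordinates and tolerances are invented for the illustration.

```python
import math
import random

# Constructed 8-point stored template: (x, y, ridge angle in degrees). Invented data.
TEMPLATE = [(12, 40, 30), (55, 22, 95), (80, 70, 200), (33, 88, 310),
            (61, 51, 15), (95, 30, 120), (20, 65, 250), (75, 10, 80)]

def count_matching_points(stored, presented, dist_tol=4.0, angle_tol=15.0):
    """Count stored points that have a presented point within position and
    angle tolerance. Each presented point may be claimed at most once."""
    used, matches = set(), 0
    for sx, sy, sa in stored:
        for i, (px, py, pa) in enumerate(presented):
            if i in used:
                continue
            close = math.hypot(sx - px, sy - py) <= dist_tol
            aligned = abs((sa - pa + 180) % 360 - 180) <= angle_tol  # wraps at 360
            if close and aligned:
                used.add(i)
                matches += 1
                break
    return matches

def accept(stored, presented, required_points):
    """The reader's decision: are enough points matching?"""
    return count_matching_points(stored, presented) >= required_points

def same_finger(rng, jitter=3.0):
    """The owner's finger, placed slightly differently each time."""
    return [(x + rng.uniform(-jitter, jitter), y + rng.uniform(-jitter, jitter),
             a + rng.uniform(-10, 10)) for x, y, a in TEMPLATE]

def other_finger(rng, n=8):
    """Somebody else's finger: unrelated points in the same sensor area."""
    return [(rng.uniform(0, 100), rng.uniform(0, 100), rng.uniform(0, 360))
            for _ in range(n)]

def error_rates(required_points, trials=200, seed=7):
    """(false negative rate, false positive rate) for one threshold. The fixed
    seed means every threshold is judged on the same simulated placements."""
    rng = random.Random(seed)
    fn = sum(not accept(TEMPLATE, same_finger(rng), required_points) for _ in range(trials))
    fp = sum(accept(TEMPLATE, other_finger(rng), required_points) for _ in range(trials))
    return fn / trials, fp / trials

if __name__ == "__main__":
    for k in range(1, 9):  # raising the bar trades false positives for false negatives
        fnr, fpr = error_rates(k)
        print(f"{k} points required: false negatives {fnr:.1%}, false positives {fpr:.1%}")
```

Run it and watch the two columns move in opposite directions as the required point count rises; a real reader's threshold sits wherever the vendor decided that balance should be.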
Let us be clear here: What these fingerprint readers do is to recognize your fingerprint (more on this later) and then serve up whatever log-on info is needed to get into your computer or some website. They do not replace the log-on; they are merely a convenience. You still need the password and log-on ID. So there is always a backup to let you log on to a computer or a site: enter your ID and password.
Hey, I’m into convenience. So what’s the problem here? Why don’t I like these things? The problem is that biometric devices provide an alternative entry path, so they do not enhance security, they compromise it. If someone can fake your fingerprint, they can get in.
Can faking and fooling a fingerprint reader be done? Not a real problem, apparently. Tsutomu Matsumoto managed to do it in 2002 using Gummy Bears to hold latent prints. In some cases, merely breathing on the reader was enough to raise a latent image that was read as the real thing. Lifting a print using alpha-cyanoacrylate glue (Crazy Glue) seemed to have some success as well. If you really want to know more about this, go to www.extremetech.com/article2/0%2C1697%2C13919%2C00.asp and read the paper.
To be fair, the vendors of these devices warn that they are not security devices, nor should they be used in high-security applications. For example, Microsoft says in its fingerprint reader documentation:
The biometric (fingerprint reader) feature in this device is not a security feature and is intended to be used for convenience only. It should not be used to access corporate networks or protect sensitive data, such as financial information. Instead, you should protect your sensitive data with another method, such as a strong password that you either memorize or store in a physically secure place.
It is not clear whether more expensive biometric devices are more immune to these problems, but then if they are so much more expensive, are they really useful to a solo or small firm? It seems more practical simply to start taking your passwords seriously—make sure they are “strong” (i.e., containing letters, numbers, and punctuation), change them frequently, and exercise some caution about where you keep your written copies. (Note to self: Erase my passwords from inside my desk drawer.) If you want convenience, try using AI Roboform (www.roboform.com), a $29 award-winning program that is itself password protected, but which, after you have logged in, will automatically serve up log-on information you have provided and thus perform the same convenience function as the fingerprint reader—with greater security and taking up zero real estate on your desk.
Daniel S. Coolidge is a recovering large-firm lawyer, now a patent attorney with Coolidge & Graves, PLLC, in Keene, New Hampshire. He can be reached at firstname.lastname@example.org.