Give Social Networking the Finger
Fingerprint authentication isn't just for security anymore. Authentec makes fingerprint sensors for enterprise computers, and their main clients have until recently been the military or any company that really needs to keep its laptops secure.
In my last post about Authentec, I swooned about how they go the extra mile to protect you from finger-truncating impersonators and eyeball-gouging identity thieves. (The company doesn’t simply use a picture of the top layer of the skin; it uses radio frequencies to measure the valleys and ridges of the fingerprint beneath the outer layer of skin, or within the live layer. Because they’re measuring these RF fields within that live layer, a finger that has been separated from its owner won’t work in setting up that first RF field when a user contacts the sensor. Without the attached owner, there's no pattern and the finger is no good.)
Today, Authentec announced that they’re putting those military-grade fingerprint sensors into netbooks. Nothing says top secret like a fluffy little netbook, right? It’s the king of consumer-only applications, a cross between a lightweight laptop and an big-screen iPhone.
Here’s where the fingerprint sensor goes to work for consumer netbooks. Instead of protecting your identity a la The Bourne Identity or Angels & Demons, in your netbook the sensors take on a completely different capacity. They're putting your fingerprints to work for more mundane tasks.
It’s not just the one fingerprint that distinuishes you. The sensor easily differentiates among your ten fingerprints. Their software (called TrueSuite) lets you assign different fingers to different functions, including accessing facebook or twitter accounts, or your email. The program is even able to condense processes that would normally take multiple steps into the swipe of a single finger.
For example, say you want to log into your facebook account. Normally, you wake up your sleeping, locked laptop, type in your OS's password, open your browser, navigate to facebook, and type in your username and password.
With the fingerprint sensor, you skip 4 of those 5 steps. Instead of doing any of the above, you swipe your designated finger. The software reads your finger, and takes care of the rest. You set how it reacts to the swipe of your ten fingers: open gmail, facebook, twitter, flickr, picasa--all you have to remember is what job you gave which finger.
Authentec is also working on the LED lights that surround the sensor, which glow when giving you a notification. Normally these would have limited use; i.e., if you swipe the wrong finger or you’re the wrong person, you'd get a red blinking light, if you did it right you'd get a green light. But the Authentec people devised a few new uses for these LEDs. You can set your own colors the same way you set the actions for your fingers.
Say you’re taking some time out of your busy schedule for an important episode of Walker: Texas Ranger. Your laptop has long since gone to sleep and locked itself. To find out if you have mail, you’d normally have to stand up (all the way!), walk across the room (nooo...) and wake up and unlock your computer. That could take up to 10 seconds! But, with this app, you can glance across the room and see that you have a red flashing LED, which means there is a message waiting from your boss, or a blue flashing light indicating a note from your mother. Granted, you still have to move the muscles that control eyeball directionality, but there’s no such thing as a free lunch.
This is probably the best thing that could have happened to fingerprints. I think it’s not such a bad idea to take fingerprint authentication out of highly secure environments and repurpose it for more mundane applications. Fingerprints will become almost meaningless as a security measure within less than 20 years.
The two main things that will undermine security at every turn:
1) Poor adminstration. Read this slashdot post to understand-- biometrics are just databases, and databases need to be securely and competently administered.
It's too difficult to manage a 2000 or even 200 member authentication database. The simplest administration is just not done because it is tedious or takes too much time. ... You have the human being that lets everyone into the building, security guards that think you work there because they've seen you before, meeting rooms filled with all-open network connections and a bunch of people that write down their password on a sticky note, even if it's as simple as their husband's name, brand of monitor or keyboard or something else.
2) Time. The younger you start the less secure your fingerprints will inherently become: "Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats." Slashdotter Kadin2048 commented that
The fact that you can't change your fingerprints is a real problem if they start to use biometric systems for authentication. Particularly since there are biometric-ID systems used by children: in my area, they're currently testing and preparing to roll out a school-lunch system that uses fingerprints (it's a debit system -- no more stolen lunch money, and no way to tell who's on the subsidized lunch program or not). When you start using biometrics that young, you have a long time for them to possibly get compromised and spoofed.
The fingerprints you have, you own for life: so any system has to be built on the assumption that they will be compromised. In particular, future systems should be built knowing that people are going to come in who've already had all 10 fingerprints compromised already. The solution isn't to just come up with more biometric identifiers to use as secrets, the solution is to not use them as secrets at all.