Vying for our attention are two major groupings of technologies: asymmetric or public cryptography, which is the mathematical relation between two numbers, and biometrics, which is the mathematical representation of a piece of human physiology. Both are practicable, but in a straight-up shoot-out, biometrics is more inline with classic examples of signatures. However, the ever-increasing risks inherent in this digital age may force us to lean heavily toward public cryptography.

Although there are many types of biometrics, a person has but one or two biometric e-signatures. Take thumbprints, for example. The mathematical representation or template of your thumbprint is unique. If your biometric technology of choice is defeated, you've lost sole possession of that template and can never safely use your thumbprint again with that specific biometric technology. But worse yet, that template had become a unique identifier tying together your entire electronic life. As far as privacy concerns go, this is a serious one. The only biometric technology that seems to break free of this pattern is the handwriting-geometry technology. With handwriting geometry, my template will be different if I cross my "t" and end my "z" with an outward stroke as opposed to curling up the stroke from the "z" and crossing the "t" in a single motion. So even if this technology is defeated, I can easily supply a new template.

Another issue is the need for third-party authentication, which is essential for most biometric technologies. Your biometric template must be stored on a server out of your control. If that server is compromised, your template may be compromised, too.

Public-key cryptography paints a different picture. The math behind it is independent of any aspect of the person using it. To find out who's behind an e-signature, you have to issue a request to a third-party authenticator. The request is handled via digital-certificate (X.509 or PGP) technology. But, unlike biometrics, if the third-party authenticator is compromised, it does not put digital-certificate users directly at risk. Public-key cryptography also differs from biometrics in that a person can have as many key pairs, authenticated in as many certificates, as he or she wishes--and the loss of one private key will not have an impact on the use of other key pairs. However, the process for third-party authentication (identity proofing) and private-key protection for a public-key owner might be too complex for some uses. In the long run, the less seriousness of the risks associated with losing the private key and other associated privacy issues make public-key cryptography the more desirable technology for e-signatures.

Biometrics does have a niche in a complete e-signature system. And in some cases, biometrics can simplify identity-proofing to the public-key, third-party authenticator. Biometrics also can be a strong replacement for PINs used to access private keys. Maybe a hybrid is the best solution. After all, hybrid systems are always stronger than purebred systems; Mendel taught us that.

Robert Moskowitz is a senior technical director at ICSA. Send your comments on this column to him at rgm@htt-consult.com