As with any authentication system, users must be enrolled first. Many biometric systems let users self-enroll. They authenticate to the local computer or to a directory and then enroll with the biometric. Unfortunately, if you are using biometrics to strengthen authentication but you rely on user names and passwords during the initial identification and authentication process, you haven't made any security gains. Monitored enrollment prevents this scenario but takes more time.
After enrollment, consider where the authentication information will be stored. Biometric systems that store data on the local machine can authenticate a user to that machine only. For larger deployments and for better management, look for a system that uses centralized storage. If the biometric software is deployed on all relevant systems, users can enroll once and have access everywhere.
For backup, multiple means of authentication should be recorded. Some devices let you enroll multiple biometrics--such as all the fingers on the right hand--for a single user. If something happens to one finger, a cut across the finger pad for example, the user can use another finger to authenticate without having to re-enroll.
In all cases, you will have to use hardware and software from a single biometric vendor: Interoperability is nonexistent in biometric authentication, despite the BioAPI Consortium's rallying to provide a standardized API for biometric integration. Authentication-management applications, such as Novell's NMAS and Secure Computing's SafeWord PremierAccess, which tie together biometric and nonbiometric authentication strategies for directory logins, are available, however.
Application integration is still based on individual partnerships, so it is important to ensure the device you choose supports your applications or that the vendor is willing to develop the integration for you. Integration usually takes place on the desktop or server using a Unix PAM (Plugable Authentication Module), a Windows GINA (Graphical Identification and Authentication) or a Novell eDirectory LCM (Login Client Module). As long as a user name-password pair is cached, your login credentials are used to log in to other applications. If your applications require a separate login, expect to do some developing.
Biometrics alone shouldn't be used for access to highly confidential data unless you've thoroughly tested the technology. If your goal is strong authentication, more proven technologies--hardware and software tokens and passwords--work well. And despite a recent decrease in the cost of biometric devices, these old standbys are usually a better deal. But if your goal is ease of use and reasonably strong authentication, biometric technology might be for you.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®. Write to him at mfratto@nwc.com.
REPORTS
Analyize In-Line NAC strategies and products.
ANALYTICS Plan and design your enterprise blade server deployments
InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
REPORTS
ANALYTICS
Follow 
