Notebook computers are a systems security manager’s nightmare — and with good reason. Every day, thousands of notebooks venture outside the secure gates of agency offices, most carrying sensitive government data or providing a pipeline directly into federal servers. And while the news reports the few high-profile losses — nuclear secrets, and hundreds or thousands of stolen Social Security numbers — many more notebooks disappear every day, never to be seen again.
Of the tools available to keep data safe on notebooks, biometric fingerprint scanners are among the newest and possibly the least understood. Though a valuable security asset, fingerprint scanners should be viewed as just one component of a three-part security approach, says Shab Madina, Hewlett-Packard’s worldwide product manager for business notebooks and an expert on notebook security.
This security triangle consists of “what you know,” i.e., your passwords; “what you have,” typically a smart card (or HSPD-12 card in the government); and finally, “who you are,” your physical identification, as recorded by the fingerprint reader in your notebook. Depending on the level of security needed, an information technology manager might require the use of one or all three.
How They Work
Nearly all fingerprint readers in notebooks consist of a thin gold-colored bar, about half an inch long, typically located on the palm rest.
When you swipe your finger across the bar, the scanner registers the valleys and ridges that make up your fingerprint. The resulting image is then analyzed and converted into a template — a sort of numerical map representing the location of distinguishing features (minutiae) in your fingerprint.
The more points on the map, the more accurate and secure the scan. A complete image of your fingerprint is never retained in the notebook. The swiping action also makes bar scanners more secure than the older pad scanners — pressing your finger on a static pad can leave a recoverable fingerprint.
The first time you use a notebook’s fingerprint scanner, the newly created template is linked to your user identification. Thereafter, each time you swipe your finger the system creates a temporary template and compares it against the stored template. Get a match, and you’re in.
Many scanners have the ability to learn more about your fingerprint with each swipe, making them better able over time to read off-angle swipes and a wider range of swipe speeds, says Toshiba product manager Craig Marking.
Protection Plus Convenience
All notebooks with fingerprint scanners also include security management software. Some vendors simply include a basic application from third-party software developers. Better versions are designed to tie into a notebook’s overall security management with a user-friendly interface. HP, Lenovo and Toshiba, for example, all combine fingerprint scanning with BIOS security, data encryption and system password management in a single umbrella application on their notebooks.
A second feature included with most notebook-based fingerprint scanning applications is password management, not just for your power-up or Microsoft Windows login but for all of your Internet passwords as well. Whether users find this useful depends on how well the password management in their other applications works.
Fingerprint scanning is exceptionally convenient when logging back into Windows. If you frequently walk away from your notebook during the day, typing in a password every time you want to unlock Windows is a pain. Security is enhanced, too, because users are likely to accept a shorter time between system idle (the time when they are not working on the notebook) and automatic system lock.
1888: At the age of 66, Sir Francis Galton — a cousin of Charles Darwin — was the first to develop a method for analytically defining the unique characteristics of an individual’s fingerprints and for comparing prints against one another.
Productivity Versus Protection
Fingerprint-scanning systems walk a fine line between usability and security. Make the scanning too stringent, and the number of false rejections (when the scanner rejects a legitimate user) goes up — along with user frustration. That’s more of an inconvenience than a security risk — the notebook user simply goes back to using a password.
Make the scanning too loosey-goosey and the number of false rejections goes down — which is great, except for the problem that false acceptances go up, along with an accompanying increase in security risk.
Most vendors set a specific balance point between false rejections and false acceptances. HP’s application, however, is a bit unusual because it lets you adjust the level of security from a one-in-3,333 chance of false acceptance to a one-in-20,000 chance.
HP’s Madina says that IT managers needing even higher levels of security can purchase more stringent matching algorithms from third-party software vendors. (Interestingly, all of the manuals reviewed for the article from different vendors state that fingerprint accuracy is not guaranteed.)
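The trade-off between false rejections and false acceptances can be made concrete with a small model. The following is an added example, not code from any vendor's software: the 0-100 match score and the two score distributions are constructed assumptions, and only the one-in-3,333 and one-in-20,000 settings come from the article.

```python
from statistics import NormalDist

# Constructed match-score model (assumption, not vendor data): scores run
# 0-100, and a higher score means the fresh swipe's template is closer to
# the stored template.
GENUINE = NormalDist(mu=70, sigma=10)   # legitimate user, swipe-to-swipe variation
IMPOSTOR = NormalDist(mu=25, sigma=8)   # somebody else's finger

def far(threshold: float) -> float:
    """False-acceptance rate: share of impostor swipes scoring at or above threshold."""
    return 1 - IMPOSTOR.cdf(threshold)

def frr(threshold: float) -> float:
    """False-rejection rate: share of legitimate swipes scoring below threshold."""
    return GENUINE.cdf(threshold)

def threshold_for_far(one_in: int) -> float:
    """Accept threshold that yields a one-in-`one_in` chance of false acceptance."""
    return IMPOSTOR.inv_cdf(1 - 1 / one_in)

def sweep(thresholds=range(35, 66, 5)):
    """Rows of (threshold, FAR, FRR) from a loose matcher to a strict one."""
    return [(t, far(t), frr(t)) for t in thresholds]

def compare_settings(settings=(3_333, 20_000)):
    """FRR the modelled user pays at each false-acceptance setting."""
    rows = []
    for one_in in settings:
        t = threshold_for_far(one_in)
        rows.append((one_in, t, frr(t)))
    return rows

if __name__ == "__main__":
    print("threshold   FAR         FRR")
    for t, fa, fr in sweep():
        print(f"{t:9d}   {fa:.6f}   {fr:.4f}")
    print()
    for one_in, t, fr in compare_settings():
        print(f"1-in-{one_in:,} false acceptance -> threshold {t:.1f}, "
              f"{fr:.1%} of legitimate swipes rejected")
```

In this model, tightening from the looser setting to the stricter one roughly doubles the share of legitimate swipes that get rejected; the real figures depend on the sensor and matching algorithm.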
Lenovo and Toshiba let you use a fingerprint swipe at the power-on password level. HP and Fujitsu notebooks work only at the Windows login level. That’s no less secure because you can still use a password, but it is less convenient.
Ultimately, it’s the IT manager’s decision what level of security to enforce. And remember, fingerprint scanners are just one part of the security toolkit, but one that can be used at all levels of protection. For maximum security, use a three-tier authentication: Force a notebook user to insert a smart card, enter a password and scan a finger.