Fingers ready, Captain Kirk - destroy all passwords!
Street research carried out earlier this year revealed that 90% of people were willing to give their passwords to researchers. As part of a survey on identity theft, researchers from the Infosecurity Europe conference asked people at Victoria Station in London to disclose their passwords. The researchers gave no verification of their identity; their only tool was a clipboard.
This research shows how easy it is to steal a person's identity and all their passwords. The problem has cost £1bn in the UK alone this year, according to statistics given out by Home Office Minister, Beverley Hughes.
The amount of identity theft and related crimes has never been greater. At the same time, there is also more high-value information than ever before kept on the Internet or intranets. The two facts are of course related. Users are confronted by a proliferation of passwords. There are so many that people write them down on 'post-it' notes beside their computers, or store them in their address books or on unprotected laptops and PDAs. The situation is not helped by people being happy to give out those passwords to colleagues or even perfect strangers.

The typical corporate user now has to remember at least three, and often five, passwords to access business systems and applications. There are more needed for private use, such as home banking and eBay. Add to this the increasingly common use of 'password ageing', in which passwords expire after a set time. The result is that the average user has, in theory, to learn and remember between 18 and 30 8-character alphanumeric passwords in a year. Most people can remember the PIN of only one of their credit cards; most don't bother with the PIN on their mobile phone. Is it any wonder that, according to Aberdeen Group, large organizations spend as much as $350 a year for each employee on computer password management?

Passwords can at last be replaced. Fingerprint recognition biometrics offers a secure, affordable and scalable solution to the problem. Already, 11,000 National Health Service employees use it, in more than 60 hospitals in the UK. A further 30,000 remote NHS workers can access patients' records while on the move. Hundreds of patients are also using fingerprint recognition. In Oxfordshire and Derbyshire, they securely gain access to their own medical records held within their doctors' surgeries. Patients can read their notes and the results of doctors' consultations, as well as making sure their records are accurate and up to date.

The next major sectors to embark on biometric authentication look likely to be the banking and retail industries. It is an attractive and cost-effective choice. The chips used in the fingerprint reader have fallen in price from £60 in 2001 to £4 in 2003. A mouse combined with a fingerprint reader now costs just £49.99. Recent research suggests the biometric authentication market will go from $900 million in 2002 to $4.0 billion by 2007.
Fingerprint recognition lets people access multiple application programs with just the touch of their finger. No more passwords or PINs. Also, unlike iris or face recognition scanners, it's easy and unintrusive. People become more accountable for their actions and transactions, which helps with fraud detection.
In ecommerce, fingerprint biometrics can potentially help to achieve legally binding transaction processing that is easy to use. Some national regulations already approve the use of biometrics for high-security or 'qualified' electronic signatures. Fingerprint biometrics are regularly used to digitally sign transactions covered by the American E-SIGN (Electronic Signatures in Global and National Commerce) and Uniform Electronic Transactions Acts. On this basis, legally binding contracts can be signed online using digital signatures and public keys. This can save a lot of time, money and lawyers' fees.
Writing down PINs and passwords will continue to be common practice. Password corruption and fatigue will account for more and more fraud. Biometrics offers a cheaper, more reliable and stronger way of keeping information secure. Consumers and users of corporate systems can at last happily - and safely - dispense with all those numbers and passwords. Why wait to let them?
***
Steve Barnett, Chairman of ISL biometrics, contributed this article. Our thanks go to him.