<HTML> <BR>
Contact Us<BR>
About this page<BR>
<BR>
<BR>
<BR>
Posted at 1:35 p.m. PDT Friday, September 18, 1998 <BR>
You Are the Password<BR>
Personal computers can now recognize users <BR>
by fingerprint, voice and even face<BR>
THROW AWAY your keys. Forget your passwords.<BR>
A new technology called biometrics might soon make these <BR>
old-fashioned forms of security obsolete.<BR>
Everything from computers and automated teller machines to cars and <BR>
even the front doors of homes could ask to check your fingerprint, <BR>
hear your voice or see your face as a way of proving your identity.<BR>
These biometrics -- your body's unique characteristics -- could be <BR>
both more convenient and more secure than passwords or keys.<BR>
Convenient because you wouldn't have to carry anything special in <BR>
your pocket or inside your head. Your ``keys,'' which would always <BR>
be with you, would actually be you.<BR>
Secure because biometrics can't be copied or stolen.<BR>
Oh, sure, movies and television shows are full of spies recording <BR>
and replaying voices or synthesizing fake fingerprints, but even if <BR>
such stunts are possible in the real world, they require far more <BR>
expertise and money than simply overhearing or guessing a password <BR>
or pinching a key ring.<BR>
There is, however, a privacy question. It's one thing to identify <BR>
ourselves to our own computers and cars, but do we want large <BR>
corporations or the government keeping our body measurements on <BR>
file? There's already a bill before the Legislature that would limit <BR>
the collection and sale of biometric information. For details, go to <BR>
the World Wide Web (http://www.sen.ca.gov) and look for Senate Bill <BR>
1622.<BR>
I had my first taste of biometrics last week when I installed <BR>
U.are.U, a $150 fingerprint scanner from Digital Persona <BR>
(650-261-6070, http://www.digitalpersona.com). And I loved it.<BR>
The fingerprint scanner hardware is about the size of a mouse and <BR>
connects to the USB port of a Windows personal computer. You'll need <BR>
Windows 95 or 98, with support for NT due soon, as well as a Pentium <BR>
processor and 16 megabytes of random-access memory (RAM). Inside the <BR>
scanner is a light-sensitive chip, much like those in a digital <BR>
camera, and on top there's a postage-stamp-size window where you <BR>
press your fingertip.<BR>
More light reflects from the ridges on your fingerprint than from <BR>
the valleys, so the software can quickly see an image of the <BR>
fingerprint's curved lines. The software looks for the core, or <BR>
center, of the resulting curves and for the minutiae -- places where <BR>
ridges end or begin. It then calculates the angles between the core <BR>
and the minutiae, angles that are the same no matter how you press <BR>
your finger on the scanner.<BR>
After plugging the scanner in and installing the accompanying <BR>
software -- a very quick and easy task -- you choose two fingers <BR>
that will be used for identification. Then you press those two <BR>
fingers on the scanner window four times each.<BR>
Now you can start throwing away your passwords, starting with that <BR>
log-in password for launching Windows. If your PC isn't asking, by <BR>
the way, the password set-up was skipped when you or the factory <BR>
first installed Windows. Instead of typing letters and numbers and <BR>
then pressing return, you just press your finger for a second on the <BR>
scanner's window.<BR>
U.are.U should recognize you immediately and welcome you by name to <BR>
a new Windows session.<BR>
The name part is interesting, because you can set U.are.U up to work <BR>
for a number of people.<BR>
You can also use the U.are.U software to replace your Internet <BR>
sign-on and other passwords with the same fingerprint ``open <BR>
sesame.'' There's even a U.are.U screen saver that automatically <BR>
kicks in when you don't touch mouse or keyboard for a while, but <BR>
will revert to regular programming only when the correct fingerprint <BR>
comes along.<BR>
Promised soon is more software called U.are.U Private Space, to be <BR>
included in a $190 deluxe verison, that will let you encrypt any <BR>
file so it can't be viewed without your fingerprint key.<BR>
For better security, U.are.U doesn't send your fingerprint data <BR>
through the USB line to the computer. That could let someone <BR>
intercept and then playback the fingerprint bits. Instead, it uses <BR>
encryption to send a special code based on your fingerprint.<BR>
In my initial testing, U.are.U never let my wrong fingertip or <BR>
anyone else's pass the test, but authenticated my correct fingertip, <BR>
even pressed at an angle or upside down, in only a second.<BR>
There were some instances when it didn't immediately recognize my <BR>
fingerprint, perhaps because the scanner window was getting dirty. <BR>
Supposedly, the software automatically corrects for this, even <BR>
subtracting any remaining fingerprint image from previous scans, so <BR>
maybe something else was troubling the system.<BR>
Sometimes, I had to press longer to be recognized; a few times I <BR>
gave up and typed the backup password that U.are.U lets you store.<BR>
That partially breached biometric security, but not thoroughly. <BR>
After all, the problem isn't really in creating and using a single <BR>
password that's hard to guess. Most people can do that, if convinced <BR>
it's necessary.<BR>
The frustration blooms when you need so many different passwords and <BR>
personal identification numbers (PINs), some you can choose yourself <BR>
and some that are chosen for you. That makes remembering them <BR>
something between tricky and absurd. Many people conquer this memory <BR>
hurdle by writing the passwords down, often on a little note that's <BR>
inside their desk drawer or even taped to the side of the computer.<BR>
Real security, huh?<BR>
Hackers often start not by creating sophisticated penetration <BR>
programs but by digging around for just such password cheat sheets.<BR>
There's a big temptation to just forget the whole mess and change <BR>
all your passwords to something truly simple such as ``password'' or <BR>
your initials. Or even to use no password at all. Hackers know those <BR>
temptations, and are often rewarded when aiming right at them.<BR>
So I don't want to overemphasize the times U.are.U didn't recognize <BR>
me. It did well enough, and is so easy and inexpensive that I <BR>
immediately wanted one in my car and on my house.<BR>
And, a very good sign, I immediately started using it each time I <BR>
turned on Windows, when before I typically just canceled out the <BR>
log-in password to save the trouble.<BR>
Digital Persona isn't the only company offering biometric <BR>
authentication technology. Many are already at work in law <BR>
enforcement, security and financial services. Because of recent <BR>
high-profile criminal trials, most of us have heard of DNA <BR>
biometrics. It will be awhile before that reaches your computer or <BR>
home, but expect to hear about more fingerprint sensors as well as <BR>
retina, iris, palm, face, voice and signature authenticators.<BR>
Here are some of the products now available:<BR>
American Biometric (888-246-6687, http://www.biomouse.com) makes a <BR>
$300 ``biomouse'' that adds a fingerprint scanner -- with <BR>
accompanying software -- to a mouse.<BR>
Cyber-SIGN Inc. (800-876-4605, http://www.cybersign.com) has <BR>
software that can authenticate signatures by remembering the shape, <BR>
speed, stroke order and pen pressure used.<BR>
VeriVoice (http://www.verivoice.com) makes Internet Security <BR>
System, Unix and Windows software to authenticate you by voice, <BR>
either over the telephone or over the Internet.<BR>
Visionics (201-332-9213) offers FaceIt PC for $100, software that, <BR>
in concert with a video camera, analyzes your face shape for <BR>
authentication. TrueFace from Miros (781-235-0330, <BR>
http://www.miros.com) is another face recognition program.<BR>
IriScan (800-333-6777, http://www.iriscan.com) sells the hardware <BR>
and Windows NT software to profile your eyeball from about a foot <BR>
away. Sensar (888-473-6727, http://www.sensar.com) also offers <BR>
iris-recognition tools.<BR>
Several companies hope to set the standard for biometric software -- <BR>
with password, screensaver, file encryption and other tools -- that <BR>
will work with a range of hardware. These include I/O Software <BR>
(909-222-7600, http://www.iosoftware.com) and TrueTouch <BR>
(http://www.truetouch.com).<BR>
<BR>
<BR>
<BR>
Write Phillip Robinson in care of the Mercury News, Business <BR>
Department, 750 Ridder Park Drive, San Jose, Calif. 95190; or <BR>
e-mail: [EMAIL PROTECTED]<BR>
</HTML>