Locks can be broken and alarms can be disabled, so another way to block access to a computer is biometrics, which identify authorized users by something they are: a fingerprint, an eye scan, or a voice. The main advantage of biometrics is that they cannot be guessed the way a poor password can. Any hacker can try obvious passwords like SEX or PASSWORD, but duplicating someone else's fingerprint, eye, or voice takes far more effort. Biometrics rests on the theory that every person has characteristics no one else can duplicate; even identical twins have different fingerprints.

Typically a biometric device works like this. First, every authorized user's biometric data, such as fingerprints or eye scans, has to be stored in the device. This enrollment step builds the database of templates that the device later compares live samples against to decide whom to accept and whom to reject.

Once you've given the biometric device a few samples of each person's data, you need to test it to make sure it accurately identifies each person. The device compares each live sample against the stored templates and produces a match score, and a threshold decides which scores count as a match. The biggest problem facing biometric devices is finding the proper balance between false acceptance and false rejection when setting that threshold.

As the name implies, false acceptance means that the device's matching criteria are too loose, so anyone whose fingerprint is only slightly similar to an authorized user's may be granted access. False rejection means the criteria are too strict, so even authorized users may have trouble getting the device to recognize them. Loosening the threshold lowers the false rejection rate and raises the false acceptance rate; tightening it does the reverse. The two can be traded off against each other, but in practice they can't both be driven to zero at once.
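The trade-off described above, worked through on constructed numbers. This is an added example, not code from the original text or from any device it names; the match scores are invented output of a hypothetical matcher that reports a similarity from 0 to 100 for each attempt, and the function names are assumptions for the illustration.

```python
"""False acceptance versus false rejection as a function of the match threshold.

Added example, not code from the original text or any device it names.
The match scores below are constructed: a hypothetical matcher that reports
a similarity from 0 (no resemblance) to 100 (identical) for each attempt.
"""

# Constructed scores from testing the enrolled templates.
# Genuine: authorized users presenting their own finger to their own template.
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 93, 70, 86,
                  89, 96, 83, 91, 79, 87, 94, 84, 66, 90]
# Impostor: other people's fingers presented against those same templates.
IMPOSTOR_SCORES = [31, 45, 52, 60, 38, 27, 49, 55, 41, 63,
                   35, 58, 47, 72, 33, 50, 44, 39, 61, 29]


def accepts(score, threshold):
    """The device's decision rule: a score at or above the threshold is a match."""
    return score >= threshold


def false_rejection_rate(genuine, threshold):
    """Fraction of authorized attempts the device wrongly turns away."""
    return sum(1 for s in genuine if not accepts(s, threshold)) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Fraction of impostor attempts the device wrongly lets in."""
    return sum(1 for s in impostor if accepts(s, threshold)) / len(impostor)


def sweep(genuine, impostor):
    """(threshold, FAR, FRR) at every threshold worth considering: each observed score."""
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in sorted(set(genuine) | set(impostor))]


def equal_error_point(genuine, impostor):
    """Threshold where FAR and FRR are closest, the usual single-number summary."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def strictest_acceptable(genuine, impostor, max_far):
    """Lowest threshold whose FAR stays within max_far, and the FRR that costs."""
    for row in sweep(genuine, impostor):
        if row[1] <= max_far:
            return row
    return None


if __name__ == "__main__":
    print(" thr   FAR   FRR")
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:4d}  {far:.2f}  {frr:.2f}")
    print("equal error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("no false accepts:", strictest_acceptable(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these numbers a threshold of 40 lets in 65 percent of impostors and rejects no legitimate user, a threshold of 90 lets in nobody but turns away 60 percent of legitimate users, and the crossover sits at 70 with 5 percent error each way. Whoever deploys the device has to pick a point on that curve deliberately; the vendor's default is a guess about someone else's risk tolerance.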

Biometric devices

Since most people pick simple passwords or forget them altogether, some people have done away with passwords and rely on tokens or smart cards instead. A smart card carries a small chip that holds the user's credentials (a plain magnetic-stripe card just stores data in the stripe, and is far easier to copy), and when you insert the card into a reader the computer can tell whether you're authorized to use it. Of course, if someone steals your card, they can get in and keep you locked out, which is why cards are usually combined with a PIN so that the card alone is not enough.

Since passwords can be guessed and both passwords and smart cards can be stolen, many people are pinning their hopes on biometric devices to restrict access to their computers. The most common biometric devices and the simplest to implement are fingerprint scanners. These scanners can come as separate units that connect to the computer through a cable or as PCMCIA cards that plug into a laptop computer.

To learn more about fingerprint biometric devices, visit these sites:

Precise Biometrics
Utimaco Safeware

Besides fingerprints, no two people's signatures are alike, so several companies market signature-recognition devices, which typically measure the speed and pressure of the pen strokes as well as the shape of the finished signature. For more information about signature-recognition devices, visit Communication Intelligence Corporation ( or Cyber-SIGN (

Hook up a camera to your computer, and with the right software you can verify authorized users through face recognition. Users just have to look into the camera, and once the computer recognizes them as authorized users, they get access. One company that sells face-recognition software is Identix ( To learn more about the first step, finding a face in an image at all, visit the face-detection algorithm demonstration by the Robotics Institute ( Just upload photographs of different people to see how reliably the algorithm locates faces in different poses and against different backgrounds. Detecting a face and recognizing whose it is are separate problems; a recognition system has to get the first right before it can attempt the second.

Offering a twist on the idea, Real User ( sells a program called PassFaces. Instead of forcing people to remember obscure passwords and spell them correctly, PassFaces lets users pick a face as their password. When they want access to the computer, the computer shows several different faces on the screen and the user must choose the right one. Strictly speaking this is not a biometric at all: it relies on what the user remembers rather than on who the user is, so like any password it can be watched over a shoulder or shared, though a familiar face is much harder to forget than a random string.

Iridian Technologies ( offers a more exotic biometric device that photographs the iris, the colored ring around the pupil, to identify authorized users (this is often loosely called a retina scan, but a true retina scan images the pattern of blood vessels at the back of the eye). Rather than rely on a single biometric measurement, SAFlink ( combines voice, face, and fingerprint recognition using an ordinary digital camera, microphone, and fingerprint reader. Another company, BioID (, uses face, voice, and lip-movement recognition to identify authorized users. If someone fools one biometric device, they probably won't be able to fool the second or third one at the same time.

For more information about security in general, from protecting your possessions to guarding yourself on the streets, visit Ardent Security Solutions ( or the National Security Institute ( For specific information about protecting the security of your computer and data, visit the Computer Security Institute (

Defeating biometrics

The theory is that no one can duplicate a fingerprint, signature, or face scan of another person, so biometrics should be the answer to securing access to a computer, right? Wrong.

Biometrics can be fooled. Besides the cruder methods, such as holding a gun to an authorized user's head and making him scan his eye, or cutting off a person's finger and pressing the severed fingertip to a fingerprint scanner (which works only on sensors that don't check for a live finger, for instance by measuring pulse or skin conductivity), there are subtler, less violent ways to trick biometric devices.

When authorized users put their fingertip on a fingerprint scanner, the computer verifies their access and they walk away, but the oily residue of their fingerprint remains on the sensor surface. Many fingerprint scanners can be fooled just by cupping your hands and breathing on the sensor to fog it up, which makes this latent print stand out well enough for the scanner to read it as a fresh fingerprint and grant access. A sensor that is wiped after each use, or that checks for a live finger rather than just a pattern, defeats this trick.

To capture a valid fingerprint for future use, sprinkle graphite powder on the scanner's surface to develop the latent print, then press a piece of ordinary cellophane tape over it so the print lifts onto the sticky side. Later, stick that tape over the fingerprint scanner, and many scanners will recognize the lifted print as the fingerprint of a valid user.

Face-recognition devices are even simpler to fool. Take a picture of an authorized user, hold it up to the camera that scans the face, and chances are good that a device with no liveness check (asking the user to blink or turn their head, for instance) will take you for a valid user when you're not. Fooling voice-recognition devices can be just as easy. Hide a tape recorder, stand near an authorized user as he speaks into the microphone, then play back the recording and you've got a voiceprint the device will accept, unless the device asks for a different random phrase each time, which a fixed recording can't supply.

The same trick works against iris scanners, which image the visible surface of the eye: hold a sufficiently sharp photograph of an authorized user's iris in front of the camera, and chances are good you'll fool a scanner that has no liveness check. A true retina scanner, which images the blood vessels at the back of the eye, isn't vulnerable to a held-up picture, because nobody can photograph someone's retina from across the room.

Perhaps the best way to fool any biometric device is to intercept the data going from the biometric reader to the computer. If you can sneak a hardware device such as USB Agent ( in between the biometric device and the computer, you can capture the data a valid user produces. Then you can ignore the biometric device altogether and use the USB Agent to feed the computer the data it expects from a valid user (see Figure 20-2). This is a replay attack, and it works whenever the reader hands the computer a raw sample or an unsigned verdict; a reader that encrypts its traffic and binds each verdict to a fresh challenge from the computer gives the interceptor nothing worth replaying.

Figure 20-2: The USB Agent can intercept and analyze data sent across a USB cable.

Other tools for intercepting data sent across a USB cable are USB Sniffer for Windows ( and USB Snoopy ( Both programs can capture the traffic so you can analyze what a valid user's biometric data looks like to the computer.
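The interception-and-replay attack from the two passages above, simulated end to end, alongside the reader-to-host channel that resists it. This is an added example, not code from the original text or from USB Agent, USB Sniffer, USB Snoopy, or any biometric product the page names; the reader and host are simulated in one process, the byte strings stand in for frames a USB sniffer would capture, and the template, finger samples, shared key and all class and function names are constructed for the demonstration.

```python
"""Replaying captured reader-to-host frames, and a channel that rejects the replay.

Added example, not code from the original text or from any product it names.
The reader and the host are simulated in one process; the byte strings stand in
for the frames a USB sniffer would capture. The enrolled template, the finger
samples and the shared key are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed: a key provisioned into both the reader and the host at install time.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Constructed: enrolled template and two live samples (real readers hand over
# minutiae, not raw bytes, but the comparison logic is the same in spirit).
TEMPLATE = bytes(range(32))
GENUINE_SAMPLE = bytes(range(32))          # the authorized user's own finger
IMPOSTOR_SAMPLE = bytes(range(32, 64))     # the attacker's finger, no bytes in common
TAG_LEN = hashlib.sha256().digest_size


def similarity(a, b):
    """Toy matcher: fraction of positions where the two samples agree."""
    return sum(x == y for x, y in zip(a, b)) / max(len(a), len(b))


def verdict(sample, user_id, template, threshold=0.8):
    """What the reader decides before it says anything on the wire."""
    if similarity(sample, template) >= threshold:
        return b"MATCH:" + user_id
    return b"NOMATCH"


class NaiveReader:
    """Sends its verdict in the clear; nothing ties the frame to this attempt."""
    def __init__(self, user_id, template):
        self.user_id, self.template = user_id, template

    def scan(self, sample):
        return verdict(sample, self.user_id, self.template)


class NaiveHost:
    def unlock(self, frame):
        return frame.startswith(b"MATCH:")


class ChallengeReader:
    """MACs the verdict together with a nonce the host chose for this attempt."""
    def __init__(self, key, user_id, template):
        self.key, self.user_id, self.template = key, user_id, template

    def scan(self, sample, nonce):
        v = verdict(sample, self.user_id, self.template)
        return v + hmac.new(self.key, nonce + v, hashlib.sha256).digest()


class ChallengeHost:
    def __init__(self, key):
        self.key, self.pending = key, None

    def challenge(self):
        """A fresh random nonce per attempt; the sniffer sees it but can't use it."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def unlock(self, frame):
        nonce, self.pending = self.pending, None       # each nonce is usable once
        if nonce is None or len(frame) <= TAG_LEN:
            return False
        v, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, nonce + v, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and v.startswith(b"MATCH:")


def naive_channel_accepts_replay():
    """Attacker captured one good frame; the reader is no longer needed at all."""
    reader, host = NaiveReader(b"alice", TEMPLATE), NaiveHost()
    captured = reader.scan(GENUINE_SAMPLE)             # sniffed during Alice's login
    own_finger_works = host.unlock(reader.scan(IMPOSTOR_SAMPLE))   # attacker's finger: no
    return host.unlock(captured) and not own_finger_works


def challenge_channel_accepts_replay():
    """Same capture against the hardened channel: the tag covers a stale nonce."""
    reader = ChallengeReader(SHARED_KEY, b"alice", TEMPLATE)
    host = ChallengeHost(SHARED_KEY)
    captured = reader.scan(GENUINE_SAMPLE, host.challenge())
    host.unlock(captured)                              # Alice's own login succeeds
    host.challenge()                                   # attacker starts a new attempt
    return host.unlock(captured)


def challenge_channel_accepts_genuine():
    reader = ChallengeReader(SHARED_KEY, b"alice", TEMPLATE)
    host = ChallengeHost(SHARED_KEY)
    return host.unlock(reader.scan(GENUINE_SAMPLE, host.challenge()))


if __name__ == "__main__":
    print("naive channel, replayed frame accepted:", naive_channel_accepts_replay())
    print("challenge channel, replayed frame accepted:", challenge_channel_accepts_replay())
    print("challenge channel, genuine finger accepted:", challenge_channel_accepts_genuine())
```

The sniffer still sees every nonce and every tag; what it lacks is the key, so it cannot produce a tag over the next nonce. That only holds if the key lives somewhere the attacker with physical access to the cable cannot also reach, such as inside the reader's own chip; a reader that keeps the key in host-readable memory, or a host that never expires a pending challenge, hands the advantage back.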

No matter how advanced biometric devices may get, there will always be a way to fool them. Biometric tools can supplement security, but they can't substitute for it. To keep someone from fooling a biometric device, you need a guard to watch over the biometric device. Of course, if you can afford to station a guard by your computer, then you don't really need the biometric device.

All the protective locks, alarms, and biometric devices in the world can only deter a casual thief and slow down a determined one—you can never protect your computer with absolute security. As long as you remember that all protective devices are deterrents, you'll be able to balance security with your budget. But the moment you believe that security can be bought through the latest technology, that's when you're certain to be disappointed—and you'll probably be missing a laptop computer as well.