SUNDAY BUSINESS
A NEW generation of James Bond-style
technology, called biometric authentication, is set to make portable computers
and the internet more secure.
Britain's spy agencies, embarrassed by revelations
that laptop computers belonging to MI5 and MI6 have gone missing, claim the
data on their laptops is securely scrambled, or encrypted. Similar techniques
are now available to the business user.
Mich Kabay, computer security expert at Californian consultant Adario, says
there are two key elements to consider in tackling security: authentication,
checking a person is who he or she purports to be, and encryption, to ensure
that unauthorised people cannot read confidential data.
"Identification and authentication are quite distinct from encryption. They
are separate functions, but for encryption to work properly it needs proper
identification and authentication," says Kabay.
Biometric authentication involves
measuring a bodily characteristic of a person, such as a fingerprint, or the
pattern of the retina, to check if he or she is authorised to use the computer,
rather than simply relying on a password to control access. The approach is
superior because, unlike passwords, fingerprints and the like cannot be lost,
stolen, or forgotten.
US security company Identix, which has for years supplied fingerprint scanners
to protect nuclear power plants and bank vaults, will this month launch a miniature
reader small enough for a portable computer. The device, called BioTouch, will
come on a standard PC card which slots inside most laptops. "If you just press
the edge of the card, it zooms out, very much like your CD drive," says Neil
Rowlands, Identix's European director. "Out comes the fingerprint reader, you
place your finger on it, you perform the verification to identify who you are
and the computer either allows you in or it does not. Then you push it again
and it disappears back inside the computer."
Rowlands says that, at its most secure setting, the scanner and its software,
costing about £150, can prevent the laptop being used or the data on it being
read, even if the BioTouch card is removed by the thief after a computer has
been snatched. "If someone stole your laptop and removed the card, they basically
wouldn't be able to start it or do anything with it. Then it would require some
determination to remove the hard drive and try to get down to some low-level
analysis of it," says Rowlands.
"Even then, we have some techniques to prevent that. We have another application
that allows you to set up a folder in which you can put any confidential document,
so that when you shut your computer down, all the contents of that folder will
be automatically encrypted.
"When you start up again, providing the correct
fingerprint is used, it will automatically decrypt those files."
Rowlands says Identix does not supply the encryption software, but leaves the
user free to choose his or her own encryption scheme to use in conjunction with
the package.
The biometric technology can also be applied to the wider security of e-commerce
transactions on the Net. "I'm not sure of the time it would take for it to become
accepted, but certainly in applications like home banking, with a limited number
of users in a well-defined transaction, it would be quite straightforward to
implement and would offer both the user and the corresponding bank a much higher
level of security than they get today with just a password," Rowlands says.
Graham Cluley, spokesman for security and anti-virus software company Sophos,
recommends that users encrypt their entire hard disk to avoid leaving insecure
copies of files available: "If you just selectively say 'here is my file, I
will encrypt that', you may not realise the computer stores temporary versions
somewhere else, so that is an advantage of encrypting everything."
He says that, as the popularity of portables increases, security is becoming
a bigger concern: "This is going to become an increasing problem because computers
are getting so much smaller, so much more powerful and everyone has a laptop
in their briefcase these days." He says the use of encryption is on the increase:
"We certainly see that a lot of banks and financial institutions and military
organisations are interested in this kind of protection."
Kabay is not impressed with corporate attitudes to security: "I am still appalled
by the degree of ignorance. There is a very primitive response in terms of security."
He argues that it is wise to encrypt all sensitive data, whether it is on a
laptop or not. "The consequences for my professional reputation and that of
my employer were any confidential information to be posted on the Net, or distributed,
or sent to a client, would be catastrophic. So in my office, not only do I encrypt
the confidential data on my portable computer but my main computer, my tower
system, is identically encrypted," he says.
Kabay strongly supports using biometric authentication: "Privacy advocates
frequently get confused by this technology and they think people are storing
images of the face or storing your fingerprints, but that is not at all the
case.
"There are coded parameters about the biometric phenomenon, but they are one-way
encrypted. That means you can check to see if what you are reading matches what
was encrypted. But you can't go backwards, you can't take the encrypted data
and regenerate a picture of the person."
DK Matai, managing director of security software specialist mi2g, says
biometric authentication is rapidly becoming accepted as part of normal security
measures. "Microsoft Windows 2000 is the first Microsoft
operating system that comes with biometric security support, so that shows that
the major, mainstream operating system suppliers are waking up to biometric
security in a big way," he says.
Matai says the company has found that senior managers tend to have passwords
for their entire organisation on their laptops, with the belief that their own
laptop will not come to harm. "In the case of a major
European internet service provider, a whole raft of e-mail addresses had to
be changed about two months ago because one of the laptops which was carrying
the passwords fell into the wrong hands," he says.
"What we feel is going to happen in the not too distant
future is that people will rely on a triple model of security, which will be
password, plus biometric security, plus something that they carry, like a smart
card. It is going to become increasingly necessary to validate the password
that you type in," he adds.