The Case for Fingerprint Reader Modules
In the past two years, a growing proportion of PCs — primarily commercial notebooks, but also a few commercial desktops and even some consumer notebooks — have been shipped with security chips. The number of systems going out with a Trusted Platform Module (TPM), as the chips are called, rose from 7 million units worldwide in 2004 to more than 20 million in 2005 and is projected to reach more than 250 million by 2010 (www.ndpta/Commentary/TPMForecast.html).
However, many of these TPMs are not utilized, despite being shipped with basic software to handle such useful tasks as user authentication, password management, and file and folder encryption. Part of the reason for this underutilization is that the software is still not entirely intuitive, but more importantly, the infrastructure needed for broad deployment — such as public key infrastructure (PKI) — is still rare. Thus, the TPMs are mostly used, when they are enabled, to allow a user to gain access to his or her machine securely, keep unauthorized users out, and protect its contents from intruders. For this reason, security technology is primarily found on mobile systems, since stationary ones have a degree of physical security, being, as they often are, located in offices with locks on the door and access protocols to get in. It's the mobile systems that are likely to get pinched in the airport, exposing the user, and the company, to a potentially catastrophic loss of data.
But another reason why TPMs aren't always put to work is that it's not easy to invoke the security technology without a good human interface. The user needs some way to generate the unique keys used to encrypt everything else and to invoke them when needed for access or to undertake a privileged encryption operation. The best user interface for this function, and the one rapidly taking over from all others, is the fingerprint reader. Fingerprint security is not perfect in the sense that it can be spoofed by a determined hacker, but no technology is truly perfect, and fingerprint has the virtues of being good enough for "commercial grade" security, familiar enough to garner a high level of user acceptance, and small and low cost enough to be built into notebook bezels and desktop keyboard surfaces.
Fingerprint Technology
The technology used in fingerprint readers has evolved rapidly from those that take an impression of the entire fingertip to those that require the user to "swipe" across a narrow band. The newer technologies have the benefits of being harder to hack, smaller, more reliable, and less costly.
These characteristics also make the readers an attractive technology for mobile phones as well as for notebooks. Since phones are increasingly a store of important information (e.g., contacts, email) as well as value (i.e., phones can be used in some countries already as "electronic wallets"), access to them also needs to be restricted to authorized users. Although the phone market ultimately represents a larger target for fingerprint readers than the PC market, the scope of this forecast is limited to the PC market, where the adoption of security technology in the form of TPMs and related software is already well underway, and fingerprint readers have already established an important beachhead.
Only a few short years ago, fingerprint readers were unreliable — granting entry to the wrong people (false positives) and not letting in the right people (false negatives) 15-20% of the time. Reliability has increased to greater than 99%, and the current technology handles fingerprints well under even fairly extreme conditions (e.g., the worn fingerprints of working hands, the soft fingerprints of older hands, and the greasy fingerprints of dirty hands). Costs, which, at $25-28 per unit in 1999, were way out of line, have dropped to $4-6 per unit.
The various suppliers use different schemes to detect the unique patterns that all fingers have, including plain old optical scanning, the differential modulation of an electronic field, the measurement of changes in DC capacitance, or the assessment of the degree of thermal difference between the valleys and ridges of the fingertip. The biggest change in the technology recently is the wholesale move from surface-based units that image the whole print at once to swipe bars that read the print like a compact scanner, effectively one line at a time rather than all in one shot. Besides saving on space, the bars present intruders a narrower attack surface.
The algorithms behind fingerprint readers give numerical values to the location of several dozen junctions and terminations in the fingerprint called "minutiae points." The precise values of these minutiae points are unique to each individual. In addition to uniquely identifying a particular print, these values do not allow someone in possession of them to reconstitute a fingerprint. So, the numbers are like a hash result, that is, a short string, output by a one-way process that cannot be worked backward to derive the original input. This method not only improves the security of fingerprint technology, but has the added benefit of creating only a small dataset, always a good thing in computing.
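The following sketch is an added example, not part of the original article and not any vendor's algorithm. It shows a simplified minutiae matcher and why, unlike a cryptographic hash, a template has to be compared with tolerances and a score threshold, which is where the false accepts and false rejects mentioned earlier come from. All coordinates, tolerances and thresholds are constructed assumptions.

```python
import hashlib
import math

# A minutia is (x, y, ridge_angle_degrees, kind). Constructed sample data.
ENROLLED = [(12, 40, 90, "ending"), (30, 22, 45, "bifurcation"),
            (55, 61, 180, "ending"), (70, 15, 270, "bifurcation"),
            (82, 48, 135, "ending"), (25, 75, 10, "bifurcation")]
# Same finger, second swipe: small jitter, one minutia missed, one spurious.
SAME_FINGER = [(13, 41, 92, "ending"), (29, 24, 40, "bifurcation"),
               (56, 60, 176, "ending"), (71, 13, 275, "bifurcation"),
               (83, 50, 130, "ending"), (5, 5, 300, "ending")]
# Different finger: one minutia happens to line up by chance.
OTHER_FINGER = [(14, 38, 200, "ending"), (31, 23, 50, "bifurcation"),
                (48, 30, 90, "ending"), (66, 70, 20, "bifurcation"),
                (90, 20, 300, "ending"), (40, 80, 180, "bifurcation")]

def angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)

def match_score(template, probe, dist_tol=4.0, angle_tol=15.0):
    """Fraction of enrolled minutiae paired with a distinct probe minutia."""
    used, paired = set(), 0
    for x, y, a, kind in template:
        best, best_d = None, None
        for i, (px, py, pa, pkind) in enumerate(probe):
            if i in used or pkind != kind:
                continue
            d = math.hypot(px - x, py - y)
            if d <= dist_tol and angle_diff(a, pa) <= angle_tol:
                if best is None or d < best_d:
                    best, best_d = i, d
        if best is not None:
            used.add(best)
            paired += 1
    return paired / len(template)

def decide(template, probe, threshold=0.6):
    """Accept the probe if enough minutiae agree (threshold is an assumption)."""
    return match_score(template, probe) >= threshold

def exact_digest(template):
    """Hash of the raw values: changes completely on any sensor jitter."""
    return hashlib.sha256(repr(sorted(template)).encode()).hexdigest()
```

Raising the threshold toward 0.9 rejects the genuine second swipe (a false negative), while lowering it toward 0.1 accepts the other finger (a false positive); exact digest comparison would reject every genuine swipe.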
Another development is aiding fingerprint reader adoption: the ecosystem necessary to make the readers work in PCs is solidifying. For example, Microsoft will integrate drivers and backend fingerprint handling algorithms into Vista, its soon-to-be-released operating system. Aside from the silicon fingerprint sensor itself, other solution elements include biometric algorithms, companion processors that accept raw input from the sensors, and application software. Since fingerprint readers require mixed-signal (analog and digital) processing, companies involved in providing hardware elements of the solution not surprisingly include firms such as Texas Instruments, LGE, and Analog Devices. In addition, the more established fingerprint reader suppliers also provide reference designs to Original Design Manufacturers (ODMs) and Original Equipment Manufacturers (OEMs) interested in integrating the technology into their products.
Although some readers were initially sold as USB add-ons, the market has quickly turned to embedded readers, which, like touchpad pointing devices, have the advantage of being sealed into the surface of the computer, minimizing the opportunity for spills and foreign materials to enter the electronics. Also, embedded readers can't get misplaced or stolen, and they take up less room. In some cases, the readers can even substitute for other pointing devices. Applications now allow the user to move the cursor around on the screen by moving a finger around on the little reader bar, an attractive capability for small form factor devices. Another interesting application is fingerprint-based fast user switching, by which a computer brings up a user's desktop, settings, and preferences profile based on his or her print. When a subsequent user logs onto the same machine, the system switches to that user's desktop and profile.
Vendors
At the moment, two vendors, AuthenTec and UPEK, supply 95% of the readers in PCs. There are several other vendors that manufacture a piece of the fingerprint reader solution. Atmel, Atrua, and Validity have sensors, but no platforms, and a dozen others have designs but no products yet in the marketplace. At this writing only AuthenTec and UPEK offer the entire stack, either through their own technology or via partners.
By now, most of the major PC hardware OEMs offer embedded readers in some or all of their commercial notebook lines, either standard or as an option. Some are also beginning to integrate units into their consumer notebook lines as well as the keyboards of some of their commercial desktops. One of the major assumptions for this forecast is that adoption will follow a pattern of commercial notebooks first, then consumer notebooks and commercial desktops at about the same time, and finally consumer desktops.
Fingerprint Attach Rate
Vendors that supply notebooks with both TPM and fingerprint reader options note that conservative expectations (a 5% attach rate of readers to TPMs) have been greatly exceeded (20-25%). This type of input drives another important assumption of the reader forecast: attach rates of readers to TPMs, which today hover at 20%, will reach 80% in the five-year forecast timeframe. Although 20% may seem like a high number, it is important to remember that the rate of TPM attach to PC clients itself is still rising, albeit rapidly. The attach rate of fingerprint readers to total PC clients is still only about 2%.
Forecast
Given the foregoing analysis, Endpoint predicts that fingerprint readers will proliferate widely, and shipments of embedded readers in notebooks and desktops, which are expected to hit 15 million in 2006, will reach 228 million in 2011 (Figure 1).
Figure 1
http://www.ndpta.com
Assumptions
This forecast was done with the following assumptions:
· Attach rate will grow to 80% of the TPM attach in PC clients by 2011.
· Order of acceptance will be commercial notebooks, followed by commercial desktops and consumer notebooks, followed by consumer desktops.
· Readers will standardize during the forecast period, allowing costs to decline from $4-6 today to $1-2 in the final year.
· Microsoft and PC silicon suppliers will continue to support the standards set out by the Trusted Computing Group (TCG), including the TPM and related networking standards, which will make TPM adoption nearly universal in PC clients.
· No other user interface will arrive on the market that has a better mix than fingerprint readers of security, convenience, user acceptance, and cost.
· AuthenTec and UPEK shipped 98% of readers in PCs in 2005 and will ship 95% in 2006; thereafter, other suppliers will enter the market.
· Useful new applications based on readers will be introduced throughout the forecast period.
· The steady growth of eCommerce during the forecast period and the migration of more and more value to PC clients will stimulate a demand for interface technologies that are both secure and convenient.
· Toward the out years of the forecast, readers and TPMs will be mutually supportive in that they will tend to be sold and integrated as a single subsystem.
Conclusions and Recommendations
The fingerprint reader market is just taking off. Awareness of the technology and its benefits is still low on the part of end users and even many IT managers. However, some vendors are beginning to position themselves to adopt readers broadly across their product lines.
Vendors already moving toward providing fingerprint options on their systems are well positioned to benefit from the market shift toward readers. Vendors not yet on board should get going sooner rather than later. The industry should promote awareness of fingerprint solutions through marketing and advertising, and should work with its suppliers and partners in eCommerce to promote the standardization and usage of fingerprint technology for user authentication, network access, and Internet-based transactions.
Fingerprint readers represent the tip of the iceberg, the visible face of client security. Once they become common, PC users will have more convenient access to the security features embedded in their systems. These features are critical to the widespread adoption of eCommerce. People need to feel that they can trust that their identities and credentials will not be pilfered and misused as they go about their business in the digital world. They want good security, but they don't want this security to be too cumbersome. Fingerprint technology represents the most likely avenue toward making eCommerce both easy and safe.
© 2006 Endpoint Technologies Associates, Inc. All rights reserved.



