Recently, I visited a new Network Operations Centre that was promoted as "world class". It is currently undergoing evaluation for BS7799 certification, so, naturally, I looked carefully at their security arrangements. One impressive feature was the physical access control to the control room. To enter, staff use a smart card, type a PIN, and place their finger on a fingerprint reader. This gets them through the first door and into an anteroom. To open the second door and enter the NOC itself, they present their eye at an iris scanner. As I said, impressive.
Back to some authentication basics: there are three, possibly four, ways of authenticating someone, summarised as: Something you know (in this case, the PIN), Something you have (the smart card), Something you are (biometrics: the fingerprint and iris) and Something you do (such as the way you sign your signature - I think this could be classified as a sub-category of biometrics). Using just one of these methods (single-factor authentication) provides some assurance that the right person is given access, but it may still fail - a PIN can be guessed, a smart card can be stolen, biometrics have a false positive (false acceptance) rate. Using two-factor authentication provides a higher degree of assurance, because two methods must be broken, in quite different ways. Three-factor authentication provides still higher assurance. Using the same factor twice does not increase the security: if we give the staff two different tokens, they probably keep them in the same pocket and the tokens get stolen together; if they choose two different passwords, they probably find them difficult to remember and write them on the same piece of paper.
So, what does using both fingerprint and iris scanners gain the NOC? We can re-phrase this: under what circumstances would one of the methods fail, but the other work? Only when control of the fingerprint is separate from control of the iris. Perhaps the attacker cuts off the finger of an authorised member of staff, but an attacker determined enough to do that is certainly determined enough to threaten to cut off body parts if the staff member does not let them in. Actually, a properly designed fingerprint scanner will check for a pulse, so a severed finger would not work, but that just makes it more likely that the fingerprint and iris stay together, and whoever controls one controls the other.
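The argument above can be made concrete by modelling which credentials fall together. The following is an added example (not code from the article or the NOC described): it classifies each credential by factor, lists constructed compromise events that each yield a set of credentials to an attacker (guessed PIN, stolen card, spoofed biometric, and coercion of the staff member, which yields every biometric at once), and finds the smallest number of independent events needed to defeat a scheme. Credential names, event names and the classification are assumptions for the illustration.

```python
"""Independent-factor model for an access-control scheme (added example).

A scheme is only as strong as the smallest set of compromise events that,
taken together, hands the attacker every credential the scheme demands.
Adding a credential that always falls in the same event as one already
required does not raise that number.
"""
from itertools import combinations

# Assumed classification following the article's categories.
FACTOR_CLASS = {
    "pin": "know",
    "smart_card": "have",
    "fingerprint": "are",
    "iris": "are",
}

# Constructed compromise events: each maps to the credentials an attacker
# obtains together. These mirror the failure modes the article names.
COMPROMISE_EVENTS = {
    "guess_pin": {"pin"},
    "steal_card": {"smart_card"},
    "spoof_fingerprint": {"fingerprint"},      # biometric false acceptance
    "spoof_iris": {"iris"},                    # biometric false acceptance
    "coerce_staff": {"fingerprint", "iris"},   # controlling the person controls all biometrics
}


def distinct_factors(credentials):
    """Set of factor classes covered by the given credentials."""
    return {FACTOR_CLASS[c] for c in credentials}


def factor_count(credentials):
    """How many *different* factors a scheme really uses."""
    return len(distinct_factors(credentials))


def min_events_to_defeat(required, events=COMPROMISE_EVENTS):
    """Smallest number of compromise events covering every required credential.

    Returns (count, event_names) for the first minimal combination found,
    or None if no combination of events covers the scheme.
    """
    required = set(required)
    names = list(events)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            covered = set().union(*(events[n] for n in combo))
            if required <= covered:
                return k, combo
    return None


# Scheme A: card + PIN + fingerprint.  Scheme B: the NOC's card + PIN + fingerprint + iris.
SCHEME_A = ["smart_card", "pin", "fingerprint"]
SCHEME_B = ["smart_card", "pin", "fingerprint", "iris"]

if __name__ == "__main__":
    for name, scheme in (("A", SCHEME_A), ("B", SCHEME_B)):
        print(name, "factors:", factor_count(scheme),
              "min events to defeat:", min_events_to_defeat(scheme))
```

Both schemes count three distinct factors, and both are defeated by three events: for scheme B the coercion event covers the fingerprint and the iris together, so the second biometric adds no independent hurdle. Had the model listed an event that yields the card and the PIN together (a card with the PIN written on it), the same function would show that pairing collapsing to fewer independent factors, which is the article's point about tokens kept in one pocket.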
The NOC could use just one biometric method and still get the same level of authentication; by using two, it is simply wasting its money. I expect they will pass the BS7799 certification, because that evaluates whether they have effective security. It does not say whether it is cost-effective security. Security will always be an added expense, but there is no reason to make it more expensive than necessary.