Starbulletin.com



Tech View
John Agsalud






‘Something you are’ is probably the most secure

The publication of the contents of Paris Hilton's smartphone set information technology security managers into a tizzy a few weeks ago.

No, they weren't busy searching for Fred Durst's phone number, or nudie pictures of Ms. Hilton. Any IT professional worth his or her salt could find that in a matter of minutes. Rather, it was the rumor that Hilton's phone was breached by simply guessing an answer to one of her password "reminder" questions, in this case, "what is the name of your favorite pet?" Apparently Hilton takes her pet chihuahua, "Tinkerbell," everywhere she goes.

Whether the rumor is true or not, it points to a gaping hole in the security policy of many organizations. Simply answering a question whose answer only you are supposed to know will allow you to reset the password of many accounts.

In the old days, up until around the '90s, the only reminder question anyone used was "what is your mother's maiden name?" More recently, in addition to asking about your pets, other questions have become more popular. These include supposedly private queries, such as "what is your favorite sports team?" along with our personal favorite, "where did you go to high school?" As all kamaaina know, this is the worst kept "secret" in all of Hawaii. Even the most casual of acquaintances know where you went to high school. After all, it's one of the first questions anyone ever asks about you.

Nowadays, it is universally agreed that the most rigorous security policies should be based on a combination of three things:

» Something you know;

» Something you have; and

» Something you are.

Something you know might be a password. Something you have might be a smartcard or even a smartphone. It's the "something you are" that's the most intriguing. Biometric devices such as retinal scanners and voice analyzers are becoming more and more popular, and as a result, less expensive. Grocery stores on the mainland now allow you to pay your bill with a simple scan of your fingerprint.

If you are considering implementing or upgrading a security policy along these lines, however, be aware that standards for such technology are still being developed. The National Institute of Standards and Technology recently released the Personal Identity Verification standard, which details specifications for identification smartcards for federal employees and contractors.

The institute is also working on standards for biometrics. Although fingerprint standards have already been established, specifications for other kinds of biometric information must still be defined.

Once the standards have been completed, the institute must still define how the smartcards must work with other devices, such as computers. As such, commercial products conforming to federal standards are still a ways away. Even those organizations outside of this space should pay attention to these standards as they are developed and implemented. Many government standards tend to work their way into the private sector over time.


John Agsalud is president of ISDI Technologies Inc., an IT consultancy based in Honolulu. Call him at 944-8742 or e-mail jagsalud@isdi-hi.com.






© Honolulu Star-Bulletin -- https://archives.starbulletin.com
