Securing USB flash drives with biometric authentication

Kevin Vlasich

 

Every day, people and organizations hand over their most valuable and vital personal information to government agencies. It is then up to the recipient – a federal or state agency, or another government organization – to safely store that data.

However, without adequate data security, that confidential information can get into the hands of cyber-criminals, putting people at risk of identity theft and leaving government organizations with costly consequences. In fact, government agencies and public companies on average pay $202 per record for a single data breach, which costs U.S. organizations at least $45 billion annually. 

Furthermore, as the workforce becomes more mobile, people are relying increasingly on flash drives to share and access their data. Today, 67 percent of all workers use mobile and wireless computing, and 75 percent are expected to become mobile by 2011, according to IDC. 

Unfortunately, while USB flash drives are inexpensive and easy to use, they present security risks because sensitive information is easily accessible unless proper security measures are in place.

Think about it. People’s work laptops typically contain important, proprietary data. If the laptop were ever lost or stolen, they would report it as missing. First, that laptop likely is encrypted, making it difficult for an outsider to bypass the system security and access the data. Then, even if an intruder bypasses the encryption, the organization’s IT department might have already changed the user’s security credentials and removed the account name from the domain, making it very difficult for an intruder to access the data residing on the organization’s server. Ultimately, most of the proprietary data is safe.

However, if a USB flash drive goes missing, most people would simply get a new one. In other words, the small size, low cost and large storage capacities of USB flash drives make them a security risk, even more so than laptops.

Thankfully, several options, ranging in security level, are available to help government agencies and other organizations mitigate the security risks that traditional flash drives pose.

At a lower level, USB flash drives with built-in hardware encryption have been around for a few years and can help address these security risks. Many of these drives offer strong encryption algorithms, such as the Advanced Encryption Standard (AES), along with simple password protection for authenticating the user to the device. 

While these provide a certain level of assurance of protection, they have limitations. Sure, only the world’s most elite cryptographers may have the skills required to attack algorithms like AES, but anybody can try to guess a password, and succeed.

Alternatively, the same adversary could deploy easy-to-obtain software to decode the password. Some encrypted USB devices address these concerns by locking out an attacker after a certain number of incorrect passwords, but that is only helpful if the adversary exceeds the specified number. 

Here is where biometric authentication makes a lot of sense. Biometric authentication is the process of using a unique physical trait (such as a fingerprint) or behavioral trait to confirm the identity and determine the access profile of a person.

Recent advances have made fingerprint scanners more affordable, more reliable and smaller than ever before. A biometric fingerprint cannot be guessed, written on a Post-It note, or forgotten, and is not vulnerable when another system is compromised.

Biometric authentication offers a strong defense against the weakest part of a crypto system, which is a password that can be guessed or stolen. Using biometric authentication also means the user has one less password to remember, which can lead to reduced help desk costs for forgotten passwords.

In general, configuring a new biometric USB drive for fingerprint authentication is straightforward. It usually requires the user to swipe one or more fingers over a small biometric reader embedded on a USB flash device so the device can “learn” the user’s fingerprint. Once the device has been configured to recognize a particular fingerprint, accessing the device simply involves the user swiping his or her finger over the biometric reader again. 

In situations where only the highest level of security will do, use two-factor authentication. In those instances, both a password and a fingerprint scan would be required to authenticate the user and unlock the encrypted files. Two-factor authentication, which is also called “strong authentication,” usually includes “something you know” (such as a password or PIN) and “something you have” (such as your fingerprint).

When choosing which USB flash drives to deploy in their organizations, government agencies will want to look for products that are Federal Information Processing Standards (FIPS) validated and compliant with the Trade Agreements Act (TAA). These are key requirements for U.S. Government users. 

The need for security measures will only increase as the nation, and the world, become more digital and more mobile. Already, 45 states have adopted data breach laws, while a new federal statute requires many financial institutions to develop and implement a formal, written and revisable “Identity Theft Prevention Program.”

Solutions such as biometric USB flash drives can add a tremendous amount of value and assurance to government agencies and organizations, especially as digital information, threats and regulations continue to multiply.
