Biometric systems have been around for a significant period of time, and they have successfully made the leap from science fiction and movies to the real world. Early issues such as revocation and replay have largely been resolved, though compromise of the biometric storage system still remains an issue. Consider what happens if your biometrics are compromised where they're stored. What do you do if your fingerprints or retina scans are pinched? You can't very well go and get a new set!
That said, it's hard to forget your fingers on the way to work, unlike swipe cards, tokens and passwords. The problem with biometric authentication is that some over-zealous vendors are promoting them as a substitute for conventional authentication processes. They're not! Biometric systems make an excellent addition to security, and could be considered a substitute for token-based authentication, but they will never be a substitute for a username/password/PIN.
If you have currently made the investment in tokens and can manage the overhead that they create in terms of loss, replacement and staff education, then stick with them. Biometrics won't have a significantly lower support overhead, and it could be a great deal higher as users get the hang of exactly how to authenticate with them. The value from a token system is either wrong or right, not mostly right or mostly wrong, as would be a fingerprint match. Hence the learning and 'tuning' process for new users and your support team can be significant.
If you haven't implemented a second factor of authentication, then review both biometrics and tokens. Either would significantly complement your current security setup.
This was first published in April 2008