Although generally more expensive, hardware solutions generally provide more security than software-only password-management solutions.
Integrated Hardware Solutions: IBM/Lenovo Thinkpad
You've probably seen the bionic laptop commercial in which Lee Majors himself weighs in on the proper way to pronounce "dun, na, na, na." The commercial is for one of the new IBM/Lenovo Thinkpads with an integrated fingerprint reader and embedded security subsystem.
Although the security subsystem is available on most modern Thinkpads (my X31 has it, but not my X22), the fingerprint reader is available only on select models. The subsystem uses an embedded cryptographic microprocessor that works in conjunction with Client Security Software to help secure data. The processor is isolated from the operating system and has several tamper-resistant features.
The advantage of such a system is that the encryption methods are stronger than those employed by software-only solutions and are less likely to be reverse-engineered. However, the downside to the IBM/Lenovo solution is that the password vault works only with web pages (no application support). Also, a user has to authenticate with the system only once using a password; thereafter, using the system requires only a keystroke (Shift+Ctrl+G) to autopopulate web authentication fields. If someone sits down at my computer after I authenticate with the security subsystem, any of the sites I've trusted to the subsystem can easily be accessed.
USB Fingerprint Sensors
Several consumer-grade fingerprint readers have appeared on the market in the last few years. Two popular models—one sold under the Microsoft logo and the other by APC—are available from many retail outlets for under $50. Both sensors are minimally sized and connect to a PC via USB. The following figure shows both the APC and Microsoft reader side by side for comparison.
Many other peripherals now have integrated fingerprint sensors in their design: keyboards, mice, flash drives, PDAs, and even the IBM/Lenovo Thinkpads. All these devices work basically the same way and use similar software to drive the device. The software operates as follows:
You register one or more fingerprints by placing a finger on the device and having it read several times (to verify that it was read correctly).
You store your password in the software by accessing a site requiring a password and entering the account information and password into the fingerprint software. You can also enter the information directly into the web page and tell the software you have done so.
When accessing a saved site, you can press a registered finger against the scanner. The software automatically populates the page with the appropriate saved credentials.
Overall, the fingerprint readers offer an elegant solution to the password problem. However, it's the client software that presents problems, both in usability and overall security.
Although most of the software packaged with the reader has similar functionality, the devil is in the details of how that functionality is implemented. Some examples of bad or incomplete design include these:
The Microsoft reader comes bundled with a crippled version of Digital Persona's Password Manager that works only with web pages. There is no support for applications or OS login.
The APC reader comes with Softex's OmniPass software. The software allows you to use the fingerprint reader or your Windows password to auto-login to web sites and applications as well as access the password vault. Relying on the Windows password for security is poor practice. I'd have preferred to be able to shut off that option and have it rely solely on fingerprint recognition.
OmniPass pops up an authentication dialog box (shown in the following figure) every time I visit a stored site. Although usually I want it to be ready to accept my authentication and log me in, occasionally I don't want its involvement, and the dialog box is a mere nuisance. (The dialog box can be quickly dispatched by pressing the Esc key.) I'd prefer a less-obtrusive approach.