Why you can't get a biometric Flash drive that'll work on Windows, Linux, and Mac
Responding to our earlier post about Sony's biometric Micro Vault Flash drive, Dan Kaminsky of Avaya Enterprise Security Practice writes in to explain why it's not so easy to get a biometric USB security device that'll work across different operating systems:
Actually, it's quite difficult to offer cross-platform security (such as passwords or biometrics) on USB storage devices. This is because the standard USB "Mass Storage Device" profile has no provision for preauthentication conversations — the user plugs in, and the OS expects it can execute a standard, unauthenticated disk connect operation and simply mount the file system. To do something more complicated requires platform-specific code to communicate with the user and manage permissions on the device. What many secure devices do is embed that platform-specific program, read-only, on a public partition. This program, when executed, manages all the particular accounting requirements for the private partition. This works OK, but it can sometimes cause problems with file systems (for example, while all operating systems can support the FAT32 file system, neither Linux, OS X, nor XP defaults to it).
Interestingly, biometric authenticators could theoretically operate in a clientless mode — a base computer could have the advanced permissions manager, while accesses anywhere else would require thumbprint authentication before the Mass Storage Device would function correctly. Doing this would require some relatively significant computational power to be embedded into what's physically a relatively dumb device — a USB key — as the mathematics to convert a 128x128 fingerprint into a fuzzy-matchable hash isn't simple by any means.
So, in summary:
1) USB storage devices were never designed to have "secure access modes",
2) Almost all USB tokens that attempt to implement security use platform-specific drivers by necessity, and
3) While it is theoretically possible to implement biometric security in a way that's often relatively transparent to the client, it's certainly not trivial.
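To make concrete what a "fuzzy-matchable hash" of a biometric involves, here is an added toy example (not Kaminsky's, Sony's, or any shipping device's code) of a fuzzy commitment in the style of Juels and Wattenberg: a random codeword is XORed with the template, only the hash of the codeword plus that XOR "helper data" is stored, and a later noisy sample is accepted if error correction pulls it back to the same codeword. The template bits, the repetition code, and the flipped positions are constructed assumptions standing in for real fingerprint features.

```python
import hashlib
import random
import secrets

REP = 5                      # repetition-code length: each secret bit is stored 5 times
SECRET_BITS = 16             # toy key size; a real scheme would use 128 bits or more
TEMPLATE_BITS = REP * SECRET_BITS

def encode(secret):
    """Repetition code: every secret bit becomes REP identical bits."""
    return [b for b in secret for _ in range(REP)]

def decode(codeword):
    """Majority vote per block; corrects up to (REP-1)//2 flipped bits per block."""
    return [int(sum(codeword[i:i + REP]) > REP // 2) for i in range(0, len(codeword), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(template):
    """Store only hash(codeword) and template XOR codeword; the raw template is never kept."""
    secret = [secrets.randbits(1) for _ in range(SECRET_BITS)]
    codeword = encode(secret)
    return digest(codeword), xor(template, codeword)

def verify(stored_hash, helper, sample):
    """sample XOR helper == codeword XOR noise; decoding strips noise the code can absorb."""
    recovered = encode(decode(xor(sample, helper)))
    return digest(recovered) == stored_hash

def flip(bits, positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed stand-in for a fingerprint feature vector (assumption, not real biometric data).
_rng = random.Random(42)
TEMPLATE = [_rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]

def run_demo():
    stored_hash, helper = enroll(TEMPLATE)
    exact = verify(stored_hash, helper, TEMPLATE)
    noisy = verify(stored_hash, helper, flip(TEMPLATE, {0, 1, 5, 6, 79}))   # <= 2 errors per block
    too_noisy = verify(stored_hash, helper, flip(TEMPLATE, {0, 1, 2}))      # 3 errors in block 0
    impostor = verify(stored_hash, helper, [b ^ 1 for b in TEMPLATE])       # every bit differs
    return exact, noisy, too_noisy, impostor

if __name__ == "__main__":
    print(run_demo())   # (True, True, False, False)
```

A repetition code and 16-bit secret are only for illustration; a deployable scheme needs a far stronger code, a much larger secret, and analysis of how much the helper data leaks when template bits are not uniformly random.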