The Problem CIOs realize that passwords are not enough to insulate their networks from hacks. Passwords suffer from two significant problems: Interlopers can easily guess them, and users frequently forget them. And studies show that providing the support necessary to get new passwords to absentminded users costs as much as $300 per year per employee. The HypeEnter biometrics. Both the media and vendors have been showering this up-and-coming $119 million market?which consists of face, voice, fingerprint, hand and eye recognition systems?with oceans of attention, according to Framingham, Mass.-based analyst firm IDC (a sister company to CIO\u2019s publisher, CXO Media). And unlike a password or key-card, users never forget their fingers, voices or eyeballs. The FactsDespite the hype, Earl Perkins, an analyst with Meta Group in New Orleans, says it will take at least another four years before biometric security solutions become mainstream. "If you want millions of people using biometrics, all of the hardware manufacturers and all of the software developers have to agree on a specific programming interface. They\u2019ve been working on a biometric [programming interface] for two years and are nowhere near agreement," says Perkins. But the biggest challenge to biometrics becoming the mainstay of enterprise security is also the biggest headache for CIOs: the logistics and cost of putting a biometric solution on every desktop and laptop in the company. "You have to recognize that having an IT person install the hardware and the software on a broad scale gets to be very expensive," says Chris Christiansen, program vice president of Internet infrastructure and security software at IDC. And while biometrics has been in development for U.S. and European governments for more than 20 years, it\u2019s still not perfect. Some systems are still difficult for humans to use, and they\u2019re subject to error.While substantial challenges remain, some organizations are successfully using biometrics to crack down on fraud and safeguard sensitive information. For example, two nonprofit hospitals in Washington, D.C. (EMC Medical and MedStar Health), use iris scanning technology from Moorestown, N.J.-based Iridian Technologies to control access to patient data and restricted areas of the hospital. "Since we put in our current system back in September, I have not seen a false rejection on anyone," says Craig Feied, director of informatics for emergency services at EMC Medical and MedStar Health. "The last thing we want is a security model that prevents patients from getting the care they need," he says.