Software with Biometrics Makes Passwords Positively Paltry

By Michael Pastore


Establishing identity is the key to creating a secure environment, and even though more information -- and more sensitive information -- is online than ever before, our standards for authenticating users have never been lower.

Whereas access to sensitive information once meant having a key to a building or room, passing a security camera, possibly a human guard, and remaining there while you searched through file cabinets, we now log on to a computer and walk away. The more difficult passwords become and the more frequently they change, the harder they are to remember and the more likely to be written down.

While we struggle to remember the names of children, spouses, and pets we use to access sensitive information, biometric solutions, such as fingerprint, iris, and facial scans, have been relegated mostly to Hollywood.

Thanks to lower price points in the hardware and some clever work by systems integrators, the day when your software prompts you for a fingerprint may come sooner than you expected.

Livelink, a component of the enterprise content management suite from Open Text, is vulnerable to the same password and authentication lapses as most Web-based and desktop software: How does a system know the user who logged in is who he says he is? Drawing on a healthcare background that highlighted identity and privacy issues, Glenn Munroe, a former Open Text services manager, saw an opportunity to alleviate user identity issues in Livelink by adding strong user authentication at an object level (document, file, folder, workflow approval, etc.).

When Munroe started Atlanta-based Knowledge Partners, he teamed up with Eagan, Minn.-based BIO-Key, which develops and licenses biometric finger identification technologies. The result was LiveID, a value-added module for Open Text's Livelink that utilizes a USB-based fingerprint reader for authenticating users.

"Identity management at log-in was not our focus in creating LiveID," Munroe said. "We can work with most any single sign-on (SSO) solution, and didn't want to reinvent the wheel. Our objective was to protect a data repository from the most common weakness of any computer system -- application security compromised by users who walk away from their PC without logging out, or compromised user name and password theft."

It's actually quite simple. "If an object in the Livelink repository has been secured by LiveID and you have rights to that object, you will need to authenticate yourself as the person who is currently logged in in order to be granted access," Munroe said. The fingerprint portion of the authentication is fast, scalable, and not tied to any specific hardware. With the price points for USB fingerprint readers starting to reach less than $100, the cost may not be as far-fetched as you might think.

"We're probably at a turn where a lot of companies are looking at it much more seriously," Munroe said. "There's no shortage of applications for this level of security." Not only can LiveID help secure intellectual property at pharmaceutical firms, but financial statements and earnings reports subject to new government regulations such as Sarbanes-Oxley can also be secured. "I almost see any customer of Open Text having some interest at the departmental level," Munroe said.

Munroe and others on the leading edge of integrating biometrics with software also have to battle misconceptions about accuracy and fallibility. The latest in fingerprint technology approaches 2,000 data points derived from a print, compared to the 40 or 50 from the original FBI AFIS fingerprint system. The authentication process takes just seconds, and while users could conceivably be denied access because of an oily finger or by pressing too hard or too softly, the false acceptance rate -- i.e., the chance you will be given access incorrectly -- approaches odds of one in 200 million, Munroe said.

"Basically, you are going to win the lottery a couple of times before you get let in," he said.

Combining Physical and Virtual Security

Using biometrics also allows physical security and information security to converge into a unified security strategy. Politec, an international IT organization based in Brazil, became involved with identity management when it established a presence in the United States in the late 1990s. On the biometric side, Politec initially worked with iris scans.

"You couldn't make a whole business on biometrics a few years ago," said Politec president Robert Nichels. So Politec began working on the infrastructure side of identity management, bringing in Computer Associates and its eTrust Identity and Access Management Suite nearly two years ago. "For most of our customers, it's beneficial to employ the infrastructure first. The return on investment is in SSO and user provisioning. Biometrics are additional security."

By adding the iris scan technology to the eTrust software platform, Politec has created what it calls "door-to-desktop" identity management. Using a single registration of a user's iris and eTrust as the core platform, users can be authenticated when they walk through doors and log on to networks using cameras at the doors and computers. There are also the additional benefits of audit trails.

Much like the security of yesteryear that meant being physically present, door-to-desktop security can ensure you are in the building before you log on because it can integrate presence with network security. "You can't log in if you haven't walked through the door," Nichels said.
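The presence check described above, sketched as an added example (not Politec's or Computer Associates' code): a logon is allowed only when the user's most recent door event is an entry, and each decision is kept with its reason as an audit record. The event format, the sample data, and the 16-hour staleness limit are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: door events as (timestamp, user, "enter"/"exit").
DOOR_EVENTS = [
    ("2024-03-04T08:01:00", "alice", "enter"),
    ("2024-03-04T12:30:00", "alice", "exit"),
    ("2024-03-04T08:15:00", "bob", "enter"),
]
# Constructed logon attempts as (timestamp, user).
LOGON_ATTEMPTS = [
    ("2024-03-04T08:05:00", "alice"),  # inside the building
    ("2024-03-04T13:00:00", "alice"),  # already walked out
    ("2024-03-04T09:00:00", "carol"),  # never came through a door
    ("2024-03-05T09:00:00", "bob"),    # entry from the previous day
]
# Assumed policy: an entry with no matching exit goes stale after 16 hours,
# so a missed exit scan does not leave the user "present" indefinitely.
MAX_PRESENCE = timedelta(hours=16)


def is_present(user, when, door_events, max_presence=MAX_PRESENCE):
    """Decide whether `user` is in the building at `when`; return (ok, reason)."""
    last = None  # (time, kind) of the user's latest door event at or before `when`
    for ts, who, kind in door_events:
        t = datetime.fromisoformat(ts)
        if who == user and t <= when and (last is None or t > last[0]):
            last = (t, kind)
    if last is None:
        return False, "no door entry on record"
    if last[1] != "enter":
        return False, "last door event was an exit"
    if when - last[0] > max_presence:
        return False, "door entry is stale"
    return True, "present"


def evaluate(attempts, door_events):
    """Return one audit record (timestamp, user, allowed, reason) per attempt."""
    records = []
    for ts, user in attempts:
        ok, reason = is_present(user, datetime.fromisoformat(ts), door_events)
        records.append((ts, user, ok, reason))
    return records


if __name__ == "__main__":
    for record in evaluate(LOGON_ATTEMPTS, DOOR_EVENTS):
        print(record)
```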

In addition to using iris scans, Politec has experience in using fingerprints and hand geometry biometrics, and Nichels said the preferred method of authenticating identity may eventually depend on the client's industry. So far, Politec has focused on healthcare, but the company is beginning to explore opportunities in financial services.

As new technology behind physical security is drawn more to the IT side of the business, Nichels said he expects the two historically separate environments to converge, with biometrics playing a role as the authentication technology.

While the addition of readers and cameras to doors and desktop computer systems will require additional investment, you can put a price on security. Software and networks that aren't secure often aren't used to their potential, and that is money going down the drain.