Using biometrics as an authentication mechanism is appealing in that it offers a practical way to move away from single-level passwords for our more sensitive systems. Successful implementations were in place over 20 years ago, but they seemed to fulfill only niche opportunities, such as guarding mainframes or restricting access to some evil tyrant's lair in a James Bond movie. So what issues need to be overcome before biometrics becomes mainstream, and how near are we to achieving that?
As I mentioned in the previous article, there was a perception that the use of biometrics for authentication had a number of critical downsides that rendered the technology fascinating but impractical. Let's consider those drawbacks as they relate to fingerprint recognition and see what has changed:
Cost
One of the original concerns was that an expensive reader was required in all of the physical locations where the authenticator could possibly need access. Anybody who has recently ordered a new laptop knows that many vendors now offer an upgrade option to include a fingerprint reader. Alternatively, you can now get a USB-connected reader and/or a mouse with an integrated fingerprint scanner at a reasonable cost. With the reader integrated into the mouse, you really don't have to lift a finger!
Support
There was a perception that the resources and time involved in setting up the technology, initializing the appropriate "database" of fingerprints, and training the user was too high. What is the reality? Of course, a well-planned implementation is crucial to the success of the project, but it's not impossible to achieve. Then, on initialization, the user just needs to have his fingerprint captured about three times so that there are multiple "templates" to compare to. The training involves simply telling someone where to place his finger, which doesn't seem like rocket science to me.
False Negatives
Fingerprint reader technology now uses radio frequency (RF) signals to process the live, highly conductive layer of skin beneath the dead layers. The result is that the reader is no longer fooled by dirt or temporary cuts and abrasions on the user's fingers. I know what you are all thinking: What if an unscrupulous competitor cuts off the finger of your lead analyst in order to access your widget product list? First, if you think like this, you really need a vacation. Second, the technology can tell how "live" that finger is because the electrical properties of the skin tissue change as soon as the finger dies or is severed.
Limited User Base
There have been complaints that fingerprinting is less reliable in certain sections of the population, normally those with finer fingerprints, such as the elderly, the young, and some ethnic groups. However, the recent changes in the reader technology have made the systems much more inclusive. Hand in hand with this is continued improvement in the "fuzzy" matching algorithms. That is, no matter how hard you try to place your finger in the same place consistently, each placement will always be slightly different. Fingerprint readers work by comparing the current image with the stored templates and making a decision based upon a very strong likelihood of a match rather than an exact one.
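To make the "fuzzy" comparison concrete, here is a small added illustration (not code from the article or from any vendor it mentions): a toy minutiae matcher that aligns a probe against each of a user's three enrolment captures and accepts only if the best match clears a likelihood threshold. All point coordinates, the tolerance and the threshold are constructed for the example.

```python
from itertools import product

TOLERANCE = 4.0           # two minutiae closer than this (pixels) count as the same
DECISION_THRESHOLD = 0.7  # fraction of probe minutiae that must match to accept

def _dist(a, b):
    return ((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2) ** 0.5

def match_score(probe, template):
    """Highest fraction of probe minutiae that land within TOLERANCE of a
    distinct template minutia, searched over every translation that drops
    one probe point exactly onto one template point."""
    best = 0.0
    for p, t in product(probe, template):
        dx, dy = t[0] - p[0], t[1] - p[1]
        unused = set(template)          # each template minutia may be claimed once
        hits = 0
        for x, y in probe:
            s = (x + dx, y + dy)
            near = [u for u in unused if _dist(s, u) <= TOLERANCE]
            if near:
                unused.remove(min(near, key=lambda u: _dist(s, u)))
                hits += 1
        best = max(best, hits / len(probe))
    return best

def authenticate(probe, enrolled):
    """Accept if the probe matches ANY of the user's stored templates."""
    score = max(match_score(probe, t) for t in enrolled)
    return score >= DECISION_THRESHOLD, score

# Constructed data: three enrolment captures of one finger, each placed a
# little differently (offset, and one minutia missed in the third capture).
BASE = [(10, 10), (40, 12), (25, 30), (60, 45), (15, 55), (50, 70), (35, 80)]
ENROLLED = [
    BASE,
    [(x + 3, y - 2) for x, y in BASE],
    [(x - 1, y + 4) for x, y in BASE[:6]] + [(36, 82)],
]
# Same finger again: shifted by (7, 5), first minutia not detected, one spurious point.
GENUINE_PROBE = [(x + 7, y + 5) for x, y in BASE[1:]] + [(70, 20)]
# A different finger whose minutiae layout shares no pairwise geometry with BASE.
IMPOSTOR_PROBE = [(20 * k, 0) for k in range(7)]

if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)):
        ok, score = authenticate(probe, ENROLLED)
        print(f"{name}: score={score:.2f} accepted={ok}")
```

Raising DECISION_THRESHOLD reduces false positives at the cost of more false negatives, which is exactly the trade-off the next two sections discuss.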
False Positives
In a highly publicized (though often disputed) case in 2002, a Japanese researcher managed to fool a fingerprint reader using a mold and gelatin (the same substance used for the manufacture of Gummi Bears). Fortunately, the biometrics industry responded to this and other challenges and developed reader processing that could not be fooled so easily. In the same way, face recognition software improved so that a photo of a face was not sufficient to permit access.
Security
Many potential users have expressed concern that fingerprint recognition systems could store personal data in a way that could be stolen and reused. They noted that something so critically personal (and irreplaceable) as a fingerprint would be difficult to secure in a way that all would be comfortable with. Technology providers reacted to these previous shortcomings and now offer a better solution. As we will see below, the solution to this is using an encrypted template of the fingerprint and storing that template in an extremely safe place.
Another critical area for the acceptance of the technology is the scope of the solution--particularly integration into the enterprise rather than just simplistic access control. The enterprise has many critical authentication points, not just the initial logon. Most organizations need a biometrics solution that is enterprise-focused and secure in and of itself, not just a sexy tool for the users.
I recently talked to a couple of biometrics providers about the new wave of solutions that address these issues. CryptoMetrics of Tuckahoe, New York, stresses the importance of three aspects of this technology: security at the enterprise level, data protection for a traveling executive, and ease of use.
Security at the enterprise level means that, in addition to the initial authentication, there may also need to be a level of sub-authentication at the user-defined layer. In many organizations, a number of critical application or database-level accesses would benefit from another authentication step. CryptoMetrics' FingerSURE solution can be configured to provide that additional level of authentication. To further strengthen this, CryptoMetrics has also included a capability to enforce a supervisor-level authentication after users have authenticated themselves.
For both the enterprise as well as the traveling executive, the security of the biometric identifier is absolutely critical. CryptoMetrics is adamant that the security of the fingerprint template, which is compared against the actual live fingerprint, is the most critical aspect of biometrics acceptance at the enterprise level. According to Greg Chevalier, Senior Vice President of Sales and Strategic Partners, "The FingerSURE product delivers the highest level of data and information asset security in the industry at the user and enterprise level. A unique technology leadership capability is the FingerSURE movement of a private key or digital identity certificate to a trusted biometric device or trusted platform module (TPM). This private key can also be associated with the Microsoft EFS encryption routine provided as part of the Microsoft Windows platform, and most important, the private key can only be used to decrypt data or access systems once a successful biometric authentication takes place."
For CryptoMetrics, another important aspect of adoption is the desire to be device-agnostic; the company does not want its clients to be tied to a particular USB reader device.
In the end, it is impressive to see an organization focusing so hard on doing the right things to make the solution widely acceptable. The nine years that Chevalier spent with IBM gave him a great introduction to the mainframe and midrange marketplace and the high security standards that are expected there.
Another approach being taken by a vendor in this marketplace will warm the hearts of all MC Press readers. Valid Technologies of Boca Raton, Florida, has chosen the most securable of platforms, the i5, to host its new technology, called Valid Secure Systems Authentication (VSSA). VSSA is not an add-on or a shell, as is the case with PC-level fingerprint systems. It resides at the application level, with the calls for authentication securely embedded in the source code of the applications.
Greg Faust, President of Valid, says, "We provide user authentication that is easily bound into applications currently running on virtually any platform and written in virtually any language. The application enabled with a call to VSSA responds to users with a request for authentication, with user input being sent to a central i5 for authentication processes. If authentication is made, the transaction is revalidated, and, if OK, the application is told to proceed as normal. The entire transaction is then kept in a journal on the i5."
The VSSA solution relies upon the user having access to a supported fingerprint reader. Valid has chosen American Power Conversion (APC) as its main partner here. To avoid the historical failure point of spoofing or stealing the fingerprint "image," the credentials are never cached on a local machine and are encrypted within the DB2/400 database to make access much harder for hackers. Obviously, some overhead is necessary to integrate this solution into an organization's appropriate applications; however, as this is expected to be at only a few discrete points within the enterprise systems, that should not be onerous. A software development kit (SDK) is provided to assist with this task.
Valid's choice of the i5 as its host was important. Faust says, "When we looked to build enterprise authentication solutions, we focused on the enterprise kernel--the transaction--and enterprise needs for security, reliability, and scalability. IBM i5/OS made our authentication host decision easy. The i5 is the most trusted and productive transaction processing system available, and it has the secure implementation of DB2 that makes it the perfect platform for enterprise authentication."
In fact, Valid has taken VSSA to the next logical step by working with my co-author Pat Botz and others from IBM to allow the fingerprint authentication to be an optional front-end to Enterprise Identity Management (EIM) in a single sign-on configuration.
To many organizations, the fact that the technology is better and more relevant to enterprise applications will still not be enough to make the change. However, recent guidance from the Federal Financial Institutions Examination Council (FFIEC) will start to move banks in that direction. On October 12, the FFIEC released new guidelines that call on banks to upgrade from single-factor authentication by adding a second form of authentication during online transactions. As you probably know, many of the current regulations affecting us started life in the financial arena.
Is It Time to Make the Move?
I hope this introduction to the current state of the fingerprint authentication marketplace will encourage some of you to investigate further. Obviously, authentication is only a part of the overall security requirements of an enterprise. In fact, a move away from focusing on perimeter security has been noticed in the security industry recently. Where we used to be slavishly devoted to anti-virus software and firewalls, there is now agreement that appropriate authorization within all levels of the enterprise systems cannot be ignored. And as we have seen here, at least two organizations have focused on the special requirements of authentication at an application level to further strengthen that authorization step.
If these offerings fit your requirements, maybe you can start to reap the well-recognized benefits for users, such as simplicity and the end of the lost password.
Martin Norman is Senior Systems Engineer for SafeStone Technologies, an IBM BP specializing in compliance and identity management. As one of the original developers of SafeStone's security portfolio, Martin has performed security audits and advised on installations for clients throughout the United States and Europe. Martin can be contacted at