Introducing convenience to the security process
It's Monday morning. You've arrived at the office following a two-week vacation on the beach. The traffic was lousy and you forgot to set the alarm. The last thing on your mind is work. Sound familiar?
You get to your desk. You turn on the computer. And then you stop.
What was the last password that you registered with IT support?
You frantically type in the name of your partner. Access barred.
You type in the name of your dog. Access barred.
You type in the kids' names. Access barred.
You type in the last four digits of your telephone number. Still no access.
You look at the picture of your favourite soccer team for inspiration, and then you hesitantly type "MANCHESTER UNITED".
By this point, the network has probably recognised you as a potential fraudster and has banned access to your computer. With a sigh, you pick up the telephone and call IT support. With your request logged, there is little you can do but wait for somebody within the IT department to come and re-set your password.
As businesses adopt more electronic processes and security becomes tighter in every part of our lives (access control to our homes, offices, banks etc.), we're all seeing the limitations of passwords and Personal Identification Numbers (PINs). OK, we can often change some of our PINs so that we don't have too many to remember. But try remembering the PIN to set the burglar alarm in your house, your Internet banking code words, your ATM card PIN, and the password for access to your work environment. And that's just half the problem. If you want a code or password to be memorable, you've got to pick something that sticks in your brain easily. Therefore, it's not surprising that you will probably pick a birthday, pets' names, children's names or favourite sports teams for your code. But here's another problem: the fact that most people use such pieces of information, which are often easy to obtain, suggests that a potential criminal could also successfully 'guestimate' an individual's password.
How many business hours are lost by people forgetting their passwords? And how much money is spent on conducting monthly password maintenance work?
According to industry figures released by the Gartner Group, administration costs in a medium-sized network involving 200 users amount to approximately USD 340 per user per year. With such high costs in place, it is hardly surprising that many organisations are now examining alternative methods of security. One alternative could be the use of cards or keys. But these suffer from inherent weaknesses: What methods are in place to ensure that the person accessing an area is who he or she claims to be? And what happens if you lose your card or key? It could take days, or even weeks, to get a replacement.
Another route is the use of biometric technology. Biometrics replaces something we know (such as a password or PIN), or something we have (such as a card or token), with something unique to us (a physical or behavioural characteristic such as face, fingerprint, signature, voice or retina). Unlike passwords, cards and tokens, biometrics have the advantage of being difficult to forge, steal or abuse. The technology has actually been on the international scene for many years. However, it is only in the last four or five years that we have seen real evidence of the growth of the industry. Falling unit prices, combined with increased demands to provide secure authentication that can be backed up with an audit trail of users, have led to a surge in interest on both sides of the Atlantic. Biometrics are currently being used for a range of applications including immigration and access control to banks, prisons and even nuclear facilities. In the low security area of the market, they are proving popular in providing convenience and additional security to the welfare payments, healthcare and computer security markets. In fact, school children in Europe are even reported to have adopted the technology to access food in their school canteens or to borrow books from their library.
As biometrics have moved into the mainstream over the last few years, a surprising number of people have continued to spread myths about the technology. In particular, areas such as privacy, data storage and weaknesses have made headline news, with often incomplete and inaccurate stories. Nobody within the biometrics community is claiming that the technology is 100% foolproof. However, what the community aims to offer is a cost-effective, safe, secure, and convenient alternative to more traditional forms of identification. One way of examining a biometric device is to look at its error rates.
These rates – listed as False Acceptance Rate, False Rejection Rate and Equal Error Rate – are often open to wide interpretation and are also subject to whether trials have taken place in a real world environment or a laboratory environment. Since the beginning of 2002, the media has been critical about the accuracy of biometrics. While there is obviously a cause for concern here, research and development is continuing to ensure that high quality biometric devices can counter the latest criminal techniques. It should of course be remembered that given sufficient time and sufficient motivation, a criminal could override any security device. What we have to ensure, then, is that safeguards are in place to ensure that the cracking of a system requires too much time and effort for a criminal to bother. The industry as a whole is working to reduce the chances of such attacks.
However, it should be remembered that most reported attacks took place in laboratory tests – not in real world environments.
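To make the three error rates concrete, here is an added example (not part of the original article and not IdentAlink code) that computes False Acceptance Rate, False Rejection Rate and Equal Error Rate from match scores, then applies the laboratory-tuned threshold to noisier field captures. All scores are constructed for illustration, and the 0..1 score scale is an assumption.

```python
# Constructed match scores (0..1, higher = closer match); not from any real device.
LAB_GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.86, 0.58]
FIELD_GENUINE = [0.81, 0.62, 0.74, 0.55, 0.69, 0.48, 0.77, 0.60, 0.71, 0.66]
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.63, 0.30, 0.18, 0.55, 0.70, 0.27]


def far(impostor, threshold):
    """False Acceptance Rate: share of impostor attempts accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False Rejection Rate: share of genuine attempts rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine, impostor):
    """Try every observed score as the threshold and keep the one where FAR and
    FRR are closest. Returns (threshold, FAR, FRR, EER); with finite samples the
    curves may not cross exactly, so EER is the mean of the two rates there."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fa, fr = far(impostor, t), frr(genuine, t)
        if best is None or abs(fa - fr) < abs(best[1] - best[2]):
            best = (t, fa, fr)
    t, fa, fr = best
    return t, fa, fr, (fa + fr) / 2


if __name__ == "__main__":
    t, fa, fr, eer = equal_error_rate(LAB_GENUINE, IMPOSTOR)
    print(f"lab: threshold={t:.2f} FAR={fa:.0%} FRR={fr:.0%} EER={eer:.0%}")
    # Same threshold, noisier captures: FAR is unchanged, but genuine users
    # are rejected far more often than the laboratory figure suggests.
    print(f"field at lab threshold: FAR={far(IMPOSTOR, t):.0%} "
          f"FRR={frr(FIELD_GENUINE, t):.0%}")
    # A stricter threshold trades false accepts for false rejects.
    for strict in (0.60, 0.75, 0.90):
        print(f"threshold={strict:.2f} FAR={far(IMPOSTOR, strict):.0%} "
              f"FRR={frr(LAB_GENUINE, strict):.0%}")
```

A quoted error rate is only comparable between devices when the threshold and the test population behind it are stated alongside it.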
In the case of IT Security, biometrics are enjoying strong growth, thanks largely to the increasing availability of low-cost biometric capture devices already integrated into PCs, PDAs and cell phones. A number of peripheral devices currently contain embedded biometrics products, and one of the most popular combinations is the integration of fingerprint scanners into keyboards and mice in standalone systems. Face recognition is also a strong player, as many computers now come with all the necessary hardware (e.g. digital camera) installed. Therefore, individuals need only pay for a software license. From a technology point of view, one area of interest lies in the size and storage of biometric templates. In the case of IT Security, the biometric template size varies depending on the biometric and the algorithm used.
At IdentAlink, both server side and client side verification of the face, iris and fingerprints can be carried out. Client side verification is only used in standalone PCs and requires 650 bytes for a face and 220 bytes for a fingerprint. IdentAlink's BioPassport Enterprise Server side verification (networks, intranets and Internet) represents a higher level of security, as the biometric engine is intelligent and more features are added over time. In such instances, face templates require up to 4200 bytes (6500 bytes if embedded in PKI) and finger templates require 800 bytes (1200 bytes if embedded in PKI). Unlimited templates can be stored on a network server (depending on RAM and storage capacity), and use of server side verification requires no extra money as IdentAlink products operate as a service on any server platform. Moreover, to avoid the potential misuse of personal and biometric data by a fraudster, all information is kept separately and secured by PKI. This means that personal data and the relevant biometric data (template) can only be combined with the consent of the individual involved. In addition to this, a digital signature can be performed without the help of third party trust centres.
This is an exciting time for the biometrics industry. Many years of behind-the-scenes research and development are now paying off, and strong portfolios of biometric solutions are being marketed around the world. With big name organisations now examining and using biometric devices, we can be confident that this is a technology reaching maturity.
About the author:
Elmar Hilgers is the Managing Director and Co-founder of IdentAlink Ltd. Founded in 1997, the company initially provided solutions to the UK healthcare industry for staff security and drug control problems. Using facial and fingerprint recognition technology, IdentAlink Ltd now offers cost effective, secure and reliable identity verification in a variety of global applications. IdentAlink's commitment to research, development and testing ensures that all biometric solutions are constantly improved and enhanced.
The company's products include:
BioPassport Enterprise Server and its modules for various environments.
The BioPassport Enterprise Server is the intelligence behind all of IdentAlink's biometric modules.
The BioPassport BioLogin module replaces the Windows 2000 and Windows XP login procedure. The module enables users to log in to their networked PC with biometrics. The BioPassport BioLogin module supports passwords: this allows the transition of users from logging in with passwords to logging in with their personal biometrics over a period of time. Currently BioPassport BioLogin supports face recognition, fingerprint recognition and a combination of the two. BioPassport BioLogin will automatically request a live image from the appropriate scanner, depending on which biometric was enrolled onto the BioPassport Enterprise Server. All biometric technologies are embedded in PKI and use the SSL protocol.
A range of modules are currently available and form part of the BioPassport Enterprise Server
Enables a user to log in to a Windows 2000 or XP network with biometrics instead of a password.
BioPassport Secure Communication
Enables a user to send and receive digitally signed and encrypted email, only when he or she has been biometrically verified. This module includes an encryption facility for files and entire directories secured with biometrics.
BioPassport Secure Application
Allows replacement of passwords in applications (ERP, QCM, CRM) and files with chosen biometrics.
BioPassport Content Provider
Allows all web site content, such as web mail, to be secured with chosen biometrics.
To find out more about biometrics, surf to: www.identalink.com
Or, contact Elmar Hilgers, IdentAlink Ltd, Rudower Chaussee 29, 12489, Berlin, Germany.
Tel: +49 (0)30 63926973
Fax: +49 (0)30 63926971