COMPUTERWORLD (www.computerworld.com)

Biometrics: Getting Back to Business

After 9/11, public-sector interest in biometrics spiked, but standards and stringent scalability testing are still needed to trigger widespread corporate adoption.

May 9, 2005
By Kym Gilhooly
People and passwords—in the long run, they just don't work very effectively together. At least that's what Phil Fowler, vice president of IT at Telesis Community Credit Union, a Chatsworth, Calif.-based financial services provider that manages $1.2 billion in assets, found out. His team ran a network password cracker as part of an enterprise security audit last year to see if employees were adhering to Telesis' password policies. They weren't.

"Within 30 seconds, we had identified probably 80% of people's passwords," says Fowler, whose group immediately asked employees to create strong passwords that adhered to the security requirements. A few days later, the team ran the password cracker again: This time, they cracked 70%.

"We couldn't get [employees] to maintain strong passwords, and those that did forgot them, so the help desk would have to reset them," says Fowler. Telesis decided to secure network and application access with a biometric system that eliminated the need for user IDs and passwords, opting for the DigitalPersona fingerprint system from DigitalPersona Inc. in Redwood City, Calif.

The use of biometrics—the mathematical analysis of characteristics such as fingerprints, veins in irises and retinas, and voice patterns—as a way to authenticate users' identities has been a topic of discussion for years. Early commercial success stories have largely come from applying biometrics to projects with provable returns on investment: time and attendance, password reduction and reset, and physical access control. Though biometric work remains primarily in the pilot stages, the events of 9/11 pushed emerging commercial products to center stage—a spot some say they weren't ready to claim. Vendor focus shifted from the private sector toward the huge contracts many expected would be awarded in the public sector, say observers.

The attacks on 9/11 "brought focus to what was going on in biometrics, and [vendors] switched gears. Where previously they were thinking about [biometrics] for enterprise access, they decided government contracts were the next gold mine and jumped on that," says C. Maxine Most, president of Acuity Market Intelligence in Boulder, Colo.
The problem with this strategy, she says, is that commercial biometric systems aren't standardized and haven't been tested in large-scale implementations of the type federal agencies are undertaking, such as the US-VISIT and Transportation Worker Identification Credential projects.

Samir Nanavati, a partner at International Biometric Group LLC, a consultancy in New York, says the problem was more a lack of public-sector readiness than technology shortfalls.

"In 2001, the private sector was aggressively researching and testing biometrics, and the public sector had a couple of projects," Nanavati says. "After September, the biometrics industry reread the whole landscape and decided to gravitate toward the public sector, going after a market that wasn't ready for them." But, he adds, there are plenty of smaller stories of "biometrics hitting the bottom line" in the private sector.
Finger on Access

That has been the case for Telesis, which has rolled out fingerprint-based network and systems access technology in its headquarters and credit-union branches. Once Telesis has thoroughly tested the system, the company will deploy it in the offices of Business Partners LLC, its business loan services partner. Users no longer need to remember IDs and passwords because DigitalPersona authenticates enrolled personnel via fingerprint scanners, tying the fingerprints to 256-character passwords that it randomly generates every 45 days.

Fowler says Telesis looked at a single sign-on application but was uncomfortable with the idea that one authentication would provide access to the network and all connected applications. With the current deployment, employees touch their scanners to gain access to each application they use, including homegrown and third-party Web-based applications.

The system is already integrated with Microsoft Corp.'s Active Directory for network access, and fingerprint profiles are encrypted and stored directly in Active Directory, relieving worries Telesis had that they might be stored as images that could be compromised. Telesis' IT department is reviewing applications that require ID and password sign-ons and creating profiles for them in the DigitalPersona server.
During the deployment's testing phase, Fowler's team encountered a few issues related to mobile workers. For corporate travelers, the company considered equipping laptops with scanners, but most Telesis executives don't carry their laptops unless giving presentations; they prefer to use hotel business centers or Internet cafes to access the corporate intranet. When they do that, they use static but difficult-to-crack passwords.

Another segment of Telesis' mobile population, "roaming" tellers, is also a concern, says Fowler. He wants to be able to lock down all workstations so that the Ctrl-Alt-Delete function won't bring up the user ID and password log-in option, but then roamers wouldn't be able to use the teller workstations they need.

Although Fowler says it's difficult to quantify ROI, Telesis is pleased with the streamlined network access, reduced password-reset requests and the improved security ratings audits have found since it adopted DigitalPersona.

Security or Convenience?

The kind of biometric application Telesis is piloting—user authentication for access to computer systems—hasn't thus far seen the adoption rates that many had expected, according to Gartner Inc. analyst Clare Hirst. She adds that she doesn't expect to see many more such deployments before 2010.

"We hear a lot about biometrics, but the reality is that most of the projects are still in pilot stages," Hirst says. The most mature applications of biometric technology are in systems that control physical access to facilities and keep records of time and attendance, she says. "With time and attendance, companies can use finger-, hand- or facial-recognition technology; get rid of access cards and mechanical punch-in [devices]; and it's not a security issue—it's to save money," Hirst says.
Though it's not using biometrics for actual system access, Washington-based Marriott International Inc. is using voice authentication technology to reset the passwords that enable access to its intranet, Active Directory service and several nonproprietary applications, according to Al Sample, senior vice president of client services.

The system, Vocent Password Reset from Vocent Solutions Inc. in Mountain View, Calif., complements existing reset options. Users can also change passwords using PC or Web-based tools, or they can call the help desk. Around a third of the 40,000 Marriott employees who are assigned passwords take advantage of the Vocent option.

The system made sense, says Sample, because it utilizes Marriott's phone system and requires no special hardware. The Vocent application provides two-factor authentication, checking a user's voice patterns against a stored voiceprint while simultaneously verifying user information through voice recognition.

"We capture a voiceprint through a one-time registration, and at the same time, we gather some key information that we use during the password-reset process," says Sample.

Given the costs of manual password resets—Gartner estimates that they cost $10 to $31 per incident—Marriott's self-service deployment has translated into strong savings, says Sample, particularly since IT requires that passwords be changed every 90 days.

"We have a very large [user] base, with more than 30,000 associates, so you can imagine the amount of human intervention required for manual password resets," he says.
Waiting for Standards

The technology behind biometrics represents an emerging commercial market, but adoption of such systems won't really take off until vendors and users agree on standards in areas such as application programming interfaces, common file formats and data interchange.

The scope of massive federal initiatives such as the U.S. Department of Defense's Defense Biometric Identification System demands standardized, interoperable technologies, says David Wennergren, the U.S. Department of the Navy's CIO. He is also chairman of the DOD's Identity, Protection and Management Senior Coordinating Group, which oversees agency groups working with smart cards, public-key infrastructure and biometrics.

The DOD is using fingerprint biometrics as part of an authentication process for providing personnel and associates—4 million people to date—with smart cards for physical and network access. It's also piloting iris- and facial-recognition technologies.

"It's key that we have interoperable systems because everybody's mobile; we can't buy a proprietary biometrics [system] that ultimately only works at one base," says Wennergren, who's based in Crystal City, Va. He cites a recent memo issued by the DOD CIO that mandates that the agency's biometric collection practices align with FBI standards so the agencies can share data.

"When [the DOD] first became big consumers of smart cards, we knew there weren't perfect standards in place, but we were able to leverage our size and work with other agencies and technology providers to help create standards," says Wennergren. He says he hopes that federal agencies will have the same impact in driving biometrics standards.

Gilhooly is a freelance writer in Falmouth, Maine. You can reach her at kymg@maine.rr.com.