
February 2001

Biometric Identification



Your body is your password

Most administrators don't need to look beyond an end user's workstation to find a potential security breach. I'm amazed at how easily I can discover a user's password when I'm seated at that person's workstation. When the user hasn't prominently displayed the phrase on a Post-it Note, I can usually figure out the password by glancing around the cubicle. My attempts to use account policies to tighten password requirements invariably lead to howls of user disapproval—not to mention a rash of locked-out accounts and forgotten passwords.

Until now, I've taken a typical approach to an intractable problem—I've ignored it, hoping a better solution would come along. And I might be in luck. Because of improved technology and lower prices, biometric identification is emerging as a viable alternative. Biometric solutions use unique biological or behavioral characteristics to verify identification, so a person's body literally becomes the password. Such characteristics can't be forgotten, and most are nearly impossible to reproduce, so the biometric method provides a potentially high level of security.

Biometric identification has become somewhat common in areas such as entry-access control. Now, several types of biometric-identification methods are available to secure network access. In most cases, these methods use a combination of hardware and software to identify biologically unique traits such as a user's fingerprint, voice, face, iris, or typing rhythm. (Other methods, such as retina and vein identification, have yet to cross over from securing a door to securing a network logon.)

Fingerprint solutions are the most numerous in today's market. These methods require a hardware device that scans a user's finger or thumb, as well as a software component that compares the scan to a stored image for positive identification. Voice-recognition systems use a sound card, microphone, and software to record and store voice patterns. To thwart intruders' attempts to use a digitally recorded voice, one of these products prompts the user to repeat a set of random digits. Face-recognition systems use a digital camera to capture an image of the user's face, then compare specific dimensions to a previously saved image of that user. Iris scanning uses a similar process but relies on the uniqueness of each person's iris to verify the user's identity.

The only biometric-identification method I've discovered that doesn't rely on additional hardware is Net Nanny Software International's BioPassword. This product recognizes a user's keystroke rhythms as the user types his or her username and password. Even if a password falls into the wrong hands, an intruder must exactly emulate the original user's typing rhythm to gain access.

Although biometric technology is still developing, it's already viable, and some organizations are deploying it. You need to answer several questions to determine whether this solution is right for your company. The most obvious question is whether your organization is willing to spend an additional $100 to $400 per seat—plus separate costs for deployment and training. Administrative overhead is also an unknown: Will biometric systems truly reduce Help desk calls or just change the nature of the calls? (For example, a forgotten password is easier to deal with than a buggy sound card that can't recognize a voice pattern.) What fallback procedure will you implement for logons in the event of hardware failure? Will that fallback procedure present a potential security breach? Can you integrate biometric solutions into the Windows security architecture to permit easy, centralized administration?

Biometric identification shows great promise for patching internal holes in our security fabric. As the technology improves and prices continue to drop, this method will surely become more attractive to more organizations.




Reader Comments
Biometrics are not the answer to the identification/authentication problem. I think you have to listen to what Schneier said in 'Secrets and Lies'. Biometric 'readers' work fine until an attacker steals the electronic signature generated by your fingerprint. Now your signature has been compromised so you have to use another digit. What happens if this is repeated? You could end up having to take your shoes and socks off to log in to your PC.
Biometrics may be fine in closed systems but I can't see them being any more secure than a smart card (or even a good password) in authenticating to public systems and they are a lot more trouble to change.

Robert Taylor January 22, 2001


I tested the BioPassword technology from Net Nanny Software at their demo site at http://www.biopassword.com. Seems fine to add an extra security level. Maybe Microsoft can buy it to prevent their top managers from being victims again of hackers' attacks with their passwords.

Norma Rosado January 29, 2001


Bob, my sentiments exactly! Read what Kurt Seifried from securityportal has to say: http://securityportal.com/closet/closet20010110.html Same scenario. If hackers are gaining access to credit card databases, what's to stop them from gaining access to biometric data? Or, as Kurt suggests, recording it for later use! Guess I'll be hacking off fingers and toes. To me it is just a lot of whitewash. Mark Edwards just related in his newsletter how administrators are failing to apply security patches. Do you think I'll trust them with my biometric info??? Gotta be thankful Germany still has one of the strongest laws supporting personal data security. I doubt we will be using biometrics any time soon. At least not on a volunteer basis.

Bert T. Skaletski February 01, 2001


I have come up with a key smart solution that combines a biometric fingerprint reader and digital cylinder that operates on the CE platform to work with my new server system for home users and small retailers, but there is still a lot of work to be done before I finally develop this solution.

You can check it out at www.ibillboard.com.au

micheal hodgson February 01, 2001


I do not agree with the comments of Bert and Bob regarding biometric data. The major key attribute of a fingerprint reader is that it does not store a picture of a fingerprint, but instead vectorized minutiae that cannot be used to regenerate the original print. Authentication is made by pattern matching. Typically "electronic signatures" or certificates are not created using one's fingerprint or even the patterns, but by using the same algorithms used in smartcards. The Sony FIU-710 is a good example of a slim, fast and usable fingerprint reader with a reasonable amount of RAM to store certificates, CRLs, and so on. Smartcards lack three things: speed, capacity and the most important one: it has plenty of space for the user to write the PIN on it. Today, a 16KB smartcard can only store the pattern of one single finger along with a certificate.

Marcel Wiedemeier February 04, 2001


Marcel, I was not suggesting that the problem is in the comparing of live fingerprint to storage. I meant something to the effect of what is explained here at http://homepage.ntlworld.com/avanti/authenticate.htm

Quote: "Take for example the biometric template matching process. When the user enrols into the system, a biometric template (the data describing their biometric) is created and stored either in a database to be held somewhere on the system, or on a portable token such as a chip card. Upon verification, this template is retrieved and compared against the live sample within a predefined matching tolerance level. If the templates match, then a 'true' message is generated by the matching system, to be used as applicable elsewhere in the process. The degree of possibility that this 'true' message could be discovered, captured, artificially injected or otherwise compromised, might affect our confidence in the authentication process. The overall systems architecture plays a strong part here, in that the biometric matching engine may reside on a back end server, on the client, or perhaps an intermediary. Its precise relationship with directory information and the communication between client (or point of live biometric capture) and host will be important from the overall security perspective. We need to be sure that we are really 'authenticating' the user and not 'authenticating' a message."

My concerns are over the whole of the system. With all the damn security holes in present and FUTURE systems I am not willing to place my trust in the "solution to end all problems!" After long existence our long trusted DNS servers running BIND have fallen to security holes. In the end, it is all about Risk Assessment. How much can you afford to lose? And for the rest there is insurance! LOL

Bert T. Skaletski February 06, 2001
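
The concern in the passage quoted above, that a bare 'true' message can be captured or injected, shown as an added example that is not part of the original comments or of any product discussed here: the matcher compares within a tolerance, then binds its decision to a single-use server nonce with an HMAC. The shared key, the tolerance, the feature vectors and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample data: a toy enrolled template and a hypothetical tolerance.
ENROLLED = [0.12, 0.80, 0.45, 0.33]
TOLERANCE = 0.15
MATCHER_KEY = secrets.token_bytes(32)  # assumed key shared by matcher and server


def _mac(key, user, nonce, decision):
    # Fixed-width nonce and a one-byte decision precede the user name,
    # so the MAC input cannot be re-split into different fields.
    msg = nonce + (b"\x01" if decision else b"\x00") + user.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def matches(template, live, tolerance=TOLERANCE):
    """Compare the live sample to the stored template within a tolerance."""
    return math.dist(template, live) <= tolerance


def matcher_respond(key, user, nonce, template, live):
    """Matcher side: the decision plus a tag tying it to this user and nonce."""
    decision = matches(template, live)
    return decision, _mac(key, user, nonce, decision)


class Server:
    """Relying side: accepts a result only if it is fresh and authentic."""

    def __init__(self, key):
        self.key = key
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def accept(self, user, decision, tag):
        nonce = self.pending.pop(user, None)  # consumed on first use
        if nonce is None:
            return False  # no outstanding challenge: replayed or unsolicited
        expected = _mac(self.key, user, nonce, decision)
        return hmac.compare_digest(tag, expected) and decision
```

A captured result fails on resubmission because its nonce is already spent, and a forged 'true' fails because the tag cannot be computed without the key; the matcher host itself still has to be trusted.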


I want to implement fingerprint identification. But the big problem is that my company has a centralized IT department that supports 200 users in 15 different places in the country. We use SMS 2.0 for remote viewing of users' workstations and servers. Today, if the user is not logged on I click the "send Ctrl+Alt+Del" button, but how is this done if my authentication is my thumb that is 100 miles away?

Mikael Johannisson February 07, 2001


Interesting. How many points will the scan read, and on voice, what happens with a cold or a pulled tooth? Same with a photo. Security is good; the best is not to have a network until it is required.

Yes, the network is the business world and in some homes. But security is a good firewall, password and not changing to the newest at the first drop of a hat. I still use W95 and NT 3.X with the security patches. Cost mostly time and archiving.

HH Wieck February 15, 2001


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.