Deploying biometric devices now a reality
Who hasn’t marveled at the high-tech spy gadgets Q developed for James Bond? Biometric technology was something we once envisioned as only being used in secret facilities and spy agencies, like the CIA or MI6.
In reality, biometric products have been commercially available for more than a decade. “Low-cost” desktop fingerprint scanners appeared on the market as early as 1995, and soon there was a proliferation of biometric companies and advances in cool technologies such as finger, iris, face and voice recognition, and even some not-so-glamorous types, such as smell (body odor) and gait (walking stride).
People and companies became keenly interested in the possible uses of biometrics, making it clear that solutions were needed, not just technology. Vendors quickly responded by demonstrating numerous solutions, including biometric logins, single sign-on, time and attendance, and integration with PKI. Few deployments ever happened, though. While there were significant advances in technology, biometrics was just too hard and expensive to deploy.
Now, finally, this situation has changed and we are seeing biometric products that are very deployable. The big deployment issues facing organizations are security, cost, interoperability and usability. One thing that hasn’t changed much is the difficulty of assessing the security of a biometric solution. A first step is to understand whether the technology is accurate enough for your security needs: how good is it at accepting genuine matches and rejecting impostors?
While biometric performance is quantifiable, vendor claims of false acceptance and false rejection rates are often exaggerated and biased. The details about how many features are captured, or whether the matcher is pattern-based or uses a neural network, and so on, are interesting but not relevant to the performance.
Biometric technology can be treated as a black box — with biometric image samples going in and scores coming out. It is best to turn to independent, third-party technology evaluations that have done the hard work to develop trustworthy comparative numbers based on this black box approach.
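As an added example (not from the original article), here is the black-box evaluation described above carried out on constructed score lists: the false accept and false reject rates at a chosen threshold, the equal error rate, and the rejection cost of demanding a given false accept rate. The score values are made up for illustration.

```python
# Added example: treat the matcher as a black box that emits similarity
# scores in [0, 1] and measure its accuracy from those scores alone.
# Both lists are constructed sample data, not vendor measurements.
GENUINE = [0.91, 0.87, 0.95, 0.78, 0.83, 0.55, 0.89, 0.93, 0.74, 0.62]   # same finger
IMPOSTOR = [0.12, 0.35, 0.28, 0.41, 0.19, 0.64, 0.33, 0.22, 0.47, 0.30]  # different finger


def false_accept_rate(impostor_scores, threshold):
    """Fraction of impostor attempts scored at or above the threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """Fraction of genuine attempts scored below the threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def equal_error_rate(genuine_scores, impostor_scores, steps=100):
    """Sweep thresholds and return (threshold, eer) where FAR and FRR are closest."""
    best = None  # (gap, threshold, eer); the first minimal gap wins
    for i in range(steps + 1):
        t = i / steps
        far = false_accept_rate(impostor_scores, t)
        frr = false_reject_rate(genuine_scores, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def threshold_for_far(genuine_scores, impostor_scores, max_far, steps=100):
    """Lowest threshold whose FAR does not exceed max_far, and the FRR paid for it."""
    for i in range(steps + 1):
        t = i / steps
        if false_accept_rate(impostor_scores, t) <= max_far:
            return t, false_reject_rate(genuine_scores, t)
    return 1.0, 1.0  # no threshold meets the target: reject everything


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.2f} at threshold {t:.2f}")
    t0, frr = threshold_for_far(GENUINE, IMPOSTOR, max_far=0.0)
    print(f"Zero false accepts needs threshold {t0:.2f}, costing FRR {frr:.2f}")
```

The same functions work on any scores a product emits, which is why comparative evaluations can rank matchers without knowing how they work internally.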
The biometric performance is only one dimension of its security. A poor implementation of a product, even with great technology, can still leave an organization with unacceptable security risks. If you can find them, products with security certifications are best. Barring that, there should at least be reviews by industry analysts and respected publications. Fortunately, the industry has matured and a lot of hype has been replaced with scrutiny, allowing well-informed decisions to be made.
Technological advancements have dramatically changed the ability to successfully deploy fingerprint biometrics. Several years ago, fingerprint technology required host computer processing power along with a relatively expensive (around $100) peripheral to scan fingers. Not only does this imply touching every desktop to install biometric software and device drivers, but there are serious security issues that are practically impossible to solve. Any time a host computer is required to manipulate a biometric sample, you expose your authentication data to malicious code. Think of the threat as a Trojan that captures your password, with the additional severe consequence that you cannot change your biometric if it is compromised. Host-based processing of biometric information is now a big security risk, since malicious code and cyber crime are undergoing explosive growth.
Today, fingerprint technology is packed into dedicated chips with inexpensive, high-performance swipe sensors that can handle every part of the biometric processing (image capture, template creation, matching). This advancement has enabled the development of self-contained portable authentication devices that not only process the biometric in a secure environment (within the device) but also provide secure storage for fingerprint templates. While central fingerprint databases caused privacy concerns and were barriers to deployment, these issues no longer exist when biometric information never leaves the device.
Interoperability has taken a quantum leap, but surprisingly not from biometric standards. It used to be that applications needed to become biometrically aware in order to leverage the technology. This meant major software changes, and to do it right, the industry needed standards so that the biometrically-enabled applications could easily use different technology. Lots of effort has gone into biometric standards, but the uptake by applications has been very disappointing.
The irony is that applications are being augmented with biometric authentication without the need to implement biometric standards. This is possible through other (non-biometric) standards that have been widely implemented throughout the industry, namely Microsoft CAPI and PKCS#11. These are cryptographic standards that allow hardware devices (tokens) to be used to enhance the security of crypto operations. The trick is that self-contained biometric authentication devices that also have cryptographic token functionality can be plugged into these interfaces and used as strong authentication tokens.
Applications get biometric authentication for free, without any additional complexity. This is really significant because we suddenly have many off-the-shelf applications (workstation logins, e-mail encryption, SSL Web authentication, enterprise single sign-on, etc.) where biometrics can now be used. By selecting the right biometric product, corporations can contemplate deploying biometric authentication across many applications that support the crypto standards.
Ultimately, it is the end user who will either reject or accept the deployment of biometric technology. Here too there are big changes in usability, above and beyond the performance improvements of the technology. Portable biometric devices allow more mobility and convenience than ever before. The ability to go to any machine, plug in the device and biometrically authenticate to a remote corporate server is a reality today. The fact that a multitude of applications are suddenly biometrically-enabled means that the user has a single, simplified experience. Whether it is digitally signing an e-mail, logging into a workstation, decrypting a file or launching a remote desktop, the authentication to each is the same for the user. When increased security actually becomes easier for a user, you have a winning situation for the user and the corporation.
In the case of fingerprint biometrics, the cost reduction, the development of dedicated chips and the creation of fully portable secure devices are technological advancements that have propelled biometrics to being deployable in the enterprise, with huge gains in security, interoperability and usability. Fingerprint biometrics may have been the first, but may not be the last, to undergo this transformation.