Beyond Passwords: Implementing The Vision continued
5. Biometrics

Perhaps the most well-known biometric method is fingerprint analysis. Fingerprint authentication captures an image of the user's fingerprint, identifies unique points and patterns, and compares them to a biometric template created during an earlier (known valid) scan of the user's fingerprint.

Facial recognition is another well-understood biometric method. For example, the VISecurity BiometricsVIEW toolkit illustrated below translates a facial image into numerical samples that can be used on subsequent scans to authenticate that person. Facial recognition products must overcome differences that change a person's appearance, such as lighting, haircut, glasses, and aging.
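
The enroll-then-compare flow described above, with its sensitivity to changes in appearance, can be sketched as follows. This is an added example, not code from the original primer or from any product it names. The four-value feature vectors, the Euclidean distance measure, and the thresholds are constructed assumptions; real products use their own feature extraction and matching.

```python
import math

def enroll(scans):
    """Average several known-valid scans into the stored template."""
    return [sum(col) / len(scans) for col in zip(*scans)]

def verify(template, scan, threshold):
    """Accept the scan if it lies within `threshold` of the template."""
    return math.dist(template, scan) <= threshold

def error_rates(template, genuine, impostor, threshold):
    """Return (false accept rate, false reject rate) at one threshold."""
    far = sum(verify(template, s, threshold) for s in impostor) / len(impostor)
    frr = sum(not verify(template, s, threshold) for s in genuine) / len(genuine)
    return far, frr

# Constructed data: each scan is reduced to four hypothetical feature values.
ENROLLMENT = [[0.50, 0.20, 0.80, 0.40],
              [0.52, 0.18, 0.78, 0.42],
              [0.48, 0.22, 0.82, 0.38]]
TEMPLATE = enroll(ENROLLMENT)

# Later scans of the enrolled user, drifting further from the template
# (lighting, glasses, aging in the facial case).
GENUINE = [[0.51, 0.21, 0.79, 0.41],
           [0.55, 0.25, 0.75, 0.45],
           [0.60, 0.30, 0.70, 0.50],
           [0.65, 0.35, 0.65, 0.55]]

# Scans from other people; the second happens to resemble the enrolled user.
IMPOSTOR = [[0.10, 0.90, 0.20, 0.70],
            [0.62, 0.08, 0.68, 0.52],
            [0.90, 0.60, 0.30, 0.10],
            [0.30, 0.45, 0.95, 0.20]]

def sweep(thresholds=(0.05, 0.15, 0.25, 0.35, 0.45)):
    """Error rates per threshold: tight rejects the user, loose admits others."""
    return [(t, *error_rates(TEMPLATE, GENUINE, IMPOSTOR, t)) for t in thresholds]

if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold={t:.2f}  false accept={far:.2f}  false reject={frr:.2f}")
```

On this constructed data no threshold gives zero false accepts and zero false rejects at once, which is the tuning trade-off a deployment has to settle for its own risk level.
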
Handwriting (signature) analysis can also be used for biometric authentication. If you've watched CourtTV, you know that each person's handwriting is unique. Analysis may take into account the shape and appearance of a person's signature; parameters like pressure and timing can also be measured when a person signs their name. For example, CIC SignatureOne server and Sign-it client software enable real-time signature capture and verification. Handwritten signature programs like Cryptosign can be used to unlock PDAs, making it harder to steal or use any credentials that might be stored there.

Authentication through iris scanning is possible because every iris (the colored ring around the pupil of your eye) has a unique pattern that is formed during a person's first year and remains the same thereafter. Iris patterns have unique characteristics that can be scanned from a few feet away with a high-resolution camera. Like fingerprints, iris images can be mapped and stored as biometric profiles for future comparison during authentication. Iris scanning is considered highly reliable, with few false positives, although a bit more expensive than some other biometric methods. For example, see Iridian's KnoWho Authentication Server.

Retina scanning is conceptually similar to iris scanning, but analyzes patterns made by blood vessels in the back of the eye. Like iris scanning, retina scanning uses cameras and is highly accurate, but it requires close proximity to the eye and is thus more intrusive.

In comparison, voiceprint recognition is inexpensive and non-intrusive. Voice samples can be easily recorded and compared, evaluating characteristics like tone, pitch, and cadence. On the other hand, a person's voice changes throughout their lifetime, including temporary changes due to illness, hoarseness, etc. Voice samples are readily affected by environmental factors like background noise and distance from the microphone.
For example, see Nuance Verifier, a voice authentication platform used to secure telephone transactions through a combination of voice recognition and PINs. A system like this could be used to add strong authentication to a change request process.

These are just a few of the many biometric authentication methods and products now available. Of these, fingerprint recognition is probably the most commonly deployed biometric authentication method in business networks. However, biometrics in general trail the use of other authentication methods covered in this primer, largely due to cost of deployment. Today, biometrics are more likely to be employed in high-risk scenarios, but if costs drop, they may someday be preferred to other authentication methods. To learn more about biometric authentication and vendors in this field, visit the Biometric Consortium or the International Biometric Industry Association (IBIA) website.

Conclusion

For example, CSC offers Managed Authentication Services that can be based on tokens, smart cards, and biometrics. This provider examines each customer's existing authentication process, the workflow used to issue identities and credentials, and the business systems and services to be protected. CSC then recommends an authentication service to satisfy that customer's specific needs. The managed service includes this up-front analysis, implementation, integration, testing, ongoing administration, help desk support, and end user education.

Ultimately, deciding when and how to upgrade authentication infrastructure requires careful consideration of business needs, implementation costs, ramifications for existing networks and servers, and of course subscriber willingness to pay for new authentication services.

We hope this primer has given you some food for thought about why there's a need for better-than-password authentication, the potential for tapping this need to generate new revenue streams, and places to begin learning about strong authentication products and services.