
Biometrics: Getting Back to Business

After 9/11, public-sector interest in biometrics spiked, but standards and stringent scalability testing are still needed to trigger widespread corporate adoption.
 


May 09, 2005 (Computerworld) -- People and passwords—in the long run, they just don't work very effectively together. At least that's what Phil Fowler, vice president of IT at Telesis Community Credit Union, a Chatsworth, Calif.-based financial services provider that manages $1.2 billion in assets, found out. His team ran a network password cracker as part of an enterprise security audit last year to see if employees were adhering to Telesis' password policies. They weren't.


"Within 30 seconds, we had identified probably 80% of people's passwords," says Fowler, whose group immediately asked employees to create strong passwords that adhered to the security requirements. A few days later, the team ran the password cracker again: This time, they cracked 70%.


"We couldn't get [employees] to maintain strong passwords, and those that did forgot them, so the help desk would have to reset them," says Fowler. Telesis decided to secure network and application access with a biometric system that eliminated the need for user IDs and passwords, opting for the DigitalPersona fingerprint system from DigitalPersona Inc. in Redwood City, Calif.


The use of biometrics—the mathematical analysis of characteristics such as fingerprints, veins in irises and retinas, and voice patterns—as a way to authenticate users' identities has been a topic of discussion for years. Early commercial success stories have largely come from applying biometrics to projects with provable returns on investment: time and attendance, password reduction and reset, and physical access control. Though biometric work remains primarily in the pilot stages, the events of 9/11 pushed emerging commercial products to center stage—a spot some say they weren't ready to claim. Vendor focus shifted from the private sector toward the huge contracts many expected would be awarded in the public sector, say observers.


The attacks on 9/11 "brought focus to what was going on in biometrics, and [vendors] switched gears. Where previously they were thinking about [biometrics] for enterprise access, they decided government contracts were the next gold mine and jumped on that," says C. Maxine Most, president of Acuity Market Intelligence in Boulder, Colo.












Phil Fowler, vice president of IT at Telesis Community Credit Union
Image Credit: Manuello Paganelli

The problem with this strategy, she says, is that commercial biometric systems aren't standardized and haven't been tested in large-scale implementations of the type federal agencies are undertaking, such as the US-VISIT and Transportation Worker Identification Credential projects.


Samir Nanavati, a partner at International Biometric Group LLC, a consultancy in New York, says the problem was more a lack of public-sector readiness than technology shortfalls.


"In 2001, the private sector was aggressively researching and testing biometrics, and the public sector had a couple of projects," Nanavati says. "After September, the biometrics industry reread the whole landscape and decided to gravitate toward the public sector, going after a market that wasn't ready for them." But, he adds, there are plenty of smaller stories of "biometrics hitting the bottom line" in the private sector.

Finger on Access


That has been the case for Telesis, which has rolled out fingerprint-based network and systems access technology in its headquarters and credit-union branches. Once Telesis has thoroughly tested the system, the company will deploy it in the offices of Business Partners LLC, its business loan services partner. Users no longer need to remember IDs and passwords because DigitalPersona authenticates enrolled personnel via fingerprint scanners, tying the fingerprints to 256-character passwords that it randomly generates every 45 days.


Fowler says Telesis looked at a single sign-on application but was uncomfortable with the idea that one authentication would provide access to the network and all connected applications. With the current deployment, employees touch their scanners to gain access to each application they use, including homegrown and third-party Web-based applications.


The system is already integrated with Microsoft Corp.'s Active Directory for network access, and fingerprint profiles are encrypted and stored directly in Active Directory, relieving worries Telesis had that they might be stored as images that could be compromised. Telesis' IT department is reviewing applications that require ID and password sign-ons and creating profiles for them in the DigitalPersona server.


During the deployment's testing phase, Fowler's team encountered a few issues related to mobile workers. For corporate travelers, the company considered equipping laptops with scanners, but most Telesis executives don't carry their laptops unless giving presentations; they prefer to use hotel business centers or Internet cafes to access the corporate intranet. When they do that, they use static but difficult-to-crack passwords.


Another segment of Telesis' mobile population—"roaming" tellers—is another concern, says Fowler. He wants to be able to lock down all workstations so that the Ctrl-Alt-Delete function won't bring up the user ID and password log-in option, but then roamers wouldn't be able to use the teller workstations they need.


Although Fowler says it's difficult to quantify ROI, Telesis is pleased with the streamlined network access, the reduced password-reset requests and the improved security ratings it has received in audits since it adopted DigitalPersona.


Security or Convenience?


The kind of biometric application Telesis is piloting—user authentication for access to computer systems—hasn't thus far seen the adoption rates that many had expected, according to Gartner Inc. analyst Clare Hirst. She adds that she doesn't expect to see many more such deployments before 2010.


"We hear a lot about biometrics, but the reality is that most of the projects are still in pilot stages," Hirst says. The most mature applications of biometric technology are in systems that control physical access to facilities and keep records of time and attendance, she says. "With time and attendance, companies can use finger-, hand- or facial-recognition technology; get rid of access cards and mechanical punch-in [devices]; and it's not a security issue—it's to save money," Hirst says.

Though it's not using biometrics for actual system access, Washington-based Marriott International Inc. is using voice authentication technology to reset the passwords that enable access to its intranet, Active Directory service and several nonproprietary applications, according to Al Sample, senior vice president of client services.


The system, Vocent Password Reset from Vocent Solutions Inc. in Mountain View, Calif., complements existing reset options. Users can also change passwords using PC or Web-based tools, or they can call the help desk. Around a third of the 40,000 Marriott employees who are assigned passwords take advantage of the Vocent option.


The system made sense, says Sample, because it utilizes Marriott's phone system and requires no special hardware. The Vocent application provides two-factor authentication, checking a user's voice patterns against a stored voiceprint while simultaneously verifying user information through voice recognition.


"We capture a voiceprint through a one-time registration, and at the same time, we gather some key information that we use during the password-reset process," says Sample.


Given the costs of manual password resets—Gartner estimates that they cost $10 to $31 per incident—Marriott's self-service deployment has translated into strong savings, says Sample, particularly since IT requires that passwords be changed every 90 days.


"We have a very large [user] base, with more than 30,000 associates, so you can imagine the amount of human intervention required for manual password resets," he says.


Waiting for Standards


The technology behind biometrics represents an emerging commercial market, but adoption of such systems won't really take off until vendors and users agree on standards in areas such as application programming interfaces, common file formats and data interchange.


The scope of massive federal initiatives such as the U.S. Department of Defense's Defense Biometric Identification System demands standardized, interoperable technologies, says David Wennergren, the U.S. Department of the Navy's CIO. He is also chairman of the DOD's Identity, Protection and Management Senior Coordinating Group, which oversees agency groups working with smart cards, public-key infrastructure and biometrics.


The DOD is using fingerprint biometrics as part of an authentication process for providing personnel and associates—4 million people to date—with smart cards for physical and network access. It's also piloting iris- and facial-recognition technologies.


"It's key that we have interoperable systems because everybody's mobile; we can't buy a proprietary biometrics [system] that ultimately only works at one base," says Wennergren, who's based in Crystal City, Va. He cites a recent memo issued by the DOD CIO that mandates that the agency's biometric collection practices align with FBI standards so the agencies can share data.


"When [the DOD] first became big consumers of smart cards, we knew there weren't perfect standards in place, but we were able to leverage our size and work with other agencies and technology providers to help create standards," says Wennergren. He says he hopes that federal agencies will have the same impact in driving biometrics standards.


Gilhooly is a freelance writer in Falmouth, Maine. You can reach her at kymg@maine.rr.com.













Biometric Revenue Projections
Source: International Biometric Group LLC, New York




