Biometrics: Getting Back to Business

After 9/11, public-sector interest in biometrics spiked, but standards and stringent scalability testing are still needed to trigger widespread corporate adoption.

People and passwords—in the long run, they just don't work very effectively together. At least that's what Phil Fowler, vice president of IT at Telesis Community Credit Union, a Chatsworth, Calif.-based financial services provider that manages $1.2 billion in assets, found out. His team ran a network password cracker as part of an enterprise security audit last year to see if employees were adhering to Telesis' password policies. They weren't.

"Within 30 seconds, we had identified probably 80% of people's passwords," says Fowler, whose group immediately asked employees to create strong passwords that adhered to the security requirements. A few days later, the team ran the password cracker again: This time, they cracked 70%.

"We couldn't get [employees] to maintain strong passwords, and those that did forgot them, so the help desk would have to reset them," says Fowler. Telesis decided to secure network and application access with a biometric system that eliminated the need for user IDs and passwords, opting for the DigitalPersona fingerprint system from DigitalPersona Inc. in Redwood City, Calif.

The use of biometrics—the mathematical analysis of characteristics such as fingerprints, veins in irises and retinas, and voice patterns—as a way to authenticate users' identities has been a topic of discussion for years. Early commercial success stories have largely come from applying biometrics to projects with provable returns on investment: time and attendance, password reduction and reset, and physical access control. Though biometric work remains primarily in the pilot stages, the events of 9/11 pushed emerging commercial products to center stage—a spot some say they weren't ready to claim. Vendor focus shifted from the private sector toward the huge contracts many expected would be awarded in the public sector, say observers.

The attacks on 9/11 "brought focus to what was going on in biometrics, and [vendors] switched gears. Where previously they were thinking about [biometrics] for enterprise access, they decided government contracts were the next gold mine and jumped on that," says C. Maxine Most, president of Acuity Market Intelligence in Boulder, Colo.

[Photo: Phil Fowler, vice president of IT at Telesis Community Credit Union. Image Credit: Manuello Paganelli]

The problem with this strategy, she says, is that commercial biometric systems aren't standardized and haven't been tested in large-scale implementations of the type federal agencies are undertaking, such as the US-VISIT and Transportation Worker Identification Credential projects.

Samir Nanavati, a partner at International Biometric Group LLC, a consultancy in New York, says the problem was more a lack of public-sector readiness than technology shortfalls.

"In 2001, the private sector was aggressively researching and testing biometrics, and the public sector had a couple of projects," Nanavati says. "After September, the biometrics industry reread the whole landscape and decided to gravitate toward the public sector, going after a market that wasn't ready for them." But, he adds, there are plenty of smaller stories of "biometrics hitting the bottom line" in the private sector.

Finger on Access

That has been the case for Telesis, which has rolled out fingerprint-based network and systems access technology in its headquarters and credit-union branches. Once Telesis has thoroughly tested the system, the company will deploy it in the offices of Business Partners LLC, its business loan services partner. Users no longer need to remember IDs and passwords because DigitalPersona authenticates enrolled personnel via fingerprint scanners, tying the fingerprints to 256-character passwords that it randomly generates every 45 days.

Fowler says Telesis looked at a single sign-on application but was uncomfortable with the idea that one authentication would provide access to the network and all connected applications. With the current deployment, employees touch their scanners to gain access to each application they use, including homegrown and third-party Web-based applications.

The system is already integrated with Microsoft Corp.'s Active Directory for network access, and fingerprint profiles are encrypted and stored directly in Active Directory, relieving worries Telesis had that they might be stored as images that could be compromised. Telesis' IT department is reviewing applications that require ID and password sign-ons and creating profiles for them in the DigitalPersona server.
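An added illustration (not DigitalPersona's code) of the arrangement described above, in which the fingerprint match is only a local gate and the credential actually presented to the directory is a machine-generated 256-character password rotated every 45 days, with only a digest of the template kept rather than an image; all names, the integer day counter and the exact-match stand-in for a real similarity matcher are assumptions:

```python
import hashlib
import secrets
import string
import time
from dataclasses import dataclass, field

ROTATION_DAYS = 45    # rotation period cited for the Telesis deployment
PASSWORD_LEN = 256    # length of the generated directory password
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def today() -> int:
    """Current day number (days since the Unix epoch); ints keep the example simple."""
    return int(time.time() // 86400)


@dataclass
class Enrollment:
    template_digest: str        # digest of the extracted template, never an image
    password: str               # the only credential the directory ever sees
    issued_day: int
    history: list = field(default_factory=list)


def template_digest(template: bytes) -> str:
    # Storing a digest of the minutiae template means a leaked record
    # cannot be turned back into a usable fingerprint image.
    return hashlib.sha256(template).hexdigest()


def new_password() -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def enroll(template: bytes, day: int) -> Enrollment:
    return Enrollment(template_digest(template), new_password(), day)


def rotation_due(e: Enrollment, day: int) -> bool:
    return day - e.issued_day >= ROTATION_DAYS


def authenticate(e: Enrollment, presented: bytes, day: int):
    """Return the password to hand to the directory, or None if the scan fails.
    A real matcher scores similarity against a threshold; exact digest equality
    stands in for that here (assumption). The first successful authentication
    after the 45-day window retires the old password and issues a fresh one."""
    if not secrets.compare_digest(template_digest(presented), e.template_digest):
        return None
    if rotation_due(e, day):
        e.history.append(e.password)
        e.password, e.issued_day = new_password(), day
    return e.password
```

The user never sees or types the 256-character secret, which is why the forgotten-password and help-desk-reset problem described earlier disappears.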

During the deployment's testing phase, Fowler's team encountered a few issues related to mobile workers. For corporate travelers, the company considered equipping laptops with scanners, but most Telesis executives don't carry their laptops unless giving presentations; they prefer to use hotel business centers or Internet cafes to access the corporate intranet. When they do that, they use static but difficult-to-crack passwords.

A second segment of Telesis' mobile population—"roaming" tellers—is another concern, says Fowler. He wants to be able to lock down all workstations so that the Ctrl-Alt-Delete function won't bring up the user ID and password log-in option, but then roamers wouldn't be able to use the teller workstations they need.

Although Fowler says it's difficult to quantify ROI, Telesis is pleased with the streamlined network access, reduced password-reset requests and the improved security ratings audits have found since it adopted DigitalPersona.

Security or Convenience?

The kind of biometric application Telesis is piloting—user authentication for access to computer systems—hasn't thus far seen the adoption rates that many had expected, according to Gartner Inc. analyst Clare Hirst. She adds that she doesn't expect to see many more such deployments before 2010.

"We hear a lot about biometrics, but the reality is that most of the projects are still in pilot stages," Hirst says. The most mature applications of biometric technology are in systems that control physical access to facilities and keep records of time and attendance, she says. "With time and attendance, companies can use finger-, hand- or facial-recognition technology; get rid of access cards and mechanical punch-in [devices]; and it's not a security issue—it's to save money," Hirst says.

Though it's not using biometrics for actual system access, Washington-based Marriott International Inc. is using voice authentication technology to reset the passwords that enable access to its intranet, Active Directory service and several nonproprietary applications, according to Al Sample, senior vice president of client services.

The system, Vocent Password Reset from Vocent Solutions Inc. in Mountain View, Calif., complements existing reset options. Users can also change passwords using PC or Web-based tools, or they can call the help desk. Around a third of the 40,000 Marriott employees who are assigned passwords take advantage of the Vocent option.

The system made sense, says Sample, because it utilizes Marriott's phone system and requires no special hardware. The Vocent application provides two-factor authentication, checking a user's voice patterns against a stored voiceprint while simultaneously verifying user information through voice recognition.

"We capture a voiceprint through a one-time registration, and at the same time, we gather some key information that we use during the password-reset process," says Sample.

Given the costs of manual password resets—Gartner estimates that they cost $10 to $31 per incident—Marriott's self-service deployment has translated into strong savings, says Sample, particularly since IT requires that passwords be changed every 90 days.

"We have a very large [user] base, with more than 30,000 associates, so you can imagine the amount of human intervention required for manual password resets," he says.

Waiting for Standards

The technology behind biometrics represents an emerging commercial market, but adoption of such systems won't really take off until vendors and users agree on standards in areas such as application programming interfaces, common file formats and data interchange.

The scope of massive federal initiatives such as the U.S. Department of Defense's Defense Biometric Identification System demands standardized, interoperable technologies, says David Wennergren, the U.S. Department of the Navy's CIO. He is also chairman of the DOD's Identity, Protection and Management Senior Coordinating Group, which oversees agency groups working with smart cards, public-key infrastructure and biometrics.

The DOD is using fingerprint biometrics as part of an authentication process for providing personnel and associates—4 million people to date—with smart cards for physical and network access. It's also piloting iris- and facial-recognition technologies.

"It's key that we have interoperable systems because everybody's mobile; we can't buy a proprietary biometrics [system] that ultimately only works at one base," says Wennergren, who's based in Crystal City, Va. He cites a recent memo issued by the DOD CIO that mandates that the agency's biometric collection practices align with FBI standards so the agencies can share data.

"When [the DOD] first became big consumers of smart cards, we knew there weren't perfect standards in place, but we were able to leverage our size and work with other agencies and technology providers to help create standards," says Wennergren. He says he hopes that federal agencies will have the same impact in driving biometrics standards.

Gilhooly is a freelance writer in Falmouth, Maine. You can reach her at kymg@maine.rr.com.

[Chart: Biometric Revenue Projections. Source: International Biometric Group LLC, New York]

Copyright © 2005 IDG Communications, Inc.
