November 2005 Issue

Inside Current Issue: Cover Story

Using Biometrics to Authenticate Users in Enterprise Network Environments
By Bill Bockwoldt

As broadband connectivity, Wi-Fi access and high-volume storage capacity become ubiquitous, more and more mobile professionals are carrying sensitive data and accessing corporate networks via notebooks, USB flash drives, PDAs and smartphones. As a result, IT managers are facing the need to securely authenticate mobile individuals in a convenient way that will ensure high user adoption. Authentication can no longer be securely managed with passwords and tokens that can be lost, forgotten, stolen or defeated. Companies spend an estimated $13,798 per year per mobile employee alone on password-related IT support and lost productivity (“Protecting Mobility,” IDC, Roger Kay, July 2003).

Fingerprint biometrics addresses these market needs by offering both improved security and higher convenience, while reducing associated IT support costs.

Benefits of Biometrics
A major benefit of biometric fingerprint technology is the ability to reliably authenticate a unique individual to an electronic device. Whereas passwords and tokens authenticate users based on “what you know” or “what you have,” biometric technology addresses secure authentication directly by verifying “who you are.” In addition, security in the corporate IT environment is only effective if users adopt the new and improved security measures. Recent studies suggest that users are reluctant to create a truly “strong” password, store it safely, and change it at regular intervals (“Survey: Passwords v. Fingerprints,” UPEK, Inc., October 3, 2005).

Biometric fingerprint technology also offers more convenience than existing authentication methods such as passwords because it encourages a repeated action -- swiping your finger -- versus the traditional approach of repeated use of the same password. This subtle but important distinction explains why the adoption of biometric fingerprint solutions for the enterprise environment is gaining mainstream acceptance.

Users tend to choose easy-to-remember passwords, use one password for multiple applications, and write down passwords on sticky notes or documents with obvious titles such as “passwords.doc,” all of which expose opportunities for security breaches. Meanwhile, users of keys, tokens and smartcards are burdened by a growing number of things to carry and applications to manage them.

The use of fingerprint authentication solutions frees users from remembering or carrying these items by giving them access with the simple swipe of a finger. In a growing number of deployment scenarios where fingerprints are used to supplement passwords instead of completely replacing them, long and complex passwords coupled with automatic rotation as well as unique one-time passwords have been implemented to increase security and improve the overall user experience.

Biometric fingerprint technology is quickly becoming a compelling ROI model for reducing IT helpdesk costs associated with password management and the loss of portable authentication devices such as smart cards and tokens. In addition, companies are leveraging the improved data and hardware platform protection capabilities to reduce insurance costs associated with data and hardware theft.

Biometric fingerprint technology has flourished in 2005 with the integration of fingerprint sensors into major notebook brands including IBM/Lenovo, Toshiba, HP, Sony, Acer and NEC. By the end of 2005, nearly all major notebook PC makers will incorporate integrated biometric fingerprint technology. As biometric-enabled platform deployments continue to grow, IT managers are learning how to centrally manage and utilize this new form of authentication and data protection security.

Implementing Biometric Fingerprint Authentication Solutions
The following are key considerations when implementing biometric fingerprint authentication solutions in enterprise network environments:

Security
1. Biometric performance – The quality of biometric fingerprint sensors is measured by three distinct performance metrics:

  • False Accept Rate (FAR) – The percentage chance that a non-authorized user is granted access. This metric measures the security performance of the sensor. Naturally, sensors that prevent unauthorized users from gaining access are key.
  • False Reject Rate (FRR) – The percentage chance that an authorized user is denied access. This metric measures the “convenience” performance of the device by indicating the percentage chance that an authorized user will incorrectly be denied access. Sensors that succeed in recognizing authorized users on their first attempt also bolster security since users are more likely to adopt security measures that are effortless.
  • Failure To Enroll (FTE) – The percentage chance that a user will not be able to successfully enroll with the device. This metric is influenced by the image capture quality of the sensor and the performance of the matching algorithm used to create the fingerprint template. Sensors with a high FTE number will likely have higher corresponding FRR and FAR numbers.

Measuring biometric performance is challenging because it requires testing a wide range of people in multiple environments over extended periods of time. For the many companies that don’t have the resources or budgets to conduct statistically significant testing, a good indicator of biometric performance is to look at the choices of large security-focused companies who have conducted rigorous qualification testing. IBM is an example of a company known for its research competency and rigorous product performance testing.
2. Storage and matching of fingerprint data – A biometric sensor by itself can only capture an image and relies on a host PC (a non-secure environment) to match and possibly store fingerprint data in an offline mode. A more secure alternative is to deploy a fully integrated “chipset” solution containing dedicated hardware for storing and matching fingerprints. A chipset solution delivers “hardware-level” security that is superior to security based on software-only solutions. It can be used to take advantage of the existing security infrastructure on a PC platform through other devices such as the Trusted Platform Module (TPM) to offer stronger data encryption and more secure communications. In the online mode, fingerprint matching and data storage can be performed on a remote server for centralized management and roaming capabilities.
3. Encrypted communications – Security is optimized with the use of encrypted communications between the sensor and host PC. Again, a chipset solution provides stronger encryption capabilities than a sensor alone. The use of communication encryption prevents hacking attempts through “sniffing” and wiretapping at the platform level.
4. Anti-spoofing – Methods for “spoofing” optical and older silicon-based biometric fingerprint sensors have been published on the Internet. Spoofing refers to the act of generating a false acceptance with a “fake” finger to gain unauthorized access. The latest generations of silicon-based sensors generally include anti-spoofing technology for determining the presence of a real vs. fake finger. Any biometric fingerprint sensors being considered for deployment should include anti-spoofing technology.

Convenience
5. Biometric performance – As indicated above, the false reject rate measures the probability that an authorized user is denied access, which will influence the user experience. Security and convenience settings for the biometric sensor can generally be traded off to some degree, so it is important to select a solution that can maximize both at an acceptable level based on the application requirements.
6. Simplified logon interface – Leveraging biometric fingerprint authentication enables numerous security applications on the PC platform to become almost effortless: these include logon protection of the PC at the BIOS and Windows OS levels, encrypting files and folders, logging in to network applications and web accounts, and securing remote access to corporate or public networks.
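
As an added illustration (not part of the original article), the Python sketch below computes FAR, FRR and FTE as defined in item 1, shows the security/convenience trade-off from item 5 by moving the match threshold, and shows why a small test population says little about the true FAR. The score lists, the 0-100 score scale and all function names are constructed for this example, and the confidence bound assumes independent attempts.

```python
import math

# Constructed match scores on an assumed 0-100 scale (higher = closer match).
GENUINE = [91, 88, 95, 79, 84, 90, 62, 87, 93, 81,
           76, 89, 58, 92, 85, 83, 94, 71, 86, 90]   # authorized users
IMPOSTOR = [12, 25, 31, 18, 44, 9, 37, 22, 52, 15,
            28, 61, 19, 33, 7, 26, 40, 14, 30, 21]   # non-authorized users

def far(threshold, impostor=IMPOSTOR):
    """False Accept Rate: share of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False Reject Rate: share of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def fte(enrolled, attempted):
    """Failure To Enroll: share of users who could not create a template."""
    return (attempted - enrolled) / attempted

def lowest_threshold_for_far(max_far, impostor=IMPOSTOR):
    """Most convenient (lowest) threshold whose observed FAR stays within max_far."""
    for t in range(0, 102):          # at t = 101 nothing is accepted, so FAR is 0
        if far(t, impostor) <= max_far:
            return t

def rate_upper_bound(trials, confidence=0.95):
    """Upper bound on the true error rate after zero errors in `trials` attempts."""
    return 1 - (1 - confidence) ** (1 / trials)

def trials_needed(target_rate, confidence=0.95):
    """Error-free independent attempts needed to claim a rate below target_rate."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - target_rate))

if __name__ == "__main__":
    # Tightening the allowed FAR raises the threshold, and with it the FRR.
    for max_far in (0.05, 0.0):
        t = lowest_threshold_for_far(max_far)
        print(f"max FAR {max_far:.0%}: threshold {t}, "
              f"observed FAR {far(t):.0%}, FRR {frr(t):.0%}")
    print(f"FRR at a very strict threshold of 80: {frr(80):.0%}")
    print(f"FTE with 97 of 100 users enrolled: {fte(97, 100):.0%}")
    # Zero false accepts in 20 impostor attempts proves very little:
    print(f"true FAR could still be up to {rate_upper_bound(len(IMPOSTOR)):.1%}")
    print(f"attempts needed to support FAR < 0.01%: {trials_needed(0.0001)}")
```
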

Scalability
7. Remote management – Deploying biometrics-enabled devices throughout a corporate network creates another method by which IT managers can centrally manage user credentials and access policies. Assuming control for password maintenance and rotation has become an ROI opportunity and helped create more streamlined security policies. The advantage for users is that their credentials can “roam” across the network to any station where they log on and provide the necessary access to their applications, data, preferences, etc.
8. Multi-factor authentication – Fingerprint biometrics can complement existing authentication methods such as TPMs, passwords, smartcards and tokens to enable a layered approach to access security. As the number of security layers is increased, the defense against breaches and hacking attempts can rise exponentially.

Ease of integration
9. Complete solution – In an industry with products that have only recently moved into the mainstream, using hardware and software from multiple vendors introduces complexities for integration and support and adds additional cost. By contrast, deploying market-tested end-to-end solutions that are accompanied by integration services ensures the fastest time-to-market and leverages the full capabilities provided through integration with an advanced security architecture.
10. Standard interfaces – Biometric fingerprint modules with standards-based software interfaces enable custom third party application development.

In summary, while the value proposition offered by biometric fingerprint security is becoming increasingly clear, the proper criteria for selecting the right technology are not as well understood. This decision is not simply a matter of purchasing new hardware and software products; it requires a fully integrated solution approach to extending corporate network and platform security. As opportunities for biometrics in the enterprise continue to expand, market leaders will continue to offer innovative, cost-effective approaches to the growing security dilemma.

About the Author:
Bill Bockwoldt manages the Business Development activities for the Notebook and PC Business Segment at UPEK, Inc., a provider of biometric fingerprint security. He has previously held technical roles in the semiconductor, telecommunications and software industries.
