People and passwords -- in the long run, they just don't work very effectively together. At least that's what Phil Fowler, vice president of IT at Telesis Community Credit Union, a financial services provider that manages $US1.2 billion in assets, found out. His team ran a network password cracker as part of an enterprise security audit last year to see if employees were adhering to Telesis' password policies. They weren't.
"Within 30 seconds, we had identified probably 80 percent of people's passwords," says Fowler, whose group immediately asked employees to create strong passwords that adhered to the security requirements. A few days later, the team ran the password cracker again: This time, they cracked 70 percent.
"We couldn't get [employees] to maintain strong passwords, and those that did forgot them, so the helpdesk would have to reset them," Fowler says. Telesis decided to secure network and application access with a biometric system that eliminated the need for user IDs and passwords, opting for the DigitalPersona fingerprint system from DigitalPersona.
The use of biometrics -- the mathematical analysis of characteristics such as fingerprints, veins in irises and retinas, and voice patterns -- as a way to authenticate users' identities has been a topic of discussion for years. Early commercial success stories have largely come from applying biometrics to projects with provable returns on investment: time and attendance, password reduction and reset, and physical access control. Though biometric work remains primarily in the pilot stages, the events of 9/11 pushed emerging commercial products to centre stage -- a spot some say they weren't ready to claim. Vendor focus shifted from the private sector toward the huge contracts many expected would be awarded in the public sector, observers say.
The attacks on 9/11 "brought focus to what was going on in biometrics, and [vendors] switched gears. Where previously they were thinking about [biometrics] for enterprise access, they decided government contracts were the next gold mine and jumped on that," says Maxine Most, president of Acuity Market Intelligence.
The problem with this strategy, she says, is that commercial biometric systems aren't standardized and haven't been tested in large-scale implementations of the type federal agencies in the US are undertaking, such as the US-VISIT and Transportation Worker Identification Credential projects.
Samir Nanavati, a partner at International Biometric Group, a consultancy in New York, says the problem was more a lack of public-sector readiness than technology shortfalls.
"In 2001, the private sector was aggressively researching and testing biometrics, and the public sector had a couple of projects," Nanavati says. "After September, the biometrics industry reread the whole landscape and decided to gravitate toward the public sector, going after a market that wasn't ready for them." But, he adds, there are plenty of smaller stories of "biometrics hitting the bottom line" in the private sector.
Finger on access
That has been the case for Telesis, which has rolled out fingerprint-based network and systems access technology in its headquarters and credit-union branches. Once Telesis has thoroughly tested the system, the company will deploy it in the offices of Business Partners, its business loan services partner. Users no longer need to remember IDs and passwords because DigitalPersona authenticates enrolled personnel via fingerprint scanners, tying the fingerprints to 256-character passwords that it randomly generates every 45 days.
Fowler says Telesis looked at a single sign-on application but was uncomfortable with the idea that one authentication would provide access to the network and all connected applications. With the current deployment, employees touch their scanners to gain access to each application they use, including homegrown and third-party Web-based applications.
The system is already integrated with Microsoft's Active Directory for network access, and fingerprint profiles are encrypted and stored directly in Active Directory, relieving worries Telesis had that they might be stored as images that could be compromised. Telesis' IT department is reviewing applications that require ID and password sign-ons and creating profiles for them in the DigitalPersona server.
During the deployment's testing phase, Fowler's team encountered a few issues related to mobile workers. For corporate travellers, the company considered equipping laptops with scanners, but most Telesis executives don't carry their laptops unless giving presentations; they prefer to use hotel business centres or Internet cafes to access the corporate intranet. When they do that, they use static but difficult-to-crack passwords.
Another segment of Telesis' mobile population -- "roaming" tellers -- are another concern, Fowler says. He wants to be able to lock down all workstations so that the Ctrl-Alt-Delete function won't bring up the user ID and password log-in option, but then roamers wouldn't be able to use the teller workstations they need.
Although Fowler says it's difficult to quantify ROI, Telesis is pleased with the streamlined network access, reduced password-reset requests and the improved security ratings audits have found since it adopted DigitalPersona.
Security or convenience?
The kind of biometric application Telesis is piloting -- user authentication for access to computer systems -- hasn't thus far seen the adoption rates that many had expected, according to Gartner analyst Clare Hirst. She adds that she doesn't expect to see many more such deployments before 2010.
"We hear a lot about biometrics, but the reality is that most of the projects are still in pilot stages," Hirst says. The most mature applications of biometric technology are in systems that control physical access to facilities and keep records of time and attendance, she says. "With time and attendance, companies can use finger-, hand- or facial-recognition technology; get rid of access cards and mechanical punch-in [devices]; and it's not a security issue -- it's to save money," Hirst says.
Though it's not using biometrics for actual system access, Marriott International is using voice authentication technology to reset the passwords that enable access to its intranet, Active Directory service and several nonproprietary applications, according to Al Sample, senior vice president of client services.
The system, Vocent Password Reset from Vocent Solutions complements existing reset options. Users can also change passwords using PC or Web-based tools, or they can call the help desk. Around a third of the 40,000 Marriott employees who are assigned passwords take advantage of the Vocent option.
The system made sense, Sample says, because it utilizes Marriott's phone system and requires no special hardware. The Vocent application provides two-factor authentication, checking a user's voice patterns against a stored voiceprint while simultaneously verifying user information through voice recognition.
"We capture a voiceprint through a one-time registration, and at the same time, we gather some key information that we use during the password-reset process," Sample says.
Given the costs of manual password resets -- Gartner estimates that they cost $US10 to $31 per incident -- Marriott's self-service deployment has translated into strong savings, Sample says, particularly since IT requires that passwords be changed every 90 days.
"We have a very large user base, with more than 30,000 associates, so you can imagine the amount of human intervention required for manual password resets," he says.
Waiting for standards
The technology behind biometrics represents an emerging commercial market, but adoption of such systems won't really take off until vendors and users agree on standards in areas such as application programming interfaces, common file formats and data interchange.
The scope of massive federal initiatives such as the US Department of Defense's DefenCe Biometric Identification System demands standardized, interoperable technologies, says David Wennergren, the US Department of the Navy's CIO. He is also chairman of the DoD's Identity, Protection and Management Senior Coordinating Group, which oversees agency groups working with smart cards, public-key infrastructure and biometrics.
The DoD is using fingerprint biometrics as part of an authentication process for providing personnel and associates -- four million people to date -- with smart cards for physical and network access. It's also piloting iris- and facial-recognition technologies.
"It's key that we have interoperable systems because everybody's mobile; we can't buy a proprietary biometrics system that ultimately only works at one base," Wennergren says. He cites a recent memo issued by the DoD CIO that mandates that the agency's biometric collection practices align with FBI standards so the agencies can share data.
"When [the DoD] first became big consumers of smart cards, we knew there weren't perfect standards in place, but we were able to leverage our size and work with other agencies and technology providers to help create standards," Wennergren says. He says he hopes that federal agencies will have the same impact in driving biometrics standards.
I want to read your hand
Arguments abound over which biometric system provides the most accurate identification, but accuracy is only one of the factors driving technology decisions. The ways and the places in which people do business affect the biometrics which businesses deploy.
First, there's the little matter of concerns over privacy that recent events have exacerbated. Then there's the perceived or real intrusiveness of the type of technology deployed, where it's deployed and who's deploying it. A person might not mind putting his hand in a reader but he might object to having his retina scanned.
Then there are straightforward technological issues. For example, voice authentication systems can be hindered by background noise, while an individual's fingerprint can be compromised by working conditions.
At one university, for instance, a biometric pilot at the dental school revealed that fingerprint technology probably wouldn't be suitable. "Dental students get powder residue on their hands from their gloves, and they wash their hands a lot, so the devices didn't work well," says Brian Young, vice president of IT. "We had to set security thresholds so low as to make using the systems not feasible."
At Children's Hospital Boston, Paul Scheib, director of operations and chief information security officer, will deal with similar issues as the information systems division looks to roll out biometric access to 600 workstations to be shared by 4000 clinicians. The hospital has explored retinal scans but is leaning towards fingerprint access so it can deploy keyboards with embedded scanners. Given that workstations are shared and are in easy-to-access locations, a peripheral biometric device that could get removed or lost wouldn't be ideal, Scheib says.