22
Sun, Dec
3 New Articles

System Sentinel: Biometrics--A Finger on the Pulse?

Security - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times
I mentioned in a recent article on authentication that the use of biometrics for authentication had not yet been widely adopted in the midrange space. But recent technological changes in the area of fingerprint recognition and the focus of some of the providers of these solutions suggest that this area should be revisited.

Using biometrics as an authentication mechanism is appealing in that it offers a practical way to move away from single-level passwords for our more sensitive systems. Successful implementations were in place over 20 years ago, but they seemed to fulfill only niche opportunities, such as guarding mainframes or restricting access to some evil tyrant's lair in a James Bond movie. So what issues need to be overcome before biometrics becomes mainstream, and how near are we to achieving that?

As I mentioned in the previous article, there was a perception that the use of biometrics for authentication had a number of critical downsides that rendered the technology fascinating but impractical. Let's consider those drawbacks as they relate to fingerprint recognition and see what has changed:

Cost

One of the original concerns was that an expensive reader was required in all of the physical locations where the authenticator could possibly need access. Anybody who has recently ordered a new laptop knows that many vendors now offer an upgrade option to include a fingerprint reader. Alternatively, you can now get a USB-connected reader and/or a mouse with an integrated fingerprint scanner at a reasonable cost. With the reader integrated into the mouse, you really don't have to lift a finger!

Support

There was a perception that the resources and time involved in setting up the technology, initializing the appropriate "database" of fingerprints, and training the user was too high. What is the reality? Of course, a well-planned implementation is crucial to the success of the project, but it's not impossible to achieve. Then, on initialization, the user just needs to have his fingerprint captured about three times so that there are multiple "templates" to compare to. The training involves simply telling someone where to place his finger, which doesn't seem like rocket science to me.

False Negatives

Fingerprint reader technology now uses radio frequency (RF) signals to process the live, highly conductive layer of skin beneath the dead layers. The result is that the reader is no longer fooled by dirt or temporary cuts and abrasions on the user's fingers. I know what you are all thinking: What if an unscrupulous competitor cuts off the finger of your lead analyst in order to access your widget product list? First, if you think like this, you really need a vacation. Second, the technology can tell how "live" that finger is because the electrical properties of the skin tissue change as soon as the finger dies or is severed.

Limited User Base

There have been complaints that fingerprinting is less reliable in certain sections of the population, normally those with finer fingerprints, such as the elderly, the young, and some ethnic groups. However, the recent changes in the reader technology have made the systems much more inclusive. Hand in hand with this is continued improvement in the "fuzzy" matching algorithms. What is meant by this is that no matter how hard you try to place your finger in the same place consistently, it will always be slightly different. Fingerprint readers work by comparing the current image with the stored templates and making a decision based upon a very strong likelihood of a match.

False Positives

In a highly publicized (though often disputed) case in 2002, a Japanese researcher managed to fool a fingerprint reader using a mold and gelatin (the same substance used for the manufacture of Gummi Bears). Fortunately, the biometrics industry responded to this and other challenges and developed reader processing that could not be fooled so easily. In the same way, face recognition software improved so that a photo of a face was not sufficient to permit access.

Security

Many potential users have expressed concern that fingerprint recognition systems could store personal data in a way that could be stolen and reused. They noted that something so critically personal (and irreplaceable) as a fingerprint would be difficult to secure in a way that all would be comfortable with. Technology providers reacted to these previous shortcomings and now offer a better solution. As we will see below, the solution to this is using an encrypted template of the fingerprint and storing that template in an extremely safe place.

Another critical area for the acceptance of the technology is the scope of the solution--particularly integration into the enterprise rather than just simplistic access control. The enterprise has many critical authentication points, not just the initial logon. Most organizations need a biometrics solution that is enterprise-focused and secure in and of itself, not just a sexy tool for the users.

I recently talked to a couple of biometrics providers about the new wave of solutions that address these issues. CryptoMetrics of Tuckahoe, New York, stresses the importance of three aspects of this technology: security at the enterprise level, data protection for a traveling executive, and ease of use.

Security at the enterprise level means that, in addition to the initial authentication, there may also need to be a level of sub-authentication at the user-defined layer. In many organizations, a number of critical application or database-level accesses would benefit from another authentication step. CryptoMetrics' FingerSURE solution can be configured to provide that additional level of authentication. To further strengthen this, CryptoMetrics has also included a capability to enforce a supervisor-level authentication after users have authenticated themselves.

For both the enterprise as well as the traveling executive, the security of the biometric identifier is absolutely critical. CryptoMetrics is adamant that the security of the fingerprint template, which is compared against the actual live fingerprint, is the most critical aspect of biometrics acceptance at the enterprise level. According to Greg Chevalier, Senior Vice President of Sales and Strategic Partners, "The FingerSURE product delivers the highest level of data and information asset security in the industry at the user and enterprise level. A unique technology leadership capability is the FingerSURE movement of a private key or digital identity certificate to a trusted biometric device or trusted platform module (TPM). This private key can also be associated with the Microsoft EFS encryption routine provided as part of the Microsoft Windows platform, and most important, the private key can only be used to decrypt data or access systems once a successful biometric authentication takes place."

For CryptoMetrics, another important aspect of adoption is the desire to be device-agnostic; the company does not want its clients to be tied to a particular USB reader device.

In the end, it is impressive to see an organization focusing so hard on doing the right things to make the solution widely acceptable. The nine years that Chevalier spent with IBM gave him a great introduction to the mainframe and midrange marketplace and the high security standards that are expected there.

Another approach being taken by a vendor in this marketplace will warm the hearts of all MC Press readers. Valid Technologies of Boca Raton, Florida, has chosen the most securable of platforms, the i5, to host its new technology, called Valid Secure Systems Authentication (VSSA). VSSA is not an add-on or a shell as it is with PC-level fingerprint systems. It resides on the application level with calls for authentication being securely embedded in the source code of the applications.

Greg Faust, President of Valid, says, "We provide user authentication that is easily bound into applications currently running on virtually any platform and written in virtually any language. The application enabled with a call to VSSA responds to users with a request for authentication, with user input being sent to a central i5 for authentication processes. If authentication is made, the transaction is revalidated, and, if OK, the application is told to proceed as normal. The entire transaction is then kept in a journal on the i5."

The VSSA solution relies upon the user having access to a supported fingerprint reader. Valid has chosen American Power Conversion (APC) as its main partner here. To avoid the historical failure point of spoofing/stealing the fingerprint "image," the credentials are never cached on a local machine and are encrypted within the DB2/400 database to make access much harder for hackers. Obviously, some overhead is necessary to integrate this solution into an organizations' appropriate applications; however, as this is expected to be at only a few discrete points within the enterprise systems, that should not be onerous. A software development kit (SDK) is provided to assist with this task.

Valid's choice of the i5 as its host was important. Faust says, "When we looked to build enterprise authentication solutions, we focused on the enterprise kernel--the transaction--and enterprise needs for security, reliability, and scalability. IBM i5/OS made our authentication host decision easy. The i5 is the most trusted and productive transaction processing system available, and it has the secure implementation of DB2 that makes it the perfect platform for enterprise authentication."

In fact, Valid has taken VSSA to the next logical step by working with my co-author Pat Botz and others from IBM to allow the fingerprint authentication to be an optional front-end to Enterprise Identity Management (EIM) in a single sign-on configuration.

To many organizations, the fact that the technology is better and more relevant to enterprise applications will still not be enough to make the change. However, recent guidance from the Federal Financial Institutions Examination Council (FFIEC) will start to move banks in that direction. On October 12, the FFIEC released new guidelines that call on banks to upgrade from single-factor authentication by adding a second form of authentication during online transactions. As you probably know, many of the current regulations affecting us started life in the financial arena.

Is It Time to Make the Move?

I hope this introduction to the current state of the fingerprint authentication marketplace will encourage some of you to investigate further. Obviously, authentication is only a part of the overall security requirements of an enterprise. In fact, a move away from focusing on perimeter security has been noticed in the security industry recently. Where we used to be slavishly devoted to anti-virus software and firewalls, there is now agreement that appropriate authorization within all levels of the enterprise systems cannot be ignored. And as we have seen here, at least two organizations have focused on the special requirements of authentication at an application level to further strengthen that authorization step.

If these offerings fit your requirements, maybe you can start to reap the well-recognized benefits for users, such as simplicity and the end of the lost password.

Martin Norman is Senior Systems Engineer for SafeStone Technologies, an IBM BP specializing in compliance and identity management. As one of the original developers of SafeStone's security portfolio, Martin has performed security audits and advised on installations for clients throughout the United States and Europe. Martin can be contacted at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: