For years, we’ve seen characters
in science fiction movies using a hand, an eye, or voice to gain access to
highly secure areas in a building. The hero always manages to find a way
around these barriers and save the day. It’s not quite so simple, but it’s more
challenging for the hot shot spy to access areas using physical characteristics
than using passwords.
How much of your day is spent helping end-users
track down or reset passwords, or regain access to the network, because they
lost or forgot their passwords or ran into other security issues? What if you
could have extra security and added convenience by not using passwords again?
This no-password technology is here and is growing
rapidly. It is called biometrics,
and with it you’re on your way to becoming a hero like those in the movies.
Biometrics is the use of automated methods of recognizing an
individual based on physical or behavioral characteristics. Common commercial
examples are fingerprint, face, iris, hand geometry, voice and dynamic signature
recognition.
Adopting new technology
Not all cool technology becomes viable. The old
‘build it and they will come’ concept only works if the buyer is looking for
something to solve a business problem. Not just a minor irritant, but a major
pain.
Think about the main motivator behind most of the
technology purchases you make. There is likely a loss of productivity, existing
stress point, or both behind each one.
Password scenarios
In the security world, there is continuing
pressure to make your network more secure. Each layer of additional security
implemented also adds more complexity to the process. One of the major time
wasters for help desk staff is assisting end users with password problems.
Password issues have also become an annoyance for the end user.
Consider three different basic password scenarios.
You operate either with no passwords, simple and same passwords, or complex
ones for logon screens, applications and secure Internet sites. Here are the
rationalizations for the scenarios regarding passwords and their tribulations:
§ No passwords: it’s effortless, but
not secure. It’s an open invitation for hackers and peers, and it’s highly
vulnerable. There are many people using this method today. Startling, but true.
§ Simple or same
passwords for all logons: simple to remember, but not secure, easily
guessed, and leads to havoc if one password is cracked on a system.
§ Complex passwords: these are perceived as
secure, but they’re inconvenient. They can be cracked by patient hackers with a
little help from password generating programs.
Here is a story from the front line involving a
“simple password” usage policy in a particular company. The company’s password
policy for employees was as follows:
1. Use the first initial of the first name,
2. Then the last name
3. Add the number one (1) at the end of the string of characters.
Therefore, Joe Shmo’s
password was “jshmo1.”
This policy applied to all 70-plus employees.
Management’s insecurity, in wanting to know all the passwords, caused this
insecure and inefficient arrangement. They did not see the other side of the
coin: a wicked-minded employee with minimal technical expertise could access
the company’s intellectual property and snoop through it.
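A password-set-time check that would have rejected every password this policy produces, shown as an added example that is not part of the original article. The function names and the sample employee list are constructed for illustration.

```python
import re

def identity_derived_candidates(first, last, username=""):
    """Strings anyone with the staff directory can derive from a person's name."""
    f, l = first.lower(), last.lower()
    bases = {f, l, f + l, l + f, f[:1] + l, l + f[:1], f + l[:1], username.lower()}
    return {b for b in bases if b}  # drop empty strings

def strip_decoration(password):
    """Lowercase and strip leading/trailing digits and symbols (the trailing '1')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())

def is_identity_derived(password, first, last, username=""):
    """True when the password is just a name-based string plus decoration."""
    core = strip_decoration(password)
    return core in identity_derived_candidates(first, last, username)

def company_policy(first, last):
    """The policy from the story: first initial + last name + '1'."""
    return (first[:1] + last + "1").lower()

def audit_policy(employees, policy):
    """Count how many policy-assigned passwords the check rejects."""
    return sum(is_identity_derived(policy(f, l), f, l) for f, l in employees)

# Constructed sample directory (not real people).
EMPLOYEES = [("Joe", "Shmo"), ("Ann", "Example"), ("Sam", "Placeholder")]

if __name__ == "__main__":
    rejected = audit_policy(EMPLOYEES, company_policy)
    print(f"{rejected} of {len(EMPLOYEES)} policy passwords are identity-derived")
    for candidate in ("jshmo1", "JShmo2024!", "correct-horse-battery"):
        verdict = "reject" if is_identity_derived(candidate, "Joe", "Shmo") else "accept"
        print(f"{candidate!r}: {verdict}")
```

Because every password under the policy is a function of public directory data, the check rejects all of them, which is the weakness the story describes.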
There is another contributor to the already
complex password issues. It’s bad enough that there are password generator
programs, which enable hackers to crack passwords when they want to infiltrate
a network, even when complex passwords are used on such a network.
This contributor is called social engineering.
People share passwords with their peers, co-workers, friends and bosses. In a
corporate setting, when network break-in issues occur, it creates finger
pointing. Worst of all, it causes the loss of valuable time, money and
resources. Furthermore, company intellectual property is exposed to the wrong
individuals with potentially catastrophic consequences for the company.
If someone breaks into your network, which of the
previously mentioned password issues will come to mind? Most likely, none. The
media and marketing firms have brainwashed the public because they want to
frighten, to promote and to sell security prevention products blocking
outsiders from infiltrating your network.
The reality is there is a good likelihood that the
infiltrator could be working within your department, sitting in an adjacent
office or in the cubicle at the end of the hall, or could even be the person who
greets you every morning and offers you a cup of hot cocoa in the hallway.
As big a problem as passwords are for everyone,
not being able to secure your network is unthinkable.
A more efficient solution
Biometrics is the solution for simplifying these
password security issues. Biometrics provides an additional layer of security,
efficiency and convenience for users and IT administrators. The passwords are
there if you need them. Nevertheless, you can implement a simple policy to use
back-door passwords (say, 30 characters long, so no hacker or program can
easily break them) and use biometric authentication for all logons,
applications and secured Internet sites.
Here are a few facts about most biometric
solutions:
1. In general, it’s a non-intrusive solution. Often people relate biometric
devices to the fingerprint imaging devices used by law enforcement agencies. In
biometrics, during fingerprint enrollment, the fingerprint image is converted
into often-encrypted binary data and stored on the hard drive. Reverse
engineering, to convert this data back into the fingerprint image, is virtually
impossible.
2. It’s easy to set up and to use.
3. A combination of different biometric devices with Boolean authentication
methods can be used for additional layers of security. For example, using a
fingerprint together with iris recognition as methods of authentication, or
even combining them with passwords.
4. It can significantly minimize the cost and the time wasted on administration
and maintenance of password-related issues for IT departments.
5. It maximizes efficiency and convenience by avoiding the need to remember
passwords.
The wide spectrum of industries that have already
adopted biometric solutions is as follows:
§ financial institutions
§ pharmaceuticals
§ small businesses
§ medium and large corporations
§ healthcare industry
§ educational institutions
§ remote corporate employees
§ health clubs
§ government agencies
§ hospitality industry
§ consumer industry
The “password” future is here
Firewalls, virus protection programs, intrusion
detection and prevention, and patches for the vulnerabilities and loopholes in
programs and operating systems are examples of the nuisances we embrace even
though they come with additional costs and headaches.
Biometrics is ready to be embraced by those who
require and understand the benefits of added security (against insiders and
outsiders), efficiency and convenience in our everyday computing experiences.
Just like online transactions, once you start using it, you can’t imagine
returning to the older and inefficient technology. Biometrics adoption is real
and not an underground movement nor a fictional scene from a James Bond movie.
It is the road we will travel.
Discussion: There’s talk that the next step in protected access is passphrases. What do you think?
About the author: Nick Farzanfar, founder of FOQUEST Incorporated, has worked in
research, consultation, recommendation and implementation of advanced
biometrics solutions for organizations of all sizes. He is at the
forefront of educating the market regarding the inefficiencies of passwords as
being the “weakest link in IT infrastructure.” He is working with