Is Biometrics Ready as a Security Solution for Enterprises?

UPEK has partnered with Dell, Toshiba, Lenovo and others to push biometric authentication and biometric device security deeper into the enterprise. Now UPEK is pushing biometrics devices and biometric security as mechanisms for online authentication. Are enterprise business customers ready to begin widespread adoption of biometric devices and biometric security technologies?

To hear some tell it, all signs are pointing to an era when biometrics will be a key element of authentication for enterprises. Just how close that era is depends on who you ask.

For companies like UPEK, the time for biometrics is now. The company strategy has involved partnering with notebook vendors such as Dell, Lenovo and Toshiba to embed its fingerprint scanning technology into laptops. Now, UPEK is pushing biometrics as a mechanism for securing online transactions.

"A set of Web components can be dropped into any existing Web site that will then allow the user to authenticate using his fingerprint, assuming the user has the appropriate hardware, instead of a password," said Bill Bockwoldt, director of software solutions at UPEK.

The service, Bockwoldt explained, is built on industry-standard SAML (Security Assertion Markup Language) tokens to enable integration with existing identity management and access tools. At the moment, UPEK is demonstrating the online authentication service to Web services providers.

Still, talk of using biometrics for Web authentication raises fears about MITM (man in the middle) attacks where the biometric token could be intercepted. According to UPEK, the online authentication service uses the SAML-token infrastructure and encrypts all information passed between the server and local systems. This, in addition to the encryption provided by the SSL (Secure Sockets Layer) pipe, provides two layers of encryption to help prevent MITM attacks, Bockwoldt explained.

"To ensure security at the local machine, each UPEK chip-set solution has a discrete identification and information sent to a device can only be opened by that specific device," he said. "This prevents device swapping or tampering at the local level."

A company called Pay By Touch launched a similar service called TrueMe in 2006. However, Pay By Touch, which specialized in using biometric authentication for financial transactions, folded earlier in 2008, raising this question: Are enterprises ready for biometrics in a big way?

According to Forrester Research analyst Geoffrey Turner, enterprises are five to 10 years away from hopping on board the biometrics train wholesale. Government support for biometrics-as illustrated by the U.S. government's Homeland Security Presidential Directive 12, which requires that federal agencies issue a credential to employees for accessing logical and physical resources-and the requirements of FIPS (Federal Information Processing Standards Publication) 201 will speed enterprise adoption by providing an example by which different biometrics technologies can be judged, he said.

"So I think the handwriting on the wall is that if the governments of the world are beginning to implement biometric as the default authentication to proving who you are, then that ubiquitous availability of both the credential and the availability of commercial products to make use of that credential are going to make biometric authentication credentials across the board default in the ... five-to-10-year time frame," Turner said.

But before biometrics can be widely adopted by enterprises, vendors have to overcome public fears of a loss of privacy, particularly in the United States. In certain use cases, there is also concern about the prospect of errors when large numbers of people have to be authenticated.

Bob Blakley, vice president and research director at the Burton Group, opined that there are other, more cost-effective, answers to password security and management problems than biometrics. The first step, he said, is simply to reduce the number of log-ins people need.

"Third-party authentication methods like Kerberos help do this; so do information card systems like Microsoft Windows CardSpace [and] so do single sign-on systems," Blakley noted. "All of these systems, of course, aggregate risk at the point of initial log-in, so that point needs to be strongly defended. The second step should be to replace the initial log-in password with something which is stronger-a cryptographic key which resides and is used on the client, or a time-variant secret like a one-time password. Open-source versions of both information cards (the Higgins project) and one-time passwords (OATH) are available, so the cost of these schemes is all in design and deployment."

Two somewhat promising configurations for broad use in a server-based deployment are voice biometrics and keystroke dynamics, he said.

"A better configuration is using a biometric to unlock a personal device and using the device as a strong authenticator using a cryptographic protocol, a one-time password mechanism or some other strong authentication technology," he said.