New biometric technologies can let agencies tighten access controls to critical systems
By Pete Loshin
Special to GCN
The government needs to keep secrets, whether they are about national security or a citizen's medical records. And most government secrets are kept on computer systems, a fact that can complicate the task of keeping them secret.
The challenge for any secure system is to provide ready access to approved users while keeping unauthorized users out. Increasingly, passwords, or even multiword passphrases, are not enough on their own to do the job.
Biometric devices are popping up more frequently where both security and convenience are necessary. Biometric recognition systems depend on physical traits and characteristics that can be used to identify an individual. The best-known and most commonly used biometric trait for system security is the fingerprint; other traits include the face, retina, iris, speech, handwriting, hand geometry and wrist veins.
Until recently, biometric approaches to access control were priced out of reach for most government uses. The need for accurate scanning devices coupled with the complex algorithms necessary for recognizing and verifying identity made for expensive systems.
But in the past few years, advances in scanning and recognition technologies, along with increases in computer system speeds, have brought biometric security into the ballpark.
You can limit access to secure systems based on what you know, what you have or who you are, or on some combination of the three.
What you know translates to a password used in a challenge and response sequence when attempting to access a system. This is what most users are familiar with. What you have means using a token, card key or other physical tool to access a system.
And what you are means using a physical trait that can uniquely identify a user. When you use two of these, you've got a two-factor access system that should be more secure than single-factor systems; a three-factor system would be the most secure.
Despite simplicity and familiarity, passwords can be easy to subvert if not used correctly. When they are too short or obvious, they can be easily guessed. But when they are too long and involved, users tend to write them down, making them even more easily stolen.
Attackers have been known to shoulder-surf and steal passwords just by watching them being entered. The need for frequent password changes and different passwords for each system tend to exacerbate rather than mitigate these problems.
Tokens have become quite common throughout government agencies to control access to both physical areas and computer systems. When combined with a password, the threat from lost or stolen tokens can be reduced.
The problem with tokens and passwords, even when used in a two-factor system, is that they are only loosely bound to a person's identity. A token may be lost or stolen, a password intercepted or guessed. This is where biometrics comes to the rescue.
Depending on which trait is used, biometric identification systems can be quite effective at controlling access. The advantages of using biometric traits are that they are tightly bound to identity, tend to remain constant and are difficult to fool when properly implemented.
And you won't leave your speech pattern on the kitchen counter at home or forget your fingerprints.
Biometrics do present problems. A false positive, which vendors call a false acceptance, occurs when an impostor fools the system and gets in; a false negative, or false rejection, occurs when an authorized user is not recognized. Every system trades one against the other.
Middle of the road
The trick is to set the matching threshold high enough to screen out impostors, yet low enough that authorized users can pass through without repeated attempts. Some systems can be fine-tuned for accuracy or ease of use. In high-security applications, a system can be adjusted to be so strict about matches that some authorized users may have to submit their fingerprints for scanning two or more times before they are accepted.
In applications where convenience and speed are vital, the threshold can be set lower, with the understanding that the system will be more vulnerable to unauthorized users.
Which trait is most effective to use? For now, fingerprints win, hands down.
Fingerprints have long been accepted as unique identifiers that do not change over time, and reliable fingerprint scanners are available for as little as $100, with prices even lower when bought in quantity.
The greatest drawbacks to using fingerprints are cultural.
Association with criminality and overly intrusive monitoring, as well as the reluctance of people from some societies to touch something that many other people have touched, are frequently cited as objections by vendors of competing biometric products.
Not all people have scannable fingerprints. Members of certain occupational groups, for instance, tend to have problems scanning fingerprints.
In general, though, most other biometric traits are less acceptable for system access control. Some require sensitive and expensive equipment to differentiate among individuals. Facial recognition requires costly optical or thermal sensing devices, and voice recognition requires relatively expensive microphones for reliable control.
Retina scanners depend on lasers to probe the human eye. Iris recognition systems, while less expensive, can still cost $1,000 or more each. Scanning for the shape, size and relative positions of hand and fingers, known as hand geometry, calls for a much larger scanner than does fingerprint scanning. And handwriting, facial characteristics and voice can all change over time and are relatively easy to fool.
Fingerprint biometric systems generally don't store an image of the fingerprint. Instead they extract a template of measured features, typically the positions and orientations of ridge endings and bifurcations, known as minutiae, and that template is what gets stored, often in protected form.
When a user's finger is scanned, the system extracts the same features from the new scan and compares them with the template stored for that user ID in its database. One caveat a buyer should press vendors on: two scans of the same finger never yield identical measurements, so the comparison is a similarity score tested against a threshold, not an exact match. A cryptographic hash of the raw measurements would change with every scan and could not be compared directly. Where a vendor advertises a "secure hash," ask whether it protects the stored template or is actually used for matching, and how.
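As an added illustration of the two points above, the threshold trade-off between false acceptances and false rejections and the reason matching cannot be a straight hash comparison, the following Python is example code written for this edit; it is not a vendor's product code and is not from the article. The minutiae template, the simulated second scan, the greedy matcher (which skips the rotation and translation alignment a real matcher performs) and the genuine and impostor score samples are all constructed for the example, not measurements from any real scanner.

```python
"""Added example: fingerprint template matching and threshold tuning.
All templates and scores below are constructed for illustration."""
import hashlib
import math

# A template is a list of minutiae as (x, y, angle_in_degrees).
# These coordinates are made up; a real extractor derives them from the scan.
ENROLLED = [(12, 40, 30), (55, 18, 120), (70, 66, 200), (33, 80, 95), (90, 25, 310)]
OTHER_FINGER = [(5, 5, 10), (60, 60, 250), (20, 70, 180), (85, 15, 40), (45, 45, 300)]


def rescan(template, dx=1, dy=-1, dtheta=3):
    """Simulate a second scan of the same finger: every measurement shifts a little."""
    return [(x + dx, y + dy, (a + dtheta) % 360) for x, y, a in template]


def exact_hash(template):
    """What a naive 'hash the measurements and compare hashes' design would store."""
    canon = ";".join(f"{x},{y},{a}" for x, y, a in sorted(template))
    return hashlib.sha256(canon.encode()).hexdigest()


def match_score(probe, reference, pos_tol=4.0, angle_tol=10.0):
    """Fraction of reference minutiae that have a probe minutia within tolerance.

    Greedy one-to-one pairing. A production matcher also aligns the two
    templates for rotation and translation first; that step is omitted here.
    """
    used = set()
    hits = 0
    for rx, ry, ra in reference:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue
            dist = math.hypot(px - rx, py - ry)
            dang = abs((pa - ra + 180) % 360 - 180)  # smallest angular difference
            if dist <= pos_tol and dang <= angle_tol:
                used.add(i)
                hits += 1
                break
    return hits / len(reference)


def accept(probe, reference, threshold):
    """The access decision: a similarity score tested against a threshold."""
    return match_score(probe, reference) >= threshold


def error_rates(genuine_scores, impostor_scores, threshold):
    """False acceptance rate (FAR) and false rejection rate (FRR) at one threshold."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


# Constructed score samples: genuine attempts mostly score high, impostors mostly
# low, but the two distributions overlap, which is what forces the trade-off.
GENUINE_SCORES = [0.95, 0.90, 0.85, 0.80, 0.80, 0.75, 0.70, 0.60, 0.55, 0.40]
IMPOSTOR_SCORES = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.45, 0.50, 0.65]


def sweep(thresholds=(0.3, 0.5, 0.6, 0.7, 0.9)):
    """FAR/FRR for each candidate threshold: raising it lowers FAR and raises FRR."""
    return {t: error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t) for t in thresholds}


if __name__ == "__main__":
    second_scan = rescan(ENROLLED)
    print("hashes equal:", exact_hash(second_scan) == exact_hash(ENROLLED))  # False
    print("same finger score:", match_score(second_scan, ENROLLED))  # 1.0
    print("other finger score:", match_score(OTHER_FINGER, ENROLLED))  # 0.0
    for t, (far, frr) in sweep().items():
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
```

Run as a script, the hash comparison fails for the second scan of the enrolled finger while the tolerant matcher scores it 1.0 and the other finger 0.0; the sweep then shows the "middle of the road" problem directly: at a threshold of 0.3 no genuine user is rejected but half the impostor sample gets in, at 0.9 no impostor gets in but eight of ten genuine users are rejected, and the thresholds in between split the difference.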
The products listed in the chart include those that work in one-, two- and three-factor access control systems. Some permit access based only on scanning an authorized fingerprint; some can be used with a password; and some combine a fingerprint scanner with a smart-card reader, capable of providing any of three two-factor combinations or a three-factor combination of fingerprint recognition, a smart card and a password.
All of the devices listed are intended for use with computer systems. Biometric devices that control other kinds of access, such as to buildings, are not included.
Picking a winner
Computer access devices differ in several ways. Some rely on software installed on the controlled computer for processing, database and access control services. Others are autonomous, performing all processing and data storage onboard.
Some are intended for use as standalone devices, controlling access to a single system, although most are designed to be integrated into existing network security infrastructures such as those provided through Microsoft Windows NT 4.0, the Entrust public-key infrastructure or Novell Directory Services.
Almost all biometric products require software to perform the recognition, compare the recognized biometric value with a database, store and access the database, and control what happens after a biometric value is evaluated.
Almost all users want a challenge and response style interaction, in which users are scanned before gaining access to a system.
Many vendors make available an application programming interface, software development kit or other programming tools to allow users to build custom security applications to restrict access.
Choosing the right product is a matter of doing all the research on vendors' products and your own requirements. In a networked environment, you'll need a product that can be integrated with existing single sign-on products and other elements of a security infrastructure.
In a mixed-platform environment, you'll need either a product that can work with all platforms or several products that can interoperate.
Watch for updates
The more vital security is to your mission, the more important it is to scrutinize biometric products for potential security flaws or weaknesses; in particular, ask how the stored templates and the path between the scanner and the host are protected. And keep in touch with vendors; many of those on the chart have announced or are about to roll out updated or new versions of their products.
Digital Persona plans to ship a networked version of its U.are.U fingerprint scanner, and vendors indicated they would be adding to their interface options and platforms.
To find more information on the technology, particularly as biometrics relate to government activities, visit the Biometric Consortium's Web site, at www.biometrics.org.
The consortium serves as a focal point for the government's activities relating to research, development, testing and application of biometric-based personal identification and verification technology.
Pete Loshin, author of Extranet Design and Implementation, writes about networking and can be reached at firstname.lastname@example.org