Peter Craig, Chief Technical Officer at Delaney, weighs up biometric authentication and the importance of human factors when protecting confidential and sensitive data.

To protect sensitive data, organisations need an authentication solution that is both easy to use and an effective technical control against unauthorised access. Biometric authentication appears to offer some easy answers to this challenge, but does it really work?

What’s the problem with passwords?

Password authentication is a widely used method of identifying users on applications, databases and operating systems.

It is quick to implement, easy to use and widely available. Gartner estimates that each password-related call to the IT helpdesk costs around $50, and that 30 to 50 per cent of helpdesk calls relate to password issues. Password authentication is not only expensive to manage; it is often the weakest link in the security chain.

The easiest way to gain access to sensitive data is often to trick the end-user into revealing their password. There are also external threats from key-loggers, screen-capture software and other malware introduced through known vulnerabilities or social engineering.

There are real internal threats from written-down, guessable and shared passwords. These human factors are the most difficult to manage and pose the greatest threat to an organisation's data security. Do passwords, even complex passwords, really offer adequate protection once the human factors are considered?

Which authentication solution is best?

The common alternatives to passwords are biometric (fingerprint, vein, iris), smartcard and token-based authentication. Organisations commonly deploy these as single-factor, two-factor or multi-factor solutions to obtain increasing degrees of protection.

Because it is easy to use and to deploy, biometric authentication has traditionally had the lowest total cost of ownership. Fingerprint readers, iris scanners and vein readers offer different levels of biometric security.

Fingerprint solutions offer a simple single-factor solution, and certified products offer protection equivalent to a smartcard or token when used as one factor in a two-factor deployment. Iris and face recognition tend to have more specialist applications.

Vein readers are increasingly popular and easy to deploy and use. They are harder to spoof than fingerprint readers: the vein pattern lies beneath the skin and is not left behind on surfaces the way a fingerprint is. Such is the new-found confidence in vein authentication that Poland's Bank BPS SA began a trial in May 2010 of Hitachi vein readers as an alternative to PINs at its ATMs.

Smartcards are often a convenient and easy-to-use authentication mechanism; the retail industry, for example, has widely deployed them for EPOS system authentication. The introduction of PCI DSS encouraged retailers to reconsider the risks of smartcards being shared between staff, as well as of lost and stolen cards.

SecuGen and DigitalPersona OEM fingerprint modules have been widely deployed in EPOS systems from vendors such as Sharp and Toshiba to reduce these risks. Despite the convenience of smartcards, the risks of sharing, loss and theft of cards (and of the passwords or PINs that accompany them in two-factor implementations) remain key obstacles, even in a two-factor deployment.

Multiple factor

Token solutions, such as RSA SecurID, are popular two-factor authentication mechanisms, particularly for remote access. Tokens offer a good level of security by combining a one-time code generated on the hardware token with a user PIN.

The risks of stolen and shared PINs and tokens are real. Users may not use the process often enough to remember their details, and they frequently need it in an emergency or when the helpdesk is unavailable; so they write the PIN or password down.
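How a PIN-plus-token login of the kind described above holds up against a captured passcode, shown here as an added example rather than RSA's or any product's code: the server derives the expected one-time code from a shared seed and an event counter in the RFC 4226 HOTP manner, checks the PIN alongside it, and refuses any counter it has already accepted, so a code harvested by a key-logger is useless once the legitimate user has logged in. The seed and PIN are constructed values (the seed is the RFC 4226 test-vector key), and the `TokenVerifier` class, `hotp` function and look-ahead window are this example's own choices.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not from the article: the seed is the
# RFC 4226 test-vector key, so the codes can be checked against the
# RFC's Appendix D table; the PIN is arbitrary.
DEMO_SEED = b"12345678901234567890"
DEMO_PIN = "4711"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TokenVerifier:
    """Server side of a PIN-plus-token login for one user.

    The last accepted counter is stored so a captured passcode cannot be
    replayed; a small look-ahead window tolerates codes that were
    generated on the token but never submitted."""

    def __init__(self, seed: bytes, pin: str, window: int = 5) -> None:
        self.seed = seed
        # Store a hash of the PIN rather than the PIN itself. A real
        # deployment would use a salted password hash (scrypt, bcrypt).
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.window = window
        self.last_counter = -1

    def verify(self, passcode: str) -> bool:
        """passcode is the PIN followed by the 6-digit token code."""
        pin, code = passcode[:-6], passcode[-6:]
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)

        # Scan the whole window every time, whatever the PIN result, so
        # timing does not reveal which factor failed.
        matched = None
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                matched = c
        if not pin_ok or matched is None:
            return False

        # Consume this counter and any skipped ones: the same code, or an
        # older one harvested by a key-logger, will not be accepted again.
        self.last_counter = matched
        return True


def demo_token_login() -> list:
    """Walk through a genuine login, a replay of the same passcode, a stolen
    token with the wrong PIN, and a later code; returns the four verdicts."""
    v = TokenVerifier(DEMO_SEED, DEMO_PIN)
    first = v.verify(DEMO_PIN + hotp(DEMO_SEED, 0))   # genuine login
    replay = v.verify(DEMO_PIN + hotp(DEMO_SEED, 0))  # captured passcode replayed
    bad_pin = v.verify("0000" + hotp(DEMO_SEED, 1))   # token stolen, PIN unknown
    later = v.verify(DEMO_PIN + hotp(DEMO_SEED, 2))   # user skipped one code
    return [first, replay, bad_pin, later]


if __name__ == "__main__":
    print(demo_token_login())  # [True, False, False, True]
```

The replay protection comes entirely from the server remembering the last counter it accepted; the PIN adds the second factor, so a stolen token alone fails in the third case and a shoulder-surfed PIN alone fails because the attacker has no valid code.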

In September 2010, DigitalPersona launched DP Pro 5.0 that offers a software token generator delivered via mobile smart-phones.

The 'virtual PIN' is released by the fingerprint swipe, so there is nothing for the user to forget, write down or share. It is potentially a strong challenger to the traditional dominance of token solutions for remote access, especially when packaged with whole-disk encryption.

Lastly, there are multi-factor authentication solutions such as Authasas’s Advanced Authentication and M2SYS Hybrid solution. Authasas offers a complete range of token, smartcard and biometric authentication options to meet legacy and operational requirements.

Acting as a central authentication server, and without expanding the Active Directory tree, it delivers secure single-factor or two-factor sign-on for Windows, Lotus Notes, SAP, Citrix, Oracle and SWIFT payment systems, to name a few.

Does biometric authentication work?

The answer is certainly yes. Biometric myths such as the use of severed body parts make good Hollywood scripts but are largely irrelevant to commercial deployments: a fingerprint from a severed finger becomes unusable within minutes, the iris clouds quickly after death, and certified readers include liveness checks in any case.

Earlier problems reading the fingerprints of some ethnic groups and of children have largely been addressed by improvements in sensor resolution and image quality. In fact, children using library systems and cashless catering are among the biggest user groups in the UK.

In certified solutions the fingerprint template is encrypted, both in storage and in transit from the reader. Nor can a captured template submission simply be replayed to the host: certified commercial products implement anti-spoofing and anti-replay countermeasures as standard.
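One way a product can make a captured template submission worthless on replay, shown as an added illustration rather than any vendor's design: the host issues a fresh random nonce for every attempt and the reader's HMAC over the submission must cover that nonce, so neither the sniffed message nor its tag can be reused under a later challenge. The `Host` class, `reader_submit` function, 16-byte nonce, per-reader key and placeholder template blob are this example's assumptions; the encryption of the template itself is left out to keep the replay binding in focus.

```python
import hashlib
import hmac
import secrets

# Constructed demo values, not from any product: a per-reader key shared
# with the host at enrolment, and an opaque stand-in for the encrypted
# template blob. Template encryption itself is left out; the point here
# is only how binding each submission to a fresh challenge defeats replay.
READER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ENC_TEMPLATE = b"<opaque encrypted fingerprint template>"


def reader_submit(reader_key: bytes, nonce: bytes, enc_template: bytes):
    """Reader side: tag the template with an HMAC that also covers the
    host's nonce, so the tag is valid for this one attempt only."""
    tag = hmac.new(reader_key, nonce + enc_template, hashlib.sha256).digest()
    return nonce, enc_template, tag


class Host:
    """Host side: issue one nonce per authentication attempt and accept a
    submission only if its nonce is outstanding and its tag verifies."""

    def __init__(self, reader_key: bytes) -> None:
        self.key = reader_key
        self.outstanding: set = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, enc_template: bytes, tag: bytes) -> bool:
        # A nonce is good for exactly one submission, whether it verifies or not.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.key, nonce + enc_template, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo_template_submission() -> list:
    """Genuine swipe, verbatim replay, tag spliced onto a new challenge, and a
    forged tag without the reader key; returns the four verdicts."""
    host = Host(READER_KEY)

    # 1. Genuine swipe: the reader answers the host's challenge.
    n1 = host.challenge()
    captured = reader_submit(READER_KEY, n1, ENC_TEMPLATE)
    genuine = host.accept(*captured)

    # 2. An attacker who sniffed the submission replays it verbatim.
    replay = host.accept(*captured)

    # 3. The attacker obtains a fresh challenge but reuses the captured tag.
    n2 = host.challenge()
    splice = host.accept(n2, ENC_TEMPLATE, captured[2])

    # 4. The attacker obtains a fresh challenge but has no reader key.
    n3 = host.challenge()
    forged_tag = hmac.new(b"guess", n3 + ENC_TEMPLATE, hashlib.sha256).digest()
    forged = host.accept(n3, ENC_TEMPLATE, forged_tag)

    return [genuine, replay, splice, forged]


if __name__ == "__main__":
    print(demo_template_submission())  # [True, False, False, False]
```

The reader's key, not the template, is what the host trusts; in a real product that key lives in the reader's secure element, which is why a certified reader, rather than just a certified algorithm, matters.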

Additionally, biometric data stolen from a commercial system is of limited use to an attacker, because the stored template holds only a small set of features extracted from the fingerprint rather than the fingerprint image itself. Templates should still be treated as secrets: unlike a password, a fingerprint cannot be changed if its template is compromised. Non-commercial systems such as US-VISIT store complete biometric images, but their purpose (border identification) is different from that of commercial authentication solutions.

Reducing risk

All multi-factor authentication mechanisms offer improved security over passwords; modern biometric authentication, however, is the best at reducing the human risks of loss, theft and sharing of credentials. With independent certification, solutions are available that meet the requirements of ISO 27001 and PCI DSS.

Fingerprint and iris authentication have anti-spoofing measures that work effectively as one factor in a multi-factor package. Vein readers offer a level of single-factor security that goes beyond what the protection of sensitive data typically requires.

The only downside is that vein reader hardware is currently priced at around £260, three to four times the cost of a fingerprint reader. With the current pressure to reduce costs, IT managers who take a long-term view of security and cost management should weigh the reduction in password-related helpdesk calls that biometric solutions bring.

The operational saving of around $50 (£35) per password-related helpdesk call would typically cover reasonable hardware costs within 12 to 18 months.

The medium-term case for biometric security is getting stronger, and the worldwide market is growing at 20 per cent a year. Secure, easy-to-use and affordable biometric authentication may finally be within reach of the average organisation.