The recent stories of data loss and increasing compliance regulations are giving organisations good reason to reconsider their security precautions. Jim Fulton, VP, DigitalPersona, explains why biometrics might be the way ahead when it comes to the realm of internal security.
Identity management and authentication have been a problem for some time now and the weaknesses of traditional methods such as passwords, PINs and smartcards are becoming more apparent. Biometrics have moved into the mainstream in order to solve these identity and authentication problems.
Traditional methods of authentication have for a long time been the most pervasive tools used to secure digital and corporate assets. The problem with passwords, PINs and smartcards for ID verification is that in order to remain secure they are reliant on individuals using them correctly 100 percent of the time.
Passwords, for example, are the most common method of authentication but are vulnerable for a number of reasons. It has been shown that people regularly choose passwords which are very easy to break. These will generally follow the same pattern and will often be something personal like a date of birth or the name of a family member or pet.
Users will also use a single password for a number of different systems and applications. These practices counteract all of the recommended procedures which are intended to keep networks secure. Individuals are encouraged to use a variety of passwords for different systems and make their passwords more obscure, but even observing these guidelines can cause problems.
By making passwords more complex or numerous the chances of them being forgotten or written down dramatically increases and whilst the writing down of passwords presents an additional threat to security the increase in forgotten passwords becomes a drain on resources. It is estimated that 25 - 50 percent of help desk calls are for password resets and that each of these resets can cost £10 - £19.
Smartcards are no better than passwords and suffer from the same fundamental flaws. Neither method can guarantee that the person accessing a network is legitimately authorised to do so and there is nothing to stop employees from sharing passwords and smartcards, with security audits regularly finding that the practice is common even when colleagues do not possess the required authorisation.
A major concern is that if identity cannot be verified there is less of an incentive for users to be accountable for their actions thereby increasing the probability of an internal attack. The truth is that a potential attacker only needs one password or smartcard in order to use other methods to gain access to data and systems.
One password failure may be sufficient to compromise overall security on every system to which the user has access. It's a scary thought, but digital and corporate assets are only as secure as your least responsible user.
These weaknesses in current authentication methods have brought biometric authentication to the forefront as a realistic alternative. Biometric security, the measurement of a unique physical characteristic, is significantly more secure than other methods of authentication for one simple reason, it is not based on something you remember like a password, nor is it based on something you have in your possession, like a smartcard - a biometric is based on something you are. A biometric cannot be guessed, shared, written down, forgotten or lost, and ensures that authentication is not vulnerable to the fallibility of the people that use it.
The added accountability which biometric authentication provides is especially useful in helping organisations to comply with the increasing level of corporate governance and industry regulation. This technology provides clear user-unique audit trails that track which data has been accessed, when and by whom.
Mobile technologies have threatened to make the task of remaining compliant even more challenging. Organisations including Gap, Marks and Spencer and HM Revenue and Customs have all been victims of recent data loss as a result of digital assets being removed from the safety of the office.
Increasingly, biometrics are being used to secure access to digital assets while on the move, with fingerprint readers now being embedded into mobile devices including notebook computers, PDA's, mobile phones and even USB sticks.
Fingerprint technology can be used to provide more protection than simply verifying authorised individuals. Certain software provides users with the capability to encrypt and decrypt data simply be applying their finger to the reader.
At present, fingerprint authentication is proving to be the most popular form of biometrics with many users believing it to be the most practical and efficient while also being the least intrusive of the biometric technologies.
This technology is now being adopted successfully in a diverse range of sectors including retail and finance. The retail industry has found fingerprint biometrics particularly useful for reducing cash till shrink due to theft as well as fraudulent voids or returns.
In addition, by adopting biometrically enabled time and attendance machines, practices such as buddy punching (logging in for a colleague who is not present) and lollygagging (employees logging in but then wasting time before actually starting work) can be significantly reduced.
While some UK banks have conducted trials of this technology, as of yet, none have implemented any customer facing solutions. In Latin America some banks are using fingerprint biometrics for much more than just identity verification.
Banco Azteca in Mexico, for example, uses fingerprint readers to biometrically register new customers allowing them to conveniently review balances, track transactions, withdraw cash, transfer funds and exchange currency. Internally, staff use fingerprint identification for time and attendance control, access to the bank vault and even to pay for meals at corporate restaurants.
Biometric authentication is recognised for providing unrivalled ease of use and increased security. The implementation of a biometric solution saves organisations significant sums of money by reducing helpdesk calls, increasing productivity and assisting with compliance regulations.
Major implementations of fingerprint biometrics in retail, finance and other sectors are paving the way for more mainstream adoptions. As businesses continue to look for ways to tighten up security we can confidently predict that it is only a matter of time before placing your finger on a biometric reader will feel as natural and actually replace the action of entering your password or PIN.
