Thursday, April 17, 2008
Passwords are not the best of security solutions
A Burgeoning Bevy of Biometric Barriers
Biometric access control was one of the hot themes among exhibitors at the recent RSA Security Conference in San Francisco. Several companies showed off their wares, which include a back-end system for integrating biometric authentication into existing systems as well as readers for fingerprints and palms.
Passwords are not the best of security solutions, as enterprises and individual users have found over the years. They can be cracked or stolen, and not necessarily by high-tech means either.
Often, passwords created by end users in corporations are simple, being based on numbers significant to them: their birth dates, wedding anniversaries, birth dates of their loved ones, their auto license plates or a combination of these.
Or, where the passwords are created by the system administrator, end users tend to leave them exposed. "You'll see Post-it notes on users' computer screens with their passwords, or the Post-its are stuck under the table," Chris Collier, vice president, identity solutions, at IdentiPHI, told TechNewsWorld.
Increasingly, enterprises are looking to biometric solutions -- fingerprint, palm or retina scanning among them -- to secure access to their computers.
IdentiPHI unveiled Version 5 of its SAFSolution product at the RSA Conference in San Francisco. This lets enterprises replace passwords with biometric authentication or smart cards.
SAFSolution 5 is tightly integrated with Microsoft (Nasdaq: MSFT) Windows Active Directory and other similar platforms, and "you can either use biometrics or smart cards or both," Collier said.
The product provides a framework to replace network authentication, storing templates in the Microsoft Active Directory Server. It's "the only technology that works with Citrix FastWorks Technology," Collier pointed out.
SAFSolution 5 supports sensors from more than 40 vendors on the back end with a single install, and "you can take a biometric vendor's product and plug it into our framework," Collier said. Customers can select the authentication methods that best fit their needs.
The product also has a security framework built in for separation of duties under Active Directory so the enterprise can assign different roles to different people in the organization, a key aspect of internal control which prevents fraud and errors. "Other computers just use Microsoft Group Policy, which isn't very secure," Collier noted.
New features include last logon recall, drop-down logon customization, secret questions, SAFremote for Citrix (Nasdaq: CTXS) and Windows Remote Desktop.
SAFSolution 5 is in pilot deployments with several key customers, including a major telecom firm that has rolled it out to 60,000 users in a phase one deployment, and a tire maker, which has rolled it out to 89,000 users in the U.S., Collier commented.
It will be rolled out to the public in May.
Fujitsu's Palm Reader
Securing your PC with your fingerprint isn't enough for Fujitsu -- it goes for your palm instead.
At RSA, it unveiled its PalmSecure PC log-in kit, which consists of a PalmSecure authentication sensor embedded in a PC mouse, and OmniPass Windows Log-in and Single Sign-On software.
Here's how it works: The system administrator takes a print of the vein pattern in a user's palm and stores it in a database. When the user takes hold of the computer mouse, PalmSecure generates a biometric template of the palm vein patterns and compares it to the stored version. If they match, access is granted.
The PalmSecure log-in kit will be rolled out to the public in June.
Privaris isn't too fond of the fingerprint as a biometric security measure, either. "If you swipe your finger across the sensor at the wrong angle, you won't get access," COO Mike Kohonoski told TechNewsWorld.
His company offers what he calls a totally enclosed biometric system, the PlusID. This is a device about the size of two USB (Universal Serial Bus) drive sticks that has four programmable buttons, a built-in scanner and two rings for attachment to your keychain at the base as well as a USB port.
You hook it up to your PC with the USB port, through which the device's battery is also charged.
All data is held on the device so the question of data privacy is not an issue. "Even though you administer it from the PC, your fingerprint template is stored on the device," Kohonoski told TechNewsWorld. "And, if you lose it, it's of no use to anyone else."
System administrators program the device to accept any of the user's 10 digits, but only this information is stored on the back end server; the actual finger- or thumbprint is stored on the PlusID itself.
Each of the four buttons can be programmed for a different credential. "If you have to access more than one system, you don't have to carry separate smart cards," Kohonoski said. The device can also be used to gain access to secure areas when programmed, "so you don't have to remember key codes or carry another smart card for the door," Kohonoski explained.
The PlusID works with native Windows Smart Card architecture, which is part of Windows Server 2000 and up. "You don't need any middleware, just a mini smart card driver which installs into the system," Kohonoski said. Users don't have to make any changes to Windows' revocation plans and backup schemes when their organizations use the PlusID.
Authentication certificates are obtained from Microsoft Active Directory's Microsoft Certificate Services.
The PlusID supports Windows Smart Card and smart cards from three leading vendors: HID, Indala and Casi Rusco.
Privaris is looking to extend its reach to other operating systems: "We'll be looking at products for Unix, Linux and its derivatives later this year," Kohonoski said.
Posted by SANJIDA AFROJ at 12:24 AM