Beyond user names and passwords

Corporations spend a great deal of money protecting data from hackers who take advantage of software application holes, while resigning themselves to the fact that legitimate users often have nothing more than a name and password to verify themselves.

At the recent Comdex 2002 in Toronto, however, there was a sense this is no longer enough.

Even today, with security policies in place almost everywhere, the ploy of a hacker masquerading as an IT manager and requesting password verification still works. The problem is that gaining access to the corporate network requires nothing more than information. There is a move in IT to use either multiple source authentication (something you know and something you have) or biometrics (which uniquely identifies individuals using their face, fingerprint or iris) to gain access to corporate data.

For many years this technology has been used at highly secure locations around the world. But it has had two factors limiting its widespread acceptance and use in the corporate world: cost and accuracy. It is OK to spend $50,000 on an iris reader which takes two or three tries to let you in if you are entering a top-secret military base. But this is of absolutely no use to business travellers trying to access corporate e-mail from their laptop.

David Troy, senior project manager, access control solutions division with EDS Corp. in Washington, D.C., said price is coming down while, at the same time, accuracy is going up. “The question (now) is which one is more appropriate for your identification (needs),” he said.

Dozens of solutions

There is much debate over the use of biometrics. The technology is undoubtedly very secure, since fingerprints and irises are theoretically unique. But issues of privacy and social stigma arise when they are the solution of choice.

Although actual fingerprints, for example, are not stored, there are legitimate concerns about how this information is stored, who has access to it and whether future technology could make reverse engineering possible.

Whether a company chooses biometrics or hardware, there are literally dozens of solutions, from swipe cards and USB keys to fingerprint readers and iris scanners.

But even Troy, an admitted biometrics fan, has reservations about vendors’ claims. Do not blindly accept their accuracy claims, he said.

The most likely biometrics technology to gain wide use is the fingerprint reader. It is accurate and cheap. Readers are now under US$100. Its main downside is the criminal connotation, Troy said. Another downside is that templates from different readers are, at the moment, not interoperable.

Face readers are more accepted by the general population since most of us have had our picture taken, but they are more expensive and can be sensitive to both lighting conditions and skin tone. Those with darker complexions are more difficult to read.

And as for cards and keys, they are easily lost, stolen or passed on to other users, so many security experts do not view them as an ideal solution.

But Glen McLeod, an Ottawa-based IT manager, has a unique idea on how we can make the swipe card really work. Have it double as your bank card, he said. “It is unlikely you’d give it to someone else and you have more invested in its protection…since it’s (your) money.”

As for biometrics, McLeod still has issues with the privacy side. He is not ready to trust companies to keep the data completely secure.