Identity confirmed

Token, smart card and biometric authentication schemes are making their way from the movies to the mainstream.

By Frederick M. Avolio,
Network World, 08/24/98

[Copyright 1998 by Network World Inc., 161 Worcester Road, Framingham, MA 01701. Reprinted from Network World.]

The tall, slim, tuxedo-clad figure moves purposefully. He approaches a console and lays his hand on a flat glass plate that scans the geometry of his hand and checks his fingerprints. "Identity confirmed," a recorded voice says. He enters an elevator and the thin red line of a laser crosses his right eye, scanning the retina. "Identity confirmed," the recorded voice states again. The elevator door opens in front of an abyss. While taking his first step into what appears to be a 100-foot drop, our hero speaks, "Bond. James Bond," and a metallic walkway flashes into place as the recorded voice says, "Access permitted to Agent 007."

The hidden walkway is a bit much, but this television commercial for Visa and the movie Tomorrow Never Dies isn't all that far off in terms of depicting the kinds of biometric authentication mechanisms mainstream businesses are now deploying to ensure no unscrupulous types access their systems and networks.

Authentication is the process by which users prove they are who they claim to be. For this Buyer's Guide, we're exploring three basic types of authentication products: tokens, smart cards and biometric devices.

If you need an authentication system that works with firewalls and dial-in servers, tokens or smart cards are your best bets. If you want products that lock a PC unless its user is physically sitting in front of it, biometric devices are a good choice. If you want to be able to do both plus control access to network and application servers, be prepared to compromise or wait.

Proving your presence

Tokens have been available for several years. Priced at about $50 to $100 each, the products use cryptography and passwords or personal identification numbers to establish identity. Some of the first tokens include Axent Technologies' Defender Security Server and Defender Hand Held Tokens, Crypto Card's CryptoAdmin 3.0 and Tokens, and Security Dynamics' SecurID.

Smart cards are credit card-size devices that work in much the same way as tokens. The products cost about $100 each and typically come with a smart card reader. Smart cards in the online Buyer's Guide chart include ActivCard's ActivPack, GemPlus' GemSAFE tokens and V-ONE's SmartGate.

Biometric devices use personal characteristics to verify a user's identity. These characteristics can include face recognition, fingerprint or eye scans, and voice identification. Pricing for biometric products ranges from just under $100 to several hundred dollars per unit, depending on the device type and amount purchased.

Face recognition requires a digital or video camera. Products such as Miros' TrueFace Network and Visionics' FaceIt identify users by having them mug for the camera.

As you might expect, fingerprint recognition requires a fingerprint reader. Packages that check users' prints include American Biometrics' BioMouse Plus, Biometric Access' SecureTouch 98, Mytec Technologies' Touchstone and NEC's TouchPass.

Although eye recognition is very accurate, few vendors have developed products that use the technology to provide network access. IriScan is expected to release an iris recognition system for network authentication next year. Eye recognition requires a specialized camera and light.

Voice identification uses a microphone and sound card, both of which come as standard equipment on most PCs. Qvoice's Who Is It!, T-Netix Voice Entry II and Vasco Data Security's VACMan/Enterprise Security Suite perform voice recognition.

Although biometrics have been around for several years, affordable mid- and low-end biometric systems are relatively new. The market is in its infancy, but more vendors are releasing biometric authentication products and usability is improving, says David Harper, program manager of the International Computer Security Association's (ICSA) Biometric Consortium in Carlisle, Pa.

The chief benefit of biometric authentication is the technology's convenience to users. For ironclad security, look for a product that links biometrics with another authentication method. For example, American Biometrics' BioMouse Plus fingerprint scanner can be used in conjunction with a password system.

Integration is essential

One of the most important considerations when choosing an authentication product is integration. Does the product integrate with your firewall, network operating system (NOS) and desktops? The lack of standard application program interfaces means authentication products often work with one NOS or firewall but not another.

Tokens typically integrate with more products than biometric devices because the cryptographic products got a head start in the market. However, there are numerous biometric API standards efforts in the works, including Biometrics Application Program Interface, Human Authentication API and Speaker Verification API, to name just a few.

Integration will also get a boost when companies such as BioNetrix of Bethesda, Md., step up to provide middleware that allows authentication devices to interoperate with servers and applications.

But be patient - widespread integration of strong authentication devices with computer and network systems will happen in a few years. Consumer demand for the products should help spur this process, as will certification and testing programs in organizations such as the Biometric Consortium and the ICSA.

As you evaluate authentication products, remember one size doesn't fit all. Tokens or smart cards might suit the road warriors in your company who need to be able to authenticate themselves from hotels using notebook PCs, whereas face recognition and the accompanying video cameras might be perfect for desktop users.

Check to see if intruders can thwart the authentication device by rebooting the PC or copying a datastream from a fingerprint reader to a server and later replaying it. The tokens listed in the online chart will give you little cause for concern - all use strong cryptographic methods and very random numbers to make a replay attack practically impossible.

However, biometric authentication is somewhat less secure. Biometric products must use Data Encryption Standard or Triple DES between the device and the server to protect against intrusion.
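The replay check described above, as an added example that is not from the article or from any vendor's product: a server that accepts a fixed datastream accepts a captured copy too, while one that issues a fresh random challenge per login rejects it. HMAC-SHA256 stands in here for the products' cryptography (the article names DES and Triple DES), and every class and function name is hypothetical.

```python
import hashlib
import hmac
import secrets


class StaticVerifier:
    """Weak design: the device sends the same datastream at every login."""

    def __init__(self, enrolled: bytes):
        self.enrolled = enrolled

    def verify(self, datastream: bytes) -> bool:
        return hmac.compare_digest(datastream, self.enrolled)


class ChallengeVerifier:
    """Server issues a fresh random challenge; each one is valid once."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.pending:
            return False  # unknown or already-used challenge: a replay
        self.pending.discard(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def device_response(key: bytes, challenge: bytes) -> bytes:
    """What the token or reader computes with its shared secret."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def replay_outcomes() -> dict:
    key = secrets.token_bytes(32)  # constructed shared secret
    captured_static = b"constructed-fingerprint-datastream"
    static = StaticVerifier(captured_static)
    server = ChallengeVerifier(key)
    c1 = server.new_challenge()
    r1 = device_response(key, c1)  # the exchange as seen on the wire
    return {
        "static_replay": static.verify(captured_static),
        "first_login": server.verify(c1, r1),
        "same_pair_replayed": server.verify(c1, r1),
        "old_response_new_challenge": server.verify(server.new_challenge(), r1),
    }
```

When evaluating a product, the equivalent test is to confirm that a recorded login exchange fails when presented a second time.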

By asking the right questions and combining different authentication techniques, you can obtain network security that's easy for users and difficult for potential intruders to thwart.