Product Lines

Ruminations on the System i Market

August 28, 2007

Why Isn't Biometrics Hotter on the System i?

Valid Technologies has just upgraded its Valid Secure System Authentication (VSSA) solution to V2R3. VSSA is currently the only user authentication product for the System i that uses biometrics, a general term for technology that uses end-user biological indicators for identification. VSSA uses fingerprint information (though not fingerprint images) entered from a fingerprint reader. However, biometrics products for other platforms use methods such as palm prints, facial recognition, retina and iris scans, voice recognition, and keystroke dynamics (which is the ability to identify a user by their overall typing speed and unique typing rhythm). VSSA also includes an application-enablement toolkit that lets developers integrate its biometric capabilities into software written in RPG-ILE, Cobol, Java, C++, and Visual Basic. VSSA has been around for exactly two years now, its initial release having been in August of 2005.

There are only two other System i vendors, so far as I can determine, who use biometrics to any extent. Kronos uses fingerprint readers in conjunction with its Workforce Central Suite workforce-management application. Better On-line Solutions uses VSSA to handle authentication for some of its thin-client workstations. But that's about it.

Why isn't biometrics hotter on the System i?

I put that question to Greg Faust, Valid Technologies' CEO. "There aren't more biometrics vendors in the entire enterprise market space, let alone the System i market, because companies at the enterprise level are slow to adopt new technologies," he opined. "The i5 world is even a bit more laggard, although (IBM System i GM) Mark Shearer is trying to turn that around. We have customers who have been testing our product at i5 locations for more than a year but say they're 'still evaluating' it," he continued. Faust pointed out that virtually all biometrics products on the market today are Windows-based and designed primarily for clients and laptops. So it's not just the System i world that's slow to catch on. "There's no biometrics product for the System z," he noted, "nor for HP-UX."

Faust noted that password hand-holding is expensive and said he's seen studies that show some companies spending up to $4 million a year on password-related help desk efforts. "A biometric solution costs a fraction of that," he pointed out. "The situation drives me crazy," he jokingly admitted. But in Faust's opinion, lack of biometrics adoption is primarily because no one has made a strong business case for it. "Change is hard. People don't understand the return on investment because no one's told them about it. It's like imaging technology was back in the 90s. No one would adopt it until someone like Citibank did. The neighbors have got to do it first."

I don't know about you, but I already have too many passwords to remember. I have one for my PC network, one for my e-mail, one for my blog, one for our web site ... and those are just the four I have to remember for work. I'd like it if I could sit down at my PC, have it recognize me by my fingerprint and be able from there to access any software I wanted. Wouldn't you? Single sign-on is catching on, so why not go all the way and adopt biometrics as well?

Aside from convenience issues, Faust has a good point that biometric authentication could pay for itself rather quickly. The $4 million figure is obviously for large companies, but the savings a small company could make should still be substantial. How hard would it be to make a business analysis of the time spent by help desk workers walking end users through password changes, added to the amount of time end users waste because some password problem keeps them out of networks and software they need to access to do their jobs? Add to that the intangible but potentially huge benefit of avoiding the data breach that a password attacker might accomplish, something biometric authentication could prevent, and it starts to look like biometrics should be a no-brainer.

Personally, I'd most like to see a keyboard analytics solution and skip the fingerprint reading. And I don't mean to tout one vendor as "the answer," but right now Valid Technologies is the only game in town for the System i. In fact, it's almost a mystery that Valid Technologies doesn't have so much business that other System i vendors would have jumped on the biometrics bandwagon by now. But as Faust said, and we all know in our hearts, change is slow.

But think about it. There's a huge amount of time and money being spent by too many people fixing passwords. Not to mention the aggravation. Don't your IT people have better things to do? Wouldn't the ones who get stuck with the duty be happier if they had more meaningful work each day than spending a couple of hours resetting passwords? And how about your end users; how about YOU? Wouldn't you all like to say goodbye to password hassles? You're the one who has to make the business case to your own enterprise. Don't you think it would be worth it?

Posted by at August 28, 2007 1:00 PM

Comments

Whenever a lot of money or physical security issues are involved, biometrics is there. Many upscale hotels do retinal scans and if you are not on their list, you don't come in.

--John deCoville

Posted by: John deCoville at August 29, 2007 12:04 PM

Not sure about Workforce Central, but we have Kronos iSeries Central for our time & attendance. Although it does use biometrics, the System i doesn't appear to be involved in that part of the work. Instead, they have a Windows program that's used to register users' fingerprints with the system and send them to the clocks. Ultimately, the employee's punch-in and punch-out data is sent back to the i5, but as far as I can tell, the i5 isn't involved in the biometric part of the equation.

One of the big problems we had when we set the system up was employee resistance. Because fingerprints are used in criminal investigations, many employees felt that it was an invasion of their privacy having our computers store this information. Some employees actually quit.

I find it very hard to believe that biometrics would be easier, less expensive, etc., than passwords. Think about it: Every PC would have to be equipped with a biometric scanner. That alone would cost a great deal of money. IT people would have to maintain these devices. There'd have to be software to drive the whole thing, and that wouldn't be cheap. Like all packaged software, the vendors would charge for maintenance and mandatory upgrades periodically. You'd need a maintenance contract for when the biometric devices break. This is NOT an inexpensive undertaking...

When a biometric scanner doesn't work, then what? You can't just reset the password. The scanner has to be fixed, or you don't sign on. A central help desk can't fix a bad scanner over the phone. A tech has to go on site to determine the problem.

You say that it would be more convenient for the user... maybe it would... but that'd mean having some sort of "single sign-on" solution in place. You'd need the fingerprint to be validated once, and some sort of cryptographic authentication (like a Kerberos ticket) to be used everywhere else. If that's the case (and it would almost certainly be the case) then is it really more convenient than doing the same thing with a password? If you only type the password once when you sign on to your workstation, and never again, is the password really that inconvenient?

I really challenge your statement that it would save money. I work for a small company, and passwords cost us next-to-nothing.

I could see its value in a high-security environment, but I just can't see it in an ordinary shop. It just doesn't make sense.

Scott: You're probably right that for a fairly small company, biometrics wouldn't be as simple as passwords are. But for some small companies, and most medium-sized or larger ones, I think the time savings would make it worth at least considering. Naturally, maintenance expenses would have to be part of the equation.

As for a fingerprint scanner failure, sure that's bound to happen, but the simple solution would be to just plug in a spare reader and you're back in business. Like any piece of equipment, you'd want to have a few spares. But most scanners should work for several years.

You're also right that there is some misperception about threats to privacy from taking fingerprint readings. The VSSA solution doesn't actually store those, just information about their characteristics. Perhaps I'll do a follow-up blog getting into some of those issues down the road. As I said, I personally would favor a solution that uses keystroke dynamics, partly to bypass this concern on the part of users, but one's not available yet for System i.
--jg

Posted by: Scott Klement at August 29, 2007 12:18 PM

I agree; right now I have way too many passwords to remember. I have passwords to access the AS/400 or iSeries, Client Access, my PC, my Lotus Notes, my WMS or Work Management System. Then the administrator set my PC and WMS passwords to expire on a regular basis. I change the password for these, but my AS/400 or iSeries password has been the same for almost 2 years. Interesting!

With biometrics and a fingerprint reader I can simply turn my PC on, place my finger on the fingerprint reader, and this should do it for my PC. Then the same for accessing the 400, WMS, Lotus Notes, etc.

The software behind the biometrics should be able to read more than one fingerprint so that the administrator can access the PC.

But how do we allow remote access to a PC?

Posted by: John at August 29, 2007 12:22 PM

I've been interested in the use of biometrics, but I'm concerned about how to handle one user with multiple signon IDs. Does the biometric scanner perform its scan and deduce the identity from the scan (limits the user to one ID), or does the user supply the ID, and the scanner then authenticates the biometric data against the stored data about the user? This second approach would allow one user multiple IDs.

Steve:
I couldn't answer this so I asked Greg Faust. He provided the following response:

"Good question, and it highlights the confusion over 'on device' or 'on PC' biometrics versus enterprise biometrics. The multiple user name problem is real in the 'local device' world. However, five or six user names per person are typical in the enterprise world, and accommodation of this requirement was an original design spec for VSSA back in 2004. VSSA is built to integrate with Enterprise Identity Management (EIM) environments, be it the wonderful EIM solution that is included with i5/OS or EIM from another platform or vendor. VSSA leverages EIM to map to the main EIM identity, so one set of user authentication credentials works for all user names covered by the EIM solution."

Hope that helps. -- jg

Posted by: Steve at August 29, 2007 1:44 PM

Because Adam and Jamie were able to defeat it, so easily...and that's no myth!!

-sarge

Note to Readers: Sarge is referring to the "Mythbusters" TV show on Discovery Channel. In episode 59, broadcast about a year ago, the Mythbusters duo outfoxed a fingerprint reader security system.

Similar to my response to another posting, I asked Greg Faust to comment because my expertise on the technical side of biometrics isn't very deep. His reply:

"Biometric readers come in two primary flavors - optical and RF. Optical scanners are usually very expensive, generate heat, and are susceptible to 'spoofing' with an image of a fingerprint. RF devices, such as the AuthenTec chip used in the APC Biopod deployed by VSSA, scan the sub-surface layers of the skin and, in the case of the Biopod, deploy technologies that require a real, live finger to be touching the sensor. This is not true of all sensors, and not true of all solutions taking the information from the sensor. Hence the need for a fully integrated solution. The protections against spoofing on the AuthenTec chip, when fully leveraged (as VSSA does), deliver a very high protection against malicious use. While there are laboratory environments where prosthetic fingers have been produced to 'spoof' a real finger, these materials are very unstable, last only a few moments, and require connection to very sophisticated electronics to mimic the human central nervous system. In short, the biometrics, as deployed by VSSA, pose hurdles to those wishing to gain unauthorized entry that are much, much higher than alternatives, such as hacking the application server itself.

VSSA contains multiple protections against replay of an authentication transaction as well. VSSA has undergone security reviews by the IBM Rochester labs that addressed both issues to their satisfaction."

Valid Technologies offers a white paper with additional information at
http://www.validtech.com/index.html?page=privacy.html&lsm=ls.html .

--jg

Posted by: Sarge at August 29, 2007 3:05 PM

John raises three points.

Regarding access to systems in addition to his PC, VSSA easily authenticates applications and transactions on virtually any operating platform.

Regarding admin access, VSSA lives on the server, not on the PC. So the enterprise uses its normal authorizations to determine who has access to what; VSSA simply confirms that the person accessing the system is who they say they are.

Regarding remote access, I VPN in to my company domain, then authenticate using remote desktop. Just like in the office, I don't use a password; I simply touch the sensor attached to my notebook.

Full disclosure: I am a colleague of Greg's at ValidTech.

Posted by: Jack at August 30, 2007 7:39 AM

I would just like to add some additional comments that might help potential solution seekers. VSSA was designed with several key elements in mind, the most important of which is that it starts at the transaction level for re-authentication regardless of the host application server, and then works outward to the logon if required.

In addition, VSSA focuses on protection of the transactions in motion even when set up in an n-tier environment, and on the actual storage of the encrypted credentials (which are a mathematical representation of a person's biometric). Also, the design was based on the authentication needs of the largest companies using a single system, yet it is able to run extremely fast on the smallest System i for the SMB market. Finally, it's quick and easy to install. For example, a customer's application program can be enabled in as little as 20 minutes.

A personal issue I have with a single sign-on solution with only passwords is that if the password is compromised then access is granted to many things. VSSA can tighten that all the way down to a transaction.

Full disclosure: I am the CTO at ValidTech.

Posted by: Tom Secreto at August 31, 2007 9:31 AM

Full disclosure: I'm acquainted with one of the VSSA principals.

I can't imagine that a 'keyboard analytics' solution would be viable. ID me (and only me) through 'keystroke dynamics'? Doesn't that sound physically impossible? It seems to me that a solution that stores fingerprint characteristics, rather than an actual image, would be infinitely more reliable. With the VSSA product, I can secure business processes at any level I want - transaction, application, at sign-on, wherever, with or without the need for a User ID. And it runs on what has to be the most secure, reliable, scalable server on the planet (System i). Is there a better way to ensure the user is who he says he is? Seems to me it's the proverbial 'no brainer'.

Arthur:

There are a number of PC-based authentication products that use keystroke dynamics already. The ones I'm aware of have you type a string of characters you type frequently, such as your user name, several times, and analyze the user's speed and rhythm from that. The advantage I see from using keystroke dynamics is that it avoids some of the problems Scott Klement's post referred to, namely maintaining fingerprint reader hardware and avoiding end user privacy concerns about the IDEA (even if not the actuality) of having a copy of their fingerprints computerized and stored. --jg

Posted by: Arthur Marino at September 2, 2007 6:33 AM
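To make the keystroke-dynamics idea discussed in this thread concrete, here is a toy matcher, added as an illustration and not VSSA's or any vendor's algorithm: it enrolls a user from several timed typings of a fixed string such as a user name, keeps only timing statistics (no fingerprint, no image), and scores a fresh typing by its distance from that rhythm. All timestamps are constructed sample data in milliseconds; the threshold is an assumed value a deployment would tune.

```python
from statistics import mean, stdev
from typing import List, Sequence

def intervals(timestamps: Sequence[float]) -> List[float]:
    """Inter-key intervals (ms) between successive key-press timestamps."""
    if len(timestamps) < 2:
        raise ValueError("need at least two key presses")
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

class KeystrokeTemplate:
    """Rhythm profile: per-interval mean and standard deviation over the
    enrollment samples. Only these timing statistics are stored."""
    def __init__(self, samples: Sequence[Sequence[float]], min_std: float = 10.0):
        ivs = [intervals(s) for s in samples]
        if len(ivs) < 2 or any(len(i) != len(ivs[0]) for i in ivs):
            raise ValueError("need >= 2 samples with the same key count")
        self.means = [mean(col) for col in zip(*ivs)]
        # Floor the spread so a very consistent typist is not rejected
        # for a few milliseconds of natural jitter.
        self.stds = [max(stdev(col), min_std) for col in zip(*ivs)]

    def score(self, timestamps: Sequence[float]) -> float:
        """Mean absolute z-score of a sample against the template
        (0 = identical rhythm; larger = further from the enrolled user)."""
        ivs = intervals(timestamps)
        if len(ivs) != len(self.means):
            raise ValueError("sample does not match enrolled key count")
        return mean(abs(iv - m) / s for iv, m, s in zip(ivs, self.means, self.stds))

    def verify(self, timestamps: Sequence[float], threshold: float = 1.5) -> bool:
        """Accept when the rhythm distance is under the (assumed) threshold;
        the threshold trades false accepts against false rejects."""
        return self.score(timestamps) < threshold

# Constructed data: four enrollment typings of a six-character user name,
# key-press times in ms from the first key.
ENROLLMENT = [
    [0, 120, 210, 360, 470, 570],
    [0, 125, 210, 370, 475, 570],
    [0, 115, 210, 350, 465, 570],
    [0, 120, 210, 365, 475, 575],
]
GENUINE_SAMPLE = [0, 122, 214, 362, 474, 572]   # same rhythm, small jitter
IMPOSTOR_SAMPLE = [0, 200, 260, 510, 590, 770]  # same name, different rhythm

def enroll_demo() -> KeystrokeTemplate:
    """Build the template from the constructed enrollment typings."""
    return KeystrokeTemplate(ENROLLMENT)
```

A real product would also track key hold times and re-enroll gradually as a user's typing drifts; this toy keeps only inter-key intervals.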
