FRAMINGHAM (02/19/2001) - In the race to improve security infrastructures faster than hackers can invent methods to penetrate firewalls, it is important to ascertain a user's identity before permitting access to protected data. Given the pervasive use of passwords and personal identification number codes for user authentication across all aspects of our daily life, attackers have developed powerful password-cracking tools.
New technologies that aim to directly strengthen user authentication include the use of tokens and smart cards combined with digital certificates. The most compelling and intriguing authentication technologies involve biometrics matching - the measurement of physical and behavioral characteristics such as facial structures, voice patterns and fingerprints.
In the past few years, biometrics technology has rapidly pushed through barriers that have slowed its adoption in mainstream environments. Performance, accuracy and reliability have increased among all types of biometrics methods, and prices for capture devices have plunged, making biometrics an attractive addition to security systems. The remaining challenge for biometrics is to address the requirements for large-scale deployments in complex governmental, institutional and commercial systems.
To gain widespread acceptance in businesses, multiple individual biometrics methods must coexist in a single system solution, and the underlying architecture must better support the interoperability, scalability and adaptability that govern total cost of ownership calculations. A multitiered authentication system built around these notions is one solution.
At the center of the authentication system, a server orchestrates interaction among client devices, an authentication validation policy system, multiple authentication matching engines and databases housing user information. Applications and transaction systems ask a centralized authentication server to confirm or deny a user's identity. The server receives incoming requests for authentication and directs actions to gather appropriate user credentials and evaluate them against a set of validation criteria.
The policy system might maintain extensive rules to meet security requirements that may differ depending on the user, application or transaction task.
The authentication security policy may require several biometrics for validation. Thus, the validation system must be able to layer biometrics approaches, balance matching scores from each matching process and interpret these results in light of preset policies. Because each matching engine reports scores on its own scale, those scores must be normalized before they are combined, and the acceptance threshold chosen for the combined score sets the trade-off between false accepts and false rejects. This process is computationally expensive, so the system must scale with demand. Because each biometrics method requires a different matching process engine, the authentication system should distribute the matching task to the correct algorithm and thread the processes across a farm of processors.
The user-interaction tier collects credentials from live users in real time. To collect a new biometric sample, a prompting system must request a specific user action, such as presenting a particular finger for scanning or repeating a voice phrase into a microphone. Many types of point-of-service access devices, such as desktop and laptop computers, mobile phones, wireless pocket devices and airport kiosks, may be used at any time by end users. Each device may have limited capabilities to request and gather a specific biometric from the user. Therefore, the authentication server must dynamically determine which biometric to request, based on the client device.
To complete the process, a user's credentials must be evaluated against a stored pre-enrolled user information profile, such as biometrics templates, digital certificate keys and text passwords. Repositories of this information may be centralized in protected databases or decentralized within personal tokens or smart cards. With the use of a smart card that contains the enrollment data, the authentication server would prompt users to present their template cards instead of accessing the templates from a central database. Unlike a password, a biometric template cannot be changed once it has been disclosed, so a central repository of templates must be protected accordingly.
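The Python below is an added illustration of the tiers described in the preceding paragraphs: a policy system with per-transaction rules, device-dependent selection of which credentials to prompt for, dispatch of each sample to its own matching engine across a worker pool, score fusion against a policy threshold, and a pre-enrolled profile to match against. It is not code from the article or from Keyware's product. Everything in it is constructed for the example: the device capability table, the two policies, the enrollment profile for a user "alice", and the matchers, which use Jaccard overlap and cosine similarity as stand-ins for real fingerprint and face engines and already report scores on a common 0-to-1 scale.

```python
import hashlib
import hmac
import math
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import NamedTuple

# Client-device tier: what each point-of-service device can capture (constructed table).
DEVICE_CAPABILITIES = {
    "desktop": {"fingerprint", "face", "password"},
    "mobile_phone": {"face", "password"},
    "airport_kiosk": {"fingerprint", "face"},
}


@dataclass(frozen=True)
class Policy:
    """Validation rules for one transaction class (constructed values)."""
    acceptable: tuple      # usable factors, in order of preference
    min_factors: int       # distinct factors that must be collected
    threshold: float       # fused score required to accept
    floor: float           # any single factor scoring below this rejects outright
    weights: dict          # relative trust placed in each matching engine


POLICIES = {
    "balance_inquiry": Policy(("password", "face", "fingerprint"), 1, 0.80, 0.50,
                              {"password": 1.0, "face": 1.0, "fingerprint": 1.0}),
    "wire_transfer": Policy(("fingerprint", "face"), 2, 0.85, 0.60,
                            {"fingerprint": 2.0, "face": 1.0}),
}


# Matching-engine tier: one engine per method, each returning a normalized score in [0, 1].
# Jaccard overlap and cosine similarity are toy stand-ins for real minutiae and face matchers.
def match_fingerprint(sample: set, template: set) -> float:
    if not sample or not template:
        return 0.0
    return len(sample & template) / len(sample | template)


def match_face(sample: list, template: list) -> float:
    dot = sum(a * b for a, b in zip(sample, template))
    norm = math.sqrt(sum(a * a for a in sample)) * math.sqrt(sum(b * b for b in template))
    return min(1.0, max(0.0, dot / norm)) if norm else 0.0


def match_password(sample: str, template: tuple) -> float:
    """Exact match only: PBKDF2 over the stored salt, compared in constant time."""
    salt, stored = template
    digest = hashlib.pbkdf2_hmac("sha256", sample.encode(), salt, 100_000)
    return 1.0 if hmac.compare_digest(digest, stored) else 0.0


MATCHERS = {"fingerprint": match_fingerprint, "face": match_face, "password": match_password}


def enroll_password(password: str, salt: bytes = b"constructed-salt") -> tuple:
    """Store salt plus PBKDF2 hash; a real deployment draws the salt from os.urandom per user."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Enrollment repository: pre-enrolled templates for one constructed user.
ENROLLED = {
    "alice": {
        "fingerprint": {(10, 20), (15, 42), (33, 7), (48, 48), (51, 12)},
        "face": [0.9, 0.1, 0.4, 0.3],
        "password": enroll_password("correct horse"),
    }
}


class Decision(NamedTuple):
    accepted: bool
    fused_score: float
    reason: str


def select_factors(policy: Policy, device: str) -> list:
    """Choose what to prompt for: policy preference filtered by what the device can capture."""
    usable = [m for m in policy.acceptable if m in DEVICE_CAPABILITIES.get(device, set())]
    if len(usable) < policy.min_factors:
        raise ValueError(f"{device} cannot satisfy policy: needs {policy.min_factors} of {policy.acceptable}")
    return usable[: policy.min_factors]


def authenticate(user: str, transaction: str, device: str, samples: dict) -> Decision:
    """Server tier: dispatch each sample to its engine in parallel, then fuse scores under policy."""
    policy = POLICIES[transaction]
    requested = select_factors(policy, device)
    profile = ENROLLED.get(user)
    if profile is None:
        return Decision(False, 0.0, "unknown user")
    missing = [m for m in requested if m not in samples]
    if missing:
        return Decision(False, 0.0, f"missing sample(s): {missing}")
    # Fan the matching work out across a worker pool, one task per engine.
    with ThreadPoolExecutor(max_workers=len(requested)) as pool:
        futures = {m: pool.submit(MATCHERS[m], samples[m], profile[m]) for m in requested}
        scores = {m: f.result() for m, f in futures.items()}
    # A hard failure on any single factor rejects before fusion can mask it.
    for m, s in scores.items():
        if s < policy.floor:
            return Decision(False, round(s, 3), f"{m} below floor")
    total_weight = sum(policy.weights[m] for m in scores)
    fused = sum(policy.weights[m] * s for m, s in scores.items()) / total_weight
    accepted = fused >= policy.threshold
    return Decision(accepted, round(fused, 3), "ok" if accepted else "fused score below threshold")


if __name__ == "__main__":
    live = {"fingerprint": {(10, 20), (15, 42), (33, 7), (48, 48), (51, 12), (60, 60)},
            "face": [0.9, 0.1, 0.4, 0.3]}
    print(authenticate("alice", "wire_transfer", "desktop", live))
```

Two design choices are worth noting. A per-factor floor is checked before fusion so that a strong face score cannot paper over a fingerprint that barely matched, and a password mismatch is treated as a hard failure rather than a low score. Device capability is checked before anything is prompted: a wire transfer from the constructed mobile phone, which can capture only face and password, is refused rather than silently downgraded to a single factor.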
While there are advantages to using biometrics, an authentication solution should not forgo other methods as part of the overall design. Even old-fashioned PIN codes and passwords provide an extra layer of protection and may be preferable in lower-risk systems. Other security technologies, such as public-key infrastructure, also perform critical roles in an overall security model.
Benado is director of product management at Keyware Technologies Inc. He can be reached at firstname.lastname@example.org.