Biometric login replacing domain passwords for all users and SSO to all applications
With $200M in revenues and over 70,000 employees, a manufacturing giant struggled to solve the problem of passwords and finally put their finger on a solution.
It is common knowledge that usernames and passwords are the weakest form of authentication. Network administrators and policy makers must struggle to protect and control access to resources while common users continue to negate those struggles by their inability to select and use passwords of sufficient length and complexity.
“Passwords are not only the weakest link in any security policy, but they require constant maintenance and create expensive overhead.”
At first glance, many biometric solutions appear viable. On closer examination, however, each is built around a specific biometric device (sensor) that typically works well in one environment but not in another. Some devices are more popular than others and are therefore available in more than one form factor. This lessens the limitation somewhat but still does not resolve the software issue. “It’s the chicken and egg scenario all over again.” There is considerable risk in selecting an authentication solution tied to any given biometric device, and equal risk in selecting a biometric authentication software package that supports only one or a few biometric devices.
IdentiPHI overcame this dilemma with IdentiPHI Advanced Authentication. IdentiPHI incorporates an open BSP (Biometric Service Provider) provided by Bio-Key International, Inc. Bio-Key developed a fingerprint matching algorithm called VST (Vector Segment Technology), which allows IdentiPHI users to enroll on and authenticate with over 35 biometric sensors using a common template. Current and future biometric sensors are no longer a major factor in the equation, and there is very little risk in selecting and deploying any sensor type based on user requirements in a given location or area of the business.
“As you would expect in the manufacturing industry, there are certain areas where biometrics seemed impractical. Therefore ruggedized readers were better suited for manufacturing plants and shop floors, while less-expensive readers seemed more practical for office use. Further, there were other important options that allowed selection of USB or PCMCIA readers, optical and capacitive sensors, readers integrated into mice and keyboards, readers with swipe sensors and panel sensors.”
This capability becomes ever more important as notebook manufacturers begin to integrate biometric sensors into their products. Integration will naturally drive the growth of biometric deployment in the US and worldwide; however, it alone does not address every user and every usage scenario. Most laptop users keep their notebook docked when in the office. With the lid closed, the integrated sensor is concealed and unavailable for login and for unlocking the workstation. By leveraging the multiple-sensor support offered by IdentiPHI, users can use the integrated sensor when remote and authenticate with a different sensor on their desk while in the office. Each client can support up to 3 different readers; if one reader is unavailable, or if the laptop lid is closed, IdentiPHI automatically defaults to the next available reader.
Enrollment stations were an important part of the equation. Forensic-quality biometric sensors available on the market are perfectly suited for enrolling users into IdentiPHI. These sensors are of very high quality, but their higher price prevents wide-spread deployment to thousands of users. The ability to use these readers for enrollment and any other reader for authentication was a significant advantage to the project from both a functional and a financial standpoint.
Scalability concerns were also addressed during evaluation. The architectural limitations of using a database for biometric template storage were overcome by IdentiPHI, which leverages a schema extension to Active Directory as well as local cache options. Concerns about the single point of failure that a database repository can create were no longer an issue: with the AD schema available from every Windows Domain Controller, the entire network would have to go down before an authentication point was lost. Even in the case of complete loss of connectivity, IdentiPHI can authenticate against a locally encrypted cache file so that users are not locked out of their systems.
Additionally, fingerprint templates are encrypted using AES-256, so there was little concern over storage in AD, which most organizations consider a hostile environment. Another requirement was server-side authentication wherever possible, to minimize the risk of rogue software interacting with the authentication process.
A further requirement was the ability to authenticate in the event of a non-functioning biometric device. IdentiPHI addressed this in two ways. A substitution policy allows users to answer a series of passphrase questions, similar to the standard questions banks use to confirm a user's identity. For users connected to the domain, the help desk can generate a temporary “emergency” password that can be used for up to 24 hours.
“All deployed users benefit from the convenience of a biometric authentication to their system as well as single sign-on to over one dozen applications. Network security benefits from the removal of system passwords which were replaced by 49-character passwords that are randomized including un-typable and un-printable characters. Essentially, passwords no longer exist.”
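As an added illustration, not IdentiPHI's code, the following Python models two of the controls described above: the randomized 49-character domain password that replaces a typable one, and the help-desk “emergency” password that lapses after 24 hours. The store class, its HMAC-SHA-256 digest, and the field and function names are assumptions; only the two numbers come from the case study.

```python
import hashlib
import hmac
import secrets

# The two numbers come from the case study; the code around them is an
# illustrative model, not IdentiPHI's implementation.
PASSWORD_LENGTH = 49                # randomized domain password length
EMERGENCY_TTL_SECONDS = 24 * 3600   # help-desk emergency password validity


def generate_domain_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw every character from all 256 Latin-1 code points, so the result
    contains control and non-printable characters no keyboard can produce."""
    return "".join(chr(secrets.randbelow(256)) for _ in range(length))


def is_untypable(password: str) -> bool:
    """True when the password has the stated length and cannot be keyed in."""
    return len(password) == PASSWORD_LENGTH and not password.isprintable()


class EmergencyPasswordStore:
    """Hypothetical help-desk store: each temporary password is kept only as a
    keyed digest plus an expiry and may be reused until the 24 hours run out."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._issued = {}  # username -> (digest, expires_at_epoch_seconds)

    def _digest(self, password: str) -> bytes:
        return hmac.new(self._key, password.encode(), hashlib.sha256).digest()

    def issue(self, username: str, now: float) -> str:
        """Generate a typable temporary password and record when it lapses."""
        temp = secrets.token_urlsafe(12)
        self._issued[username] = (self._digest(temp), now + EMERGENCY_TTL_SECONDS)
        return temp

    def verify(self, username: str, attempt: str, now: float) -> bool:
        """Accept only an unexpired, matching password (constant-time compare)."""
        record = self._issued.get(username)
        if record is None:
            return False
        digest, expires_at = record
        if now >= expires_at:
            del self._issued[username]  # lapsed: purge so it cannot be retried
            return False
        return hmac.compare_digest(digest, self._digest(attempt))
```

The randomized password is only ever released by a successful biometric match, so it never needs to be typed or remembered; the emergency password, by contrast, is deliberately typable and carries its own expiry.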