IdentiPHI Enterprise Security Solutions
Biometrics to enhance rights elevation for Administrators and secure applications

With 10,000 network administrators responsible for over 700,000 computer systems, enforcing 2-factor authentication is not only a challenge, it’s THE challenge.

Deployments of smart cards to users for network login and system access have demonstrated a significant improvement over simple usernames and passwords. Not only does an organization benefit from the improvement delivered from a security perspective, but also from the ease of use that is offered to the end users.

The issue that arises from this scenario becomes apparent with network administration staff utilizing multiple domain accounts for differing levels of administrative privilege. A user account with administrative rights can utilize a single credential as the system must only recognize a single role. However, when an organization requires separation of user and administrator accounts, a significant limitation of smart cards becomes apparent. Currently, there is no ability for a Java smart card to support multiple roles from a single card. Though multiple certificates may be stored on a card, only the primary certificate may be used for authentication.

“Unless we issue two separate smart cards for our network administrators, we must still rely on passwords for all administrative tasks both on the workstation and servers.”

Federal agencies that require CAC and/or PIV credentials for authentication to network systems will face challenges similar to those that were apparent with the Common Access Card (CAC), which presented limitations in the ability to enforce 2-factor authentication for applications and administrative functions. When security policies are not met, agencies fall out of compliance and regulations are neglected.

IdentiPHI was deployed to further enhance standard users and smart card holders alike by providing biometric authentication to sensitive applications that do not natively accept certificate based login or . The result: 2-factor authentication is achieved, security is increased and regulations are met. In addition, IdentiPHI allows for biometric authentication to servers and applications accessed locally and remotely via Citrix. The ability to use a remote login request to a local biometric device is supported from a fat client or thin client terminal.

Administrators were able to benefit from IdentiPHI by leveraging biometric login at the server level, where the smart card credential (user role) could not be used. Network administrators are increasingly managing infrastructure from remote workstations. Therefore IdentiPHI developed one of the only solutions that allow for biometric login over RDP to target servers. Additional use cases have been addressed by IdentiPHI in response to requests from current government users. Such tasks include elevating rights to administrative level for a user authenticated with CAC to join a workstation to a domain, to manage local and network services, to map a network drive as an administrator, to add a printer, and many other functions that may require the use of “Run As” access.

Typical projects in the past have focused primarily on the ability to enforce 2-factor authentication for standard users while lacking a solid solution for a smaller, but more restricted, group of network administrators. This was previously attributed to the desire to increase usability with biometric authentication products that offered little in the form of security. IdentiPHI successfully delivered the only solution that truly allowed for centralized management and policy enforcement for biometric authentication.

“We looked at biometrics in the past and determined that the available products were sufficient for single workstation deployments; however, we dared not deploy to the enterprise as these solutions were severely limited.”

Copyright © IdentiPHI Inc. 2007; All Rights Reserved