
Biometric - A World without Passwords

For years, we’ve seen characters in science fiction movies using a hand, an eye, or voice to gain access to highly secure areas in a building. The hero always manages to find a way around these barriers and save the day. It’s not quite so simple, but it’s more challenging for the hot shot spy to access areas using physical characteristics than using passwords.

How much of your day is spent helping end users track down or reset passwords, regain access to the network because they lost or forgot them, or deal with other security issues? What if you could have extra security and added convenience by not using passwords again?

This no-password technology is here and is growing rapidly. It is called biometrics and you’re on your way to becoming a hero like those in the movies.

Biometrics is the use of automated methods of recognizing an individual based on physical or behavioral characteristics. Common commercial examples are fingerprint, face, iris, hand geometry, voice and dynamic signature recognition.

Adopting new technology

Not all cool technology becomes viable. The old ‘build it and they will come’ concept only works if the buyer is looking for something to solve a business problem. Not just a minor irritant, but a major pain. Think about the main motivator behind most of the technology purchases you make. There is likely a loss of productivity, existing stress point, or both behind each one.

Password scenarios

In the security world, there is continuing pressure to make your network more secure. Each layer of additional security implemented also adds more complexity to the process. One of the major time wasters for help desk staff is assisting end users with password problems. Password issues have also become an annoyance for the end user.

Consider three different basic password scenarios. You operate either with no passwords, simple and same passwords, or complex ones for logon screens, applications and secure Internet sites. Here are the rationalizations for the scenarios regarding passwords and their tribulations:

• No passwords: it’s effortless, but not secure. It’s an open invitation for hackers and peers, and it’s highly vulnerable. There are many people using this method today. Startling, but true.

• Simple or same passwords for all logons: simple to remember, but not secure, easily guessed, and leads to havoc if one password is cracked on a system.

• Complex passwords: these are perceived as secure, but they’re inconvenient. They can be cracked by patient hackers with a little help from password generating programs.

Here is a story from the front line involving a “simple password” usage policy in a particular company. The company’s password policy for employees was as follows:

1. Use the first initial of the first name,
2. Then the last name,
3. Add the number one (1) at the end of the string of characters.

Therefore, Joe Shmo’s password was “jshmo1.”

This policy applied to all 70-plus employees. Management’s insecurity, in wanting to know all the passwords, caused this insecure and inefficient arrangement. They did not see the other side of the coin: a wicked-minded employee with minimal technical expertise could access the company’s intellectual property for snooping.
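A check that would have rejected every password produced by the policy above, written as an added example (it is not part of the original article). The function names and the idea of running it as a hook at password-change time are assumptions for illustration; it goes slightly beyond the "initial + last name + 1" pattern and also catches other name-based variants.

```python
import re
import unicodedata


def _norm(text: str) -> str:
    """Lower-case, strip accents, and drop everything that is not a-z."""
    decomposed = unicodedata.normalize("NFKD", text)
    return re.sub(r"[^a-z]", "", decomposed.lower())


def name_stems(first: str, last: str, username: str = "") -> set:
    """Stems anyone could build from the staff directory alone."""
    f, l, u = _norm(first), _norm(last), _norm(username)
    stems = {f + l, l + f, f[:1] + l, l + f[:1], f, l, u}
    # Ignore very short stems to avoid flagging unrelated passwords.
    return {s for s in stems if len(s) >= 3}


def is_name_derived(password: str, first: str, last: str,
                    username: str = "") -> bool:
    """True if the password is only a name stem plus digits/symbols."""
    # Digits, symbols, accents and case are ignored wherever they appear,
    # so "jshmo1", "JShmo2024!" and "shmo.joe#7" all reduce to a stem.
    return _norm(password) in name_stems(first, last, username)


def check_new_password(password, first, last, username=""):
    """Hypothetical hook called at password-change time, before hashing."""
    if is_name_derived(password, first, last, username):
        return (False, "password is derived from the account holder's name")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs; "Joe Shmo" is the article's own example.
    for pw in ("jshmo1", "JShmo2024!", "shmo.joe#7", "violet-kettle-orbit-42"):
        print(pw, check_new_password(pw, "Joe", "Shmo", "jshmo"))
```

The check needs the plaintext, so it belongs at the moment a password is set, not in an audit of stored hashes.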

There is another contributor to the already complex password issues. It’s bad enough that there are password generator programs, which enable hackers to crack passwords when they want to infiltrate a network, even when complex passwords are used on such a network.

This contributor is called social engineering. People share passwords with their peers, co-workers, friends and bosses. In a corporate setting, when network break-in issues occur, it creates finger pointing. Worst of all, it causes the loss of valuable time, money and resources. Furthermore, company intellectual property is exposed to the wrong individuals with potentially catastrophic consequences for the company.

If someone breaks into your network, which of the previously mentioned password issues will come to mind? Most likely, none. The media and marketing firms have brainwashed the public because they want to frighten, to promote and to sell security prevention products blocking outsiders from infiltrating your network.


The reality is there is a good likelihood that the infiltrator could be working within your department, sitting in an adjacent office or in the cubicle at the end of the hall, or could even be the person who greets you every morning and offers you a cup of hot cocoa in the hallway.

As big a problem as passwords are for everyone, not being able to secure your network is unthinkable.

A more efficient solution

Biometrics is the solution for simplifying these password security issues. Biometrics provides an additional layer of security, efficiency and convenience for users and IT administrators. The passwords are there if you need them. Nevertheless, you can implement a simple policy to use back-door passwords (say 30 characters long, so no hacker or program can easily break them) and use biometric authentication for all logons, applications and secured Internet sites.

Here are a few facts about most biometric solutions:

1. In general, it’s a non-intrusive solution. Often people relate biometric devices to the fingerprint imaging devices used by law enforcement agencies. In biometrics, during fingerprint enrollment, the fingerprint image is converted into often-encrypted binary data and stored on the hard drive. Reverse engineering, to convert this data back into the fingerprint image, is virtually impossible.

2. It’s easy to set up and to use.

3. A combination of different biometric devices with Boolean authentication methods can be used for additional layers of security. For example, using a fingerprint together with iris recognition methods of authentication, or even combined with passwords.

4. It can significantly minimize the cost and the time wasted on administration and maintenance of password-related issues for IT departments.

5. It maximizes efficiency and convenience by avoiding the need to remember passwords.
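The Boolean combination of factors mentioned in item 3, sketched as an added example that is not part of the original article. The factor names, the 0 to 1 score scale and the thresholds are assumptions; a real matcher supplies its own scores. A factor that was not presented or could not be read counts as a failure, so the policy fails closed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    threshold: float  # minimum matcher score to accept (assumed 0..1 scale)


# Hypothetical factors and thresholds, chosen only for illustration.
FINGERPRINT = Factor("fingerprint", 0.80)
IRIS = Factor("iris", 0.90)
PASSWORD = Factor("password", 1.0)  # 1.0 = verified, 0.0 = wrong

# Fingerprint is mandatory; the second factor is iris OR the long password.
POLICY = ("AND", FINGERPRINT, ("OR", IRIS, PASSWORD))


def evaluate(policy, scores: dict) -> bool:
    """Evaluate a Factor or a nested ("AND"|"OR", term, ...) tuple."""
    if isinstance(policy, Factor):
        score = scores.get(policy.name)
        # Missing reading (sensor offline, factor skipped) is a failure.
        return score is not None and score >= policy.threshold
    op, *terms = policy
    if not terms:
        return False  # an empty policy must never grant access
    results = [evaluate(term, scores) for term in terms]
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unknown operator: {op!r}")


if __name__ == "__main__":
    # Constructed sample readings.
    print(evaluate(POLICY, {"fingerprint": 0.93, "iris": 0.40, "password": 1.0}))
    print(evaluate(POLICY, {"fingerprint": 0.93}))
    print(evaluate(POLICY, {"fingerprint": 0.50, "iris": 0.99}))
```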

The wide spectrum of industries that have already adopted biometric solutions is as follows:

• financial institutions
• pharmaceuticals
• small businesses
• medium and large corporations
• healthcare industry
• educational institutions
• remote corporate employees
• health clubs
• government agencies
• hospitality industry
• consumer industry

The “password” future is here

Firewalls, virus protection programs, intrusion detection and prevention, and patches for the vulnerabilities and loopholes in programs and operating systems are examples of the nuisances we embrace even though they come with additional costs and headaches.

Biometrics is ready for embracing by those who require and understand the benefits of added security (from insiders and outsiders), efficiency and convenience for our everyday computing experiences. Just like online transactions, once you start using it, you can’t imagine returning to the older and inefficient technology. Biometrics adoption is real and not an underground movement nor a fictional scene from a James Bond movie. It is the road we will travel.

Discussion: There’s talk that the next step to protected access is passphrases. What do you think?

About the author: Nick Farzanfar, founder of FOQUEST Incorporated, has worked in research, consultation, recommendation and implementation of advanced biometrics solutions for organizations of all sizes. He is at the forefront of educating the market regarding the inefficiencies of passwords as being the “weakest link in IT infrastructure.” He is working with Boston University, Vermont University and Massachusetts General Hospital to assist them with research and implementation of biometrics solutions. Nick holds a Bachelor’s Degree in Computer Mathematics from San Jose State University, San Jose, CA.
