The Password is Biometrics
Many government agencies have recently turned to fingerprint scanning to secure computer-based assets such as software applications. In southern California, for example, the Los Angeles County Employee Retirement Association (LACERA) has implemented biometric technology from Novell and Identix Inc. to replace cyber-security formerly provided by computer passwords.
Essentially, LACERA collects, deposits and manages retirement funds and death and disability benefits for L.A. County employees and their families. “We are the fiduciary agency for the county, so data security is one of the most important things we do,” says LACERA Director of Technology James Pu.
Until two years ago, LACERA depended on passwords to safeguard computerized financial information. Extra measures of protection included different passwords for each software application and password changes to each account every 30 to 45 days.
Understandably, the staff found it difficult to remember so many passwords. “Help desk support became a nightmare,” Pu says.
Staff members began to tape their passwords to computer monitors. “When that happens, the whole purpose of passwords is defeated,” Pu says.
Pu and other technical staffers began thinking about biometrics to solve the problem.
“We started talking about how nice it would be to be able to use some kind of biometrics — fingerprints, handwriting recognition, or voice recognition, for example — for identification. But we discovered there isn’t a lot of industry knowledge about the subject,” Pu says.
General Networks, a Novell partner, sold LACERA the software used for the biometric solution, and Novell helped out with the implementation. Pu also worked with three or four other technical staffers from LACERA on research and development, plus a team of about a dozen people on the implementation.
LACERA rejected the idea of eye scanning on the grounds that some employees might think the procedure too invasive. Pu and his co-workers found fingerprint recognition to be a widely available form of biometric identification, and it was reasonably priced. “You can buy fingerprint readers for about $150 each,” Pu notes.
In the course of its research, LACERA looked into Nsure, a solution from Novell for secure identity management. Nsure brings together several Novell software components: eDirectory, SecureLogin, and Novell Modular Authentication Services (NMAS). In many implementations, hardware devices from other companies enter the biometric picture, too.
Pu liked the flexibility of Novell’s NMAS software, which supports about 60 different types of identification technologies for accessing software from PC desktops. The Identix fingerprint reader plugs into the back of a PC, according to Pu, and doesn’t require a reader built into a mouse or keyboard, a solution that clearly wouldn’t work for people with disabilities. The Novell software also allows an employee or other user to access multiple software programs by logging in just once.
When LACERA employees first log on to their PCs, they are prompted by the computer to enter a user name, and then to place fingers on the fingerprint reader. The computer system then tries to locate an encrypted software algorithm representing the employee’s fingerprints. When a match is found between the actual fingerprints and the algorithm, the employee gains access to software programs running on the desktop.
LACERA has chosen to eliminate passwords entirely. That is why employees only need to enter a user ID. Alternatively, a password could be required in conjunction with a user ID for single sign-on.
Some of LACERA’s employees raised privacy concerns about the fingerprint readers. Pu and his staff advised those concerned that the software algorithm simply represents certain “geographic descriptors” of the fingerprint. “We’re only storing an image. We certainly can’t reconstruct an actual fingerprint from those descriptors,” Pu says. “We made the use of fingerprint readers an organizational policy.”
LACERA finished its two-year implementation last August. On the whole, Pu is pleased with the results. “Calls to the help desk for password assistance are now way down,” he says. “But about six to 10 percent of our employee population cannot use the fingerprint readers, because their fingerprints are too faint.”
LACERA has alleviated this problem by giving high-contrast stamp pads — also available from Identix — to those employees who need them. Pu describes the high-contrast stamp pads as “moisture-based components that refresh the fingerprints.”
“What I’m seeing for the future, though, are fingerprint readers with higher recognition,” Pu says.