For years, we’ve seen characters in science fiction movies using a hand, an eye, or voice to gain access to highly secure areas in a building. The hero always manages to find a way around these barriers and save the day. It’s not quite so simple, but it’s more challenging for the hotshot spy to access areas using physical characteristics than using passwords.
How much of your day is spent helping end-users track down, reset or gain access to the network because they lost or forgot their passwords or other security issues? What if you could have extra security and added convenience by not using passwords again?
This no-password technology is here and is growing rapidly. It is called *biometrics* and you’re on your way to becoming a hero like those in the movies.
*Biometrics* is the use of automated methods of recognizing an individual based on physical or behavioral characteristics. Common commercial examples are a fingerprint, face, iris, hand geometry, voice, and dynamic signature recognition.
Adopting new password technology
Not all cool technology becomes viable. The old ‘build it and they will come’ concept only works if the buyer is looking for something to solve a business problem. Not just a minor irritant, but a major pain.
Think about the main motivator behind most of the technology purchases you make. There is likely a loss of productivity, existing stress point, or both behind each one.
Password scenarios
In the security world, there is continuing pressure to make your network more secure. Each layer of additional security implemented also adds more complexity to the process. One of the major time wasters for a help desk staff is assisting end-users with password problems. Password issues have also become an annoyance for the end-user.
Consider three different basic password scenarios. You operate either with no passwords, simple and same passwords, or complex ones for login screens, applications, and secure Internet sites. Here are the rationalizations for the scenarios regarding passwords and their tribulations:
- No passwords: it’s effortless, but not secure. It’s an open invitation for hackers and peers, and it’s highly vulnerable. There are many people using this method today. Startling, but true.
- Simple or same passwords for all logins: simple to remember, but not secure, easily guessed, and leads to havoc if one password is cracked on a system.
- Complex passwords: these are perceived as secure, but they’re inconvenient. They can be cracked by patient hackers with a little help from password generating programs.
Here is a story from the front line involving a “simple password” usage policy in a particular company. A company’s password policy for employees was as follows:
- Use the first initial of the first name,
- Then the last name
- Add the number one (1) at the end of the string of characters.
Therefore, Joe Shmo’s password was “jshmo1.”
This policy applied to all 70-plus employees. Management’s insecurity, in wanting to know all the passwords, caused this unsecured inefficiency. They did not see the other side of the coin: a wicked-minded employee with minimal technical expertise could access the company’s intellectual property for snooping.
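A password-change check that rejects the pattern in this story, as an added example (not code from the article or from the company described). The function names, the 12-character minimum and the 60% overlap threshold are assumptions chosen for illustration.

```python
import re
import unicodedata


def _norm(text):
    """Lower-case, strip accents, keep only letters and digits."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())


def identity_tokens(first, last):
    """Strings anyone holding the staff list can build from a name."""
    f, l = _norm(first), _norm(last)
    tokens = {f, l, f + l, l + f, f[:1] + l, f + l[:1]}
    return {t for t in tokens if len(t) >= 3}


def derived_from_identity(password, first, last):
    """Return the name token the password is built on, or None."""
    # Dropping edge digits undoes the policy's "add a 1" step.
    core = _norm(password).strip("0123456789")
    if not core:
        return None
    for tok in sorted(identity_tokens(first, last), key=lambda t: (-len(t), t)):
        # Flag when the token makes up at least 60% of what is left (assumed threshold).
        if tok in core and len(tok) * 10 >= len(core) * 6:
            return tok
    return None


def check_new_password(password, first, last, min_length=12):
    """Reasons to reject a proposed password; an empty list means accept."""
    reasons = []
    if len(password) < min_length:  # assumed minimum, not from the article
        reasons.append("shorter than %d characters" % min_length)
    tok = derived_from_identity(password, first, last)
    if tok:
        reasons.append("built from the user's name (%s)" % tok)
    return reasons


# Constructed sample: the article's Joe Shmo plus made-up candidates.
if __name__ == "__main__":
    for pw in ("jshmo1", "Shmo2024!", "J.Shmo#1", "correct-horse-battery-staple-42"):
        print(pw, "->", check_new_password(pw, "Joe", "Shmo") or "accepted")
```

The check runs where the plaintext is available, at password-set time, so it needs no access to stored passwords.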
There is another contributor to the already complex password issues. It’s bad enough that there are password generator programs, which enable hackers to crack passwords when they want to infiltrate a network, even when complex passwords are used on such a network.
This contributor is called social engineering. People share passwords with their peers, co-workers, friends, and bosses. In a corporate setting, when network break-in issues occur, it creates finger-pointing. Worst of all, it causes the loss of valuable time, money and resources. Furthermore, a company’s intellectual property is exposed to the wrong individuals with potentially catastrophic consequences for the company.
If someone breaks into your network, which of the previously mentioned password issues will come to mind? Most likely, none. The media and marketing firms have brainwashed the public because they want to frighten, to promote and to sell security prevention products blocking outsiders from infiltrating your network.
The reality is there is a good likelihood that the infiltrator could be working within your department, sitting in an adjacent office or in the cubicle at the end of the hall or even the person who greets you every morning and offers you a cup of hot cocoa in the hallway.
As big a problem as passwords are for everyone, not being able to secure your network is unthinkable.
A better password solution
Biometrics is the solution for simplifying these password security issues. Biometrics provides an additional layer of security, efficiency and convenience for users and IT administrators. The passwords are there if you need them. Nevertheless, you can implement a simple policy to use back-door passwords—say 30 characters long—so no hacker or program can easily break it—and use biometric authentication for all logins, applications and secured internet sites.
Here are a few facts about most biometric solutions:
- In general, it’s a non-intrusive solution. Often people relate biometrics devices to those fingerprint imaging devices used by law enforcement agencies. In biometrics during fingerprint enrollment, the fingerprint image is converted into often-encrypted binary data and stored onto the hard drive. Reverse engineering, to convert this data back into the fingerprint image, is virtually impossible.
- It’s easy to set up and to use.
- A combination of different biometric devices with Boolean authentication methods can be used for additional layers of security. For example, using a fingerprint together with iris recognition methods of authentication, or even combined with passwords.
- It can significantly minimize the cost and the time wasted on administration and maintenance of password related issues for IT departments.
- It maximizes efficiency and convenience by avoiding the need to remember passwords.
The wide spectrum of industries that have already adopted biometrics solutions is as follows:
- financial institutions
- pharmaceuticals
- small businesses
- medium and large corporations
- healthcare industry
- educational institutions
- remote corporate employees
- health clubs
- government agencies
- hospitality industry
- consumer industry
The “password” future is here
Firewalls, virus protection programs, intrusion detection and prevention, and program and operating system patches for vulnerabilities and loopholes are examples of the nuisances we embrace even though they come with additional costs and headaches.
Biometrics is ready for embracing by those who require and understand the benefits of added security (from insiders and outsiders), efficiency and convenience for our everyday computing experiences. Just like online transactions, once you start using it, you can’t imagine returning to the older and inefficient technology. Biometrics adoption is real and not an underground movement nor a fictional scene from a James Bond movie. It is the road we will travel.
Discussion: There’s talk that the next step to protect access is passphrases. What do you think?
About the author
Nick Farzanfar, the founder of FOQUEST Incorporated, has worked in research, consultation, recommendation and implementation of advanced biometrics solutions for organizations of all sizes. He is at the forefront of educating the market regarding the inefficiencies of passwords–as being the “weakest link in IT infrastructure.” He is working with Boston University, Vermont University, and Massachusetts General Hospital to assist them with research and implementation of biometrics solutions. Nick holds a Bachelor’s Degree in Computer Mathematics from San Jose State University, San Jose, CA.