Software with Biometrics Makes Passwords Positively Paltry

Establishing identity is the key to creating a secure environment, and even though more information — and more sensitive information — is online than ever before, our standards for authenticating users have never been lower.

Whereas access to sensitive information once meant having a key to a building or room, passing a security camera, possibly a human guard, and remaining there while you searched through file cabinets, we now log on to a computer and walk away. The more difficult passwords become and the more frequently they change, the harder they are to remember and the more likely to be written down.

While we struggle to remember the names of children, spouses, and pets we use to access sensitive information, biometric solutions, such as fingerprint, iris, and facial scans, have been relegated mostly to Hollywood.

Thanks to lower price points in the hardware and some clever work by systems integrators, the day when your software prompts you for a fingerprint may come sooner than you expected.

Livelink, a component of the enterprise content management suite from Open Text, is vulnerable to the same password and authentication lapses as most Web-based and desktop software: How does a system know the user who logged in is who he says he is? From a healthcare background that highlighted identity and privacy issues, Glenn Munroe, a former Open Text services manager, saw an opportunity to alleviate user identity issues in Livelink by adding strong user authentication at an object level (document, file, folder, workflow approval, etc.).

When Munroe started Atlanta-based Knowledge Partners, he teamed up with Eagan, Minn.-based BIO-Key, which develops and licenses biometric finger identification technologies. The result was LiveID, a value-added module for Open Text’s Livelink that utilizes a USB-based fingerprint reader for authenticating users.

“Identity management at log-in was not our focus in creating LiveID,” Munroe said. “We can work with most any single sign-on (SS0) solution, and didn’t want to reinvent the wheel. Our objective was to protect a data repository from the most common weakness of any computer system — application security compromised by users who walks away from their PC without logging out, or compromised user name and password theft.”

It’s actually quite simple. “If an object in the Livelink repository has been secured by LiveID and you have rights to that object, you will need to authenticate yourself as the person who is currently logged in order to be granted access,” Munroe said. The fingerprint portion of the authentication is fast, scalable, and not tied to any specific hardware. With the price points for USB fingerprint readers starting to reach less than $100, the costs may not seem as far-fetched as you might think.

“We’re probably at a turn where a lot of companies are looking at it much more seriously,” Munroe said. “There’s no shortage of applications for this level of security.” Not only can LiveID help secure intellectual property at pharmaceutical firms, but financial statements and earnings reports subject to new government regulations such as Sarbanes-Oxley can also be secured. “I almost see any customer of Open Text having some interest at the departmental level,” Munroe said.

Munroe and others on the leading edge of integrating biometrics with software also have to battle misconceptions about accuracy and fallibility. The latest in fingerprint technology approaches 2,000 data points derived from a print, compared to the 40 or 50 from the original FBI AFIS fingerprint system. The authentication process takes just seconds, and while users could conceivably be denied access because of an oily finger or by pressing too hard or too softly, the false acceptance rate — i.e., the chance you will be given access incorrectly — approach odds of one in 200 million, Munroe said.

“Basically, you are going to win the lottery a couple of times before you get let in,” he said.