InformationWeek.com

Welcome Guest. | Log In| Register | Membership Benefits

March 20, 2000

Companies Strive For Simpler Security
continued...page 2 of 2

Illustration by Patrick Corrigan

Related links:

sidebar: Public Key Infrastructure Becomes E-Commerce Enabler

Act Now To Protect Your Data (2/28/00)

And from our sister publications:

TechWeb White House Presses Industry For Security (2/15/00)

Network Computing Hammering Out a Secure Framework (1/24/00)

TechEncyclopedia

Need a definition of a technology term? Look it up here:

Send Us Your Feedback

Smart cards employ an embedded memory chip that can hold authentication information about the card's owner. By swiping the card into a reader attached to a PC, users can access their data. Smart-card readers are priced at less than $100, and Windows 2000 natively supports them. In addition, smart-card users aren't limited to their own PCs or servers. They can easily be given access to any number of machines or even physical entry points.

Smart cards are also being looked on favorably in some quarters as the device that will store users' private keys in public key infrastructure encryption systems. PKI uses asymmetric encryption in addition to digital certificates to achieve secure Internet transactions. With this system, a public key is made available to everyone involved in E-commerce transactions, such as banks or Internet merchants, but the private key is known only to the user and is used to decrypt a document. Digital certificates are the electronic documents, issued by a trusted third party, that identify the holder of a private key. While Forrester Research reports that about half the companies it surveyed plan to move to digital certificates as their primary means of authenticating users within two years, the lack of interoperability standards is discouraging many companies from adopting PKI today.

Of course, smart cards have their own drawbacks--they can be lost or stolen. Some smart cards also must be used in conjunction with a PIN, which users may forget. That's why some companies are turning to biometric devices for an even more automatic approach to implementing some internal security measures. Biometrics rely on reading uniquely identifiable parts of a person's anatomy--typically a fingerprint but sometimes an iris--for authentication and access to secured data.

Compaq offers a fingerprint ID reader for $99, and NEC Technologies Inc. makes the TouchPass 2.0 hardware and software algorithm for fingerprint identification, at $200 for a PC unit and $1,000 for a server system. According to Lee Moser, NEC business-line manager for its advanced identification solutions group, fingerprint authentication falls into two categories. One-to-many identification compares an individual's fingerprint with others stored in a database of authorized users' fingerprints, while one-to-one identification ensures that a fingerprint matches only the single stored fingerprint the device is set to recognize. One-to-one ID software is faster and used mostly in offices where a single person uses the same PC all day, while one-to-many ID is useful for offices where many individuals may have to access the same system.

Gary Wood Photo by Michael DeFilippo Companies that have begun employing fingerprint ID systems often worry that users will resist the technology, because of concerns about being excessively monitored or because they associate fingerprinting with police procedures. But those fears turned out to be a nonissue for Lourdes Hospital, a 389-bed facility in Paducah, Ky., which uses nine TouchPass units. The hospital wants to record community residents' fingerprints so it can easily confirm the identity and medical history of patients who might be brought in unconscious or otherwise unable to communicate. It can also use the devices to ensure that the appropriate person is registering at its outpatient area.

Gary Wood, director of information services at the hospital, was worried about public acceptance but found that older people, in particular, liked the idea. "We were surprised most at how accepting senior citizens were of this technology," he says. He said the hospital rejected a smart-card system because users still had to be carrying the cards when they arrived at the hospital, which wasn't practical. The hospital installed the fingerprint system about a year ago, then tested it for a few months at a cost of $50,000. Says Wood: "As a potential user, I look at four things: cost, public acceptance, implementation time, and ease of implementation." TouchPass proved satisfactory on all counts.

In general, fingerprint-identification biometric devices offer security on the level of one in 500,000. In other words, in 500,000 tries, one wrong person gets in. But about one time in every 2,000 tries an authorized user also won't be able to get in. Companies can set lower thresholds to receive fewer false readings, but that slows down the recognition process.

Other biometric devices offer even higher levels of security. IriScan Inc. has three products that measure iris patterns in eyes: PCIris, for computer access control; IrisAccess, which controls doors, gates, and other portals; and Secure, for automated teller machines. Of all the biometrics available, iris recognition is touted as the most secure, with a false reading of just one in 1.2 million. This extra security has a hefty price tag, though: $995 for PCIris, $3,500 for IrisAccess, and $8,000 for Secure.

return to page 1