
Integrating Enterprise Single Sign-on with Finger Biometrics to Strengthen Your Overall Security Posture

These days, credit unions are increasingly aware of the risks involved in protecting IT-based resources from identity theft, malicious outside attacks, or generally inappropriate use. They must also adhere to strict mandates — FFIEC, Sarbanes-Oxley, GLBA, Basel II, and others — from government and industry regulators that require financial services organizations to take significant steps to strengthen defenses against these misuses. As a result, many credit unions are deploying strong multi-factor authentication policies that are more secure than the basic password schemes that had been so commonplace in the past.

Federal Financial Institutions Examination Council (FFIEC) guidelines are drawing more attention to the need for strong authentication technologies to secure customer information in the banking industry. These guidelines are spurring banks and credit unions to tighten up security within their customer base. Bank employees are another source of breaches of customer information, and it is only a matter of time before the FFIEC will sanction implementation of strong authentication for internal application access. Implementing and requiring strong authentication is a prudent part of an organization’s overall security policy and is a topic that comes up often at banking industry conferences and exhibitions.

Strong authentication is the use of at least two factors to authenticate a user based on “what the user knows,” “what the user has,” and “who the user is.” Implementations include the use of strong password schemes, ID tokens, proximity cards, smart cards and biometrics.

To secure a credit union’s internal applications, we’ll examine the advantages and complexities of using finger biometrics as one form of strong authentication and how it ties to enterprise single sign-on to strengthen an organization’s overall security posture.

Enterprise Single Sign-on

Enterprise Single Sign-On (ESSO) solutions require a company’s employees to remember and provide just one set of credentials — user name and password — to access the full portfolio of applications, data, and services for which that user is authorized. While ESSO technology is not new, many solutions have been expensive and time-consuming, and have rarely lived up to expectations. However, there are new, more cost-effective solutions on the market today that help organizations benefit from increased user productivity and reduced password management costs by enabling single sign-on (SSO) to all enterprise applications.

When examining single sign-on technology options, one can benefit from an affordable, easy-to-implement appliance that enables SSO without modifying the applications that employees use every day. Companies can then benefit from centralized password administration, lower help-desk costs, increased productivity, and compliance with policy – without modification of existing applications or interruption or downtime of business activities. In addition, to maximize the enterprise-wide benefit, an ESSO solution should fully support multiple strong authentication methods and centralized password policies to allow companies to implement levels of security that are appropriate for their environments.

Biometrics

Biometrics—the measurement of one or more physical or behavioral characteristics of an individual—is used to increase a system’s security level dramatically without increasing the complexity. Biometric identifiers are highly reliable since they cannot be easily faked, altered, or misappropriated.

Biometric identifiers include both physical (fingerprints, hand geometry, eye patterns, facial features) and behavioral (voice prints and signatures). Behavioral identifiers are more subjective than physical identifiers. They can vary because of external conditions such as illness, and can conceivably be imitated. Physical identifiers are virtually impossible to replicate, and are considered to be the more reliable of the two identifiers.

The most technically advanced, proven, and recognized physical identifier is the fingerprint. Fingerprints were first used for positive personal identification more than one hundred years ago, when it was proven that each finger of every individual has a unique arrangement of ridge detail. In the years that followed, organizations throughout the world have had growing requirements for positive identification systems resistant to high technology fraud. This requirement has created increased interest in biometrics, and fingerprint technology has remained the most effective, economical, and widely used biometric identification system.

Combining the ease-of-use of a quality ESSO solution with the identity-uniqueness of biometrics can help credit unions improve employee productivity and adhere to better security practices, while strengthening their overall security posture and minimizing the burden on IT to manage such a central security system.

Key Considerations for Combining Biometrics with ESSO

Integrating ESSO and biometrics can deliver significant increases in security while decreasing helpdesk calls and IT costs. To maximize the benefits of such an integrated system, it is important that any implementation of a biometric-enabled ESSO solution adhere to the following key criteria:

  • Matches each user by correlating against a known set of references, taking into account:
    • Variations in pressure and density
    • Aging- or dirt-induced variations in the print
    • Orientation of finger on the sensor
  • Utilizes a capture algorithm that:
    • Captures images at higher speeds, resulting in less image blur distortion
    • Normalizes for humidity variations in the finger
    • Is “device neutral,” and not associated with a specific sensor or reader
  • Credentials are stored centrally, using strong security and privacy safeguards by:
    • Ensuring that each captured fingerprint image is destroyed and cannot be misused
    • Maintaining mathematical descriptions of a print’s landmarks, but not the actual print itself
    • Never shipping a username with the template
    • Storing the username in a double-blind alias mechanism on the server
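
The storage criteria above, sketched as an added example that is not from the article or from any vendor's product. It assumes the "double-blind alias" is a keyed HMAC pseudonym, so the template store never sees a username and the directory never sees a template; `AliasDirectory`, `TemplateStore`, `enroll` and `constructed_extract` are hypothetical names, and the extractor is a stand-in for a real minutiae extractor.

```python
import hashlib
import hmac
import json


class AliasDirectory:
    """Identity side: turns a username into an opaque alias; never sees templates."""

    def __init__(self, key: bytes):
        self._key = key  # assumption: kept in an HSM or secrets manager in practice

    def alias_for(self, username: str) -> str:
        norm = username.strip().lower().encode("utf-8")
        return hmac.new(self._key, norm, hashlib.sha256).hexdigest()


class TemplateStore:
    """Biometric side: holds templates keyed by alias; never sees usernames."""

    def __init__(self):
        self._records = {}

    def put(self, alias: str, template: list) -> None:
        self._records[alias] = json.dumps(template)

    def get(self, alias: str):
        raw = self._records.get(alias)
        return json.loads(raw) if raw is not None else None

    def dump(self) -> dict:
        return dict(self._records)


def constructed_extract(image: bytearray) -> list:
    # Stand-in extractor (assumption): each 3 bytes become one [x, y, angle] landmark.
    return [[image[i], image[i + 1], (image[i + 2] * 2) % 360]
            for i in range(0, len(image) - 2, 3)]


def enroll(username, image: bytearray, extract, directory, store) -> str:
    """Extract landmarks, overwrite the captured image, store under the alias only."""
    try:
        template = extract(image)
    finally:
        image[:] = bytes(len(image))  # the raw capture is zeroed even if extraction fails
    alias = directory.alias_for(username)
    store.put(alias, template)  # the record carries no username
    return alias


if __name__ == "__main__":
    directory, store = AliasDirectory(b"k" * 32), TemplateStore()
    capture = bytearray(b"\x10\x20\x30\x40\x50\x60")  # constructed sample "image"
    print(enroll("JSmith", capture, constructed_extract, directory, store), capture)
```

Zeroing a `bytearray` clears only that buffer; copies made by a sensor driver or SDK are outside its reach and need the same treatment at their own layer.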

Performance Drives User Adoption, IT Efficiencies, and Overall Value

In conjunction with the key consideration criteria above, solution performance remains the critical element to the success of any security system, and a balance between security and convenience must be maintained. Follow these performance guidelines when selecting an integrated biometric-ESSO solution:

  • Ensure high-end image processing technology is embedded into a commercial product at an affordable price – there are many solutions out there, and some cost more than they should, so keep an eye out for the balance between cost and system capabilities.
  • Look for solutions that limit the failure rate, or “false accepts” and “false rejects,” to a rate of <1 in 1 million reads or better.
  • Most end-users want to get past authentication to focus on getting their job done, so speed is paramount. Acceptable time for authentication is two to three seconds for throughput to applications. Anything more than five seconds is ineffective and will result in user rejection. Consider the verification speeds of integrated ESSO-biometrics solutions and do a head-to-head comparison of the best alternatives.
  • Focus on solutions that can handle a wide range of finger image presentation with higher accuracy. Most solutions’ algorithms allow a finger to be +/- 10 degrees off-center. Better solutions support +/- 30 degrees, so keep that under consideration.

Closing Remarks

The FFIEC authentication requirements deadline of Dec. 31, 2006 for customer-facing two-factor authentication is driving greater interest in authentication technologies overall in the financial services industry. It is important to understand how finger biometrics and single sign-on technology can play a part in strengthening the security posture of your credit union, and what to consider when evaluating strong authentication options for both customer-facing and internal applications.

Any finger biometric solution choice needs to consider these critical factors: usability and convenience, system performance, security and user privacy, and cost. In today’s security-conscious world, it is essential to combine security with convenience to enable a company to adhere to strict government and industry mandates for security, privacy and accountability. Finding the right biometrics and ESSO technologies that can help organizations meet and exceed these stringent requirements in a cost-effective way strengthens a credit union’s overall security posture.

David Ting is founder and CTO of Imprivata. Ting was recently named one of InfoWorld's Top 25 CTOs of 2006. He has more than 20 years of experience in developing advanced imaging software and systems for high security, high-availability systems. For more information or to contact Ting, visit www.imprivata.com.

