As the prices of biometric security solutions have come down and their availability has spread, many organizations have begun considering biometrics as a viable option for enhancing user authentication, especially for high-security applications and environments. Until recently, biometrics remained an expensive and impractical solution, but with growing concerns about security, biometrics is quickly moving into the mainstream.
To help companies take full advantage of what biometric security has to offer, SAFLINK Corporation develops software solutions that integrate with current operating systems. The software allows administrators to manage authentication via a wide variety of biometric devices, including fingerprint and retinal scanners. Not only can biometrics improve authentication, but it also has the potential to ease some of the burden associated with maintaining end-user security.
Based in Bellevue, WA, SAFLINK works with biometric hardware vendors to write software that integrates with many existing systems, offering a more secure alternative to password-only authentication. SAFLINK currently offers the following solutions:
- SAFmodule for Novell NMAS
- SAFaccess for Computer Associates Etrust SSO
- SAFsolution for Windows Active Directory
- SAF2000 for WinNT/2000
SAFLINK’s Windows products integrate with Windows authentication systems to allow users to log on to their workstations and Windows domains. By eliminating the reliance on passwords, biometrics can improve network security and potentially cut down on help desk calls once the initial implementation period is over.
With biometric security devices, you know that only authorized users can actually log on. There’s no password to steal (or to keep on a sticky note within reach of the workstation), and stealing someone's biometric identity is not nearly as easy as it appears in the movies. For example, trying to fool a fingerprint scanner with a detached finger of an authorized user (if you'll excuse the gory reference) will not work. SAFLINK marketing and communications manager Tom Doggett says that many biometric devices can actually detect electrical impulses beneath the skin. So unless it’s the correct fingerprint from a living being, unauthorized access is barred.
SAFLINK’s software provides an easy way to configure the devices and enroll users in the system so that they can be recognized and authenticated. Many products conform to the Human Authentication API (HA-API) standard, the first industry standard for biometrics, which SAFLINK coauthored. Published in 1997 and sponsored by the National Security Agency (NSA), the HA-API governs high-level calls for key biometric functions, including the capture and processing of biometric data, the enrollment of users, and the matching of entries with user data.
SAFLINK is also playing a key role in a new standard, the BioAPI, which will extend the functions included in HA-API. BioAPI supports Win32 and offers easy adaptation to other platforms, including UNIX and Linux.
The standards are important to SAFLINK and to other biometric product vendors, Doggett said, because they enable companies to support many types of devices.
“The BioAPI is much more robust in terms of what it will support. It’s a much bigger plug-in and is much more flexible.”
Currently, SAFLINK’s software works with more than 18 types of biometric devices, among them:
- Fingerprint scanners
- Iris scanners
- Voice recognition devices
- Facial recognition devices
- Smart cards
- Proximity cards
- RF badges
“We test two to three new devices each month in our lab, and if we determine that a device is well suited to a desktop environment, is portable, and works well, we’ll integrate it in our solutions,” Doggett said.
Because the solutions are standards-based, it’s easier to point to how the API call must function in order for the software and hardware to work together.
The companies whose devices are compatible with SAFLINK’s software include:
- Visionics (which has merged with Identix)
- Lernout & Hauspie (now ScanSoft)
- LG Electronics
These companies manufacture a variety of biometric hardware, from fingerprint-reading mice to facial image recognition and iris scanners. Because of the wide array of products currently available, it’s become much easier to use biometrics to secure network access.
Fingerprint readers are the most popular devices because they are inexpensive, easy to use, and can be adapted to many environments. Fingerprint scanners have been integrated to include keyboards, mice, and even PC cards for laptops.
SAFLINK has also secured strategic partnerships with some key companies—including Microsoft, Novell, and Computer Associates (CA)—to ensure that their products are certified to integrate with current networking solutions.
“Two of our products, SAFaccess and SAFmodule, are designed specifically to integrate directly into CA and Novell, respectively,” Doggett said.
SAFLINK’s products are thus CA Smart certified and "Novell Yes!" approved. Because SAFLINK works directly with CA and Novell to integrate its security solutions with their products, they mesh seamlessly.
SAFLINK’s SAFsolution Enterprise Edition integrates with Microsoft Windows 2000 Active Directory to manage user identities and network authentication in Win2K AD environments.
Biometrics can be a better network authentication tool than traditional methods, but the biggest obstacle to its adoption may be the initial cost. In addition to the necessary hardware, you have to purchase the software for managing the data that makes it work. In the long run, however, switching to biometrics could have cost benefits.
Eliminating the need for passwords can pay dividends. Let’s face it—passwords are a hassle for the IT department to manage and are a major security risk. Users have difficulty remembering passwords, especially if they’re required to change them frequently, and they end up either writing them down or choosing easy-to-remember passwords that aren’t complex enough to be secure. Biometrics can eliminate this problem altogether. Tying authentication to a physical trait ensures that the person logging on to the network is an authorized user. No more password stealing or borrowing, no more password-related help desk calls, and no more of the administrative overhead associated with managing user passwords.
Although you won’t see an immediate payoff from moving to biometrics, the improvements in security and reduction of administrative tasks associated with current authentication methods can result in a good return on investment over time.
Integration and efficiency
One of the best features of SAFLINK’s products is their ability to integrate with current environments. Let's take SAFsolution as an example.
When SAFsolution is installed in a Windows 2000 AD infrastructure, it integrates with existing AD records, and biometric data becomes a part of the user’s AD sign-on identity. SAFsolution allows for what SAFLINK calls fast login, which means that users can bypass the typical logon dialog box. The verification of identity via a biometric device against the AD record gives the user immediate access to the workstation and appropriate network resources. Thus, the biometric verification acts as the logon credentials.
SAFsolution also offers a self-enrollment wizard, which allows users to add their own biometric records. This speeds deployment and reduces the burden on admins. Biometric events are logged and can be viewed in the Event Viewer to improve monitoring of user actions. Other features in SAFsolution include a disconnected logon for mobile users and identity sharing for the purpose of delegating duties.
Biometric products offer a convenient method of better securing network access. As the devices continue to drop in price and are increasingly integrated into hardware, biometrics becomes an even more viable solution. Because of their support for a wide array of devices and integration with many networking environments, SAFLINK’s software products can be a key element in a biometric deployment.