Fingerprinting Puts a More Foolproof Touch on Prime Time 08/30/01

advertisement
Fingerprinting Puts a More Foolproof Touch on Prime Time
08/30/01
By Joab Jackson,
Staff Writer
When NASA needed a foolproof way of controlling who entered its new Triana
Science and Operations Center at the University of California in San Diego, it went
for fingerprint-based access.
Security was crucial for the facility, which is part of the Scripps Institution of
Oceanography, since it develops Earth-imaging tools for spacecraft and is tied closely
to NASA networks.
And even though the fingerprint system cost 50 percent more than the access-card
approach, it was the most secure choice as far as operations manager R.B. Smith was
concerned.
“You can loan someone your card and personal identification number, but not your
finger,” Smith said.
So in January, the center installed eight fingerprint-reading units, one for each
entrance and office, provided by BioScrypt Inc. of Toronto, an authentication
solutions company. Without using personal identification numbers, keys or pass
cards, employees now gain entry by merely placing their fingers on a reader. Access
is granted or denied by a database of fingerprints from 200 authorized users.
BioScrypt’s NASA work may be typical of the niche fingerprint authentication
market these days, but fingerprint scanning is nearly ready for far wider deployment,
experts said. Thanks to dropping hardware prices and new interoperability standards,
fingerprint scanners may soon be standard gear in laptop and desktop computers, cell
phones, handheld computers and even smart cards.
Market research firm Frost & Sullivan Inc., San Antonio, estimates spending on
fingerprint systems will grow from $25 million in 2000 to $290 million by 2006, not
including sales of high resolution units used by law enforcement agencies to identify
criminals.
“It is a very dynamic market,” said Prianka Chopra, a Frost & Sullivan analyst.
“There are a number of vendors, which makes it very competitive.” As a result,
fingerprinting units that used to cost $500 each a few years ago are dropping to less
than $100 now.
The remaining challenge is for software developers and solution providers to integrate
this technology into enterprisewide systems, industry experts said.
“Fingerprinting is good because it is very simple,” Chopra said.
A form of biometrics, fingerprinting identifies a person by his or her unique
characteristics. When coupled with digital certificates and public key infrastructure
tools, this authentication tool can guarantee the security needed for electronic
exchanges, according to supporters.
At the enterprise level, this convenience can actually save money. For
an organization with 10,000 users, password management can run as
high as $350 per person per year because of help-desk calls for
forgotten passwords, said Damon Wait, director of investor relations at
identification solution provider Identix of Sunnyvale, Calif., who quoted
Barry Keyes
a study from market research company Gartner Inc., Stamford, Conn.
In contrast, an Identix-based fingerprint authentication solution that eliminates
passwords can be installed for around $150 per seat plus a maintenance cost of about
15 percent, Wait said.
Although fingerprinting scanners have long been used in specialty areas, the industry
is being invigorated by recent price drops in silicon-based microchips.
A design for chips costing $10 to $20 each, developed by now-defunct authentication
technology developer Veridicom Inc., was sold in July to solutions provider Precise
Biometrics AB, Sweden. The technology was also licensed to information technology
manufacturer Fujitsu Ltd.
Semiconductor company Authentec Inc., Melbourne, Fla., has stepped up with its own
series of chips that cost $25 to $30 and are expected to drop below $10 each by year’s
end, according to industry sources.
Optical-based scanner producers such as Identix have responded to this competitive
heat as well, Chopra said. For instance, Identix has recently released a scanner on a
PCMCIA card.
“Systems integrators have to stay on top of the biometrics field. Almost every
company has a biometrics division,” said Michael Thieme, senior consultant at the
International Biometric Group, a New York-based integration and consulting firm.
For example, eTrue, Southborough, Mass., which signed a deal to provide NASA
with Internet-based biometric authentication system for remote log-ons, has signed
partnerships with SRA International Inc., PriceWaterhouseCoopers LLP and Sytex
Inc.
Spyrus Inc., San Jose, Calif., provides biometric solutions to three of the five prime
contractors in the General Services Administration’s Smart Access Common ID Card
contract, a $1.5 billion, 10-year contract awarded in May 2000. Spyrus is on teams led
by Electronic Data Systems Corp., KPMG Consulting Inc. and Litton PRC Inc., now
part of Northrop Grumman Corp.’s Logicon Inc. unit.
Identix has also formed partnerships for this GSA contract with EDS, PRC, Maximus
Inc. and Logicon. Logicon and PRC won their contracts before Northrop Grumman
acquired Litton Industries Inc. earlier this year.
The biometrics companies are also securing their own government contracts. Identix
was selected by the Florida Supreme Court to secure its 650-seat, wide-area network
enterprisewide, which encompasses five District Courts of Appeal and the State
Supreme Court. And Aug. 7, an unnamed Arizona county contracted Identix’s
solutions for a 1,000-seat network to ensure that only authorized attorneys are able to
access sensitive court records.
“You still see contracts coming in for several tens of thousands of desktop seats,”
Thieme said. “The pace is quickening, but with 50 million seats out there, it still isn’t
making a big dent.”
According to Thieme, the barrier to mass acceptance resides in the work needed to be
done to modify enterprise-level, back-end systems.
“Companies have done a fine job at bringing hardware to acceptable levels. It’s the
software that is the problem,” Thieme said. “If you have 15 or 20 applications that
need biometric verification where a password used to be, that’s where the biggest
obstacle is.”
Single sign-on solutions can address this problem, but “when you have one sign-on
for 20 applications, you better make sure that is the right person signing on,” said
Henry Kunicki, vice president of sales for eTrue.
Thus the need for more expensive multiple-form authentication, where fingerprinting
is paired with PKI verification, he said.
Bill Bialick, technical director at Spyrus, pointed to another problem: slutions vendors
offering proprietary models. Because of this, agencies are reluctant to trust one
vendor’s standard for an organizationwide authentication.
Part of the solution here may come from the BioAPI Consortium, which announced
the final release of the BioAPI specification last March. BioAPI defines an open
system standard application program interface, or API, for applications to interface
with a broad range of biometric technologies.
“It would be nice if this standard gains acceptance, but it’s still young,” said Barry
Keyes, vice president of eTrust Security Solutions at Computer Associates
International Inc., Islandia, N.Y. At present, Computer Associates works with
individual biometrics vendors to assure interoperability with its eTrust single sign-on
and eTrust Web Access Control tool sets.
“We have the back-end software that can provide multiple authentication across the
enterprise with complete policy management,” Keyes said. However, the adoption
rate would increase with a common standard, he said.
Once standards are recognized industrywide, then fingerprinting technology is almost
certain to gain mass adoption. “Everyone wants to get rid of PIN numbers,” Bialick
said.
© 2001 Post Newsweek Tech Media Group
Download