Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

B U Y E R ' S G U I D E

Are Biometrics The Answer?

February 20, 2003
By Mike Fratto

>> continued from previous page

Enrollment & Integration

	Issue TOC
	Print full article
	Print this page
	Download as PDF
	E-Mail this URL
	Discuss this article
	Flame the author

	In this article
	Introduction
	Enrollment & Integration
	More Information

As with any authentication system, users must be enrolled first. Many biometric systems let users self-enroll. They authenticate to the local computer or to a directory and then enroll with the biometric. Unfortunately, if you are using biometrics to strengthen authentication but you rely on user names and passwords during the initial identification and authentication process, you haven't made any security gains. Monitored enrollment prevents this scenario but takes more time.

After enrollment, consider where the authentication information will be stored. Biometric systems that store data on the local machine can authenticate a user to that machine only. For larger deployments and for better management, look for a system that uses centralized storage. If the biometric software is deployed on all relevant systems, users can enroll once and have access everywhere.

For backup, multiple means of authentication should be recorded. Some devices let you enroll multiple biometrics--such as all the fingers on the right hand--for a single user. If something happens to one finger, a cut across the finger pad for example, the user can use another finger to authenticate without having to re-enroll.

In all cases, you will have to use hardware and software from a single biometric vendor: Interoperability is nonexistent in biometric authentication, despite the BioAPI Consortium's rallying to provide a standardized API for biometric integration. Authentication-management applications, such as Novell's NMAS and Secure Computing's SafeWord PremierAccess, which tie together biometric and nonbiometric authentication strategies for directory logins, are available, however.

Application integration is still based on individual partnerships, so it is important to ensure the device you choose supports your applications or that the vendor is willing to develop the integration for you. Integration usually takes place on the desktop or server using a Unix PAM (Plugable Authentication Module), a Windows GINA (Graphical Identification and Authentication) or a Novell eDirectory LCM (Login Client Module). As long as a user name-password pair is cached, your login credentials are used to log in to other applications. If your applications require a separate login, expect to do some developing.

Biometrics alone shouldn't be used for access to highly confidential data unless you've thoroughly tested the technology. If your goal is strong authentication, more proven technologies--hardware and software tokens and passwords--work well. And despite a recent decrease in the cost of biometric devices, these old standbys are usually a better deal. But if your goal is ease of use and reasonably strong authentication, biometric technology might be for you.

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®. Write to him at mfratto@nwc.com.