Cyber-Sign gives secure feeling
- By Patrick Marshall
- Sep 20, 2000
Looking for an inexpensive, nonintrusive and secure way to control access
to applications and data? For many agencies and departments, Cyber-Sign
Enterprise Server 2.0 may be just the ticket.
We all know the problem with passwords: They can be forgotten, guessed
or stolen. That's the rationale behind biometric security systems, such
as fingerprint and retinal scanners. Unfortunately, many users are uncomfortable
having their biological characteristics measured and stored. That's where
Cyber-Sign's dynamic signatures come in.
Unlike security systems that depend upon passwords and even such static
biometrics as fingerprints, Cyber-Sign measures a dynamic human behavior — the act of writing. In addition to the shapes of the characters in the
signature, Cyber-Sign also measures the speed of signing, the pen pressure
and the stroke order. Even an excellent forgery wouldn't fool Cyber-Sign.
Signature profiles are stored on a single secure server. And because
Cyber-Sign employs TCP/IP, you can easily use it over the local-area network,
your wide-area network or the Internet. The Cyber-Sign Enterprise Server,
which runs on Microsoft Corp.'s Windows NT 4.0 Service Pack 4 or above,
stores signature profiles in a relational database. You have your choice
of employing either Microsoft's SQL Server (6.0, 6.5 or 7.0) or Oracle Corp.'s
Workgroup Server (7.3 or 8.0).
We found it extremely easy to register signatures, and it was significantly
easier than registering fingerprints with most fingerprint security systems.
The program prompts the user to sign his or her name three times in succession,
then reports whether the signatures registered successfully. The only trouble
we had registering signatures was that one user, whose normal signature
was an illegible scrawl, had to "clean up" his signature a bit.
Cyber-Sign strikes the right balance of flexible reading of signatures
and strong security. Even with significant variations in signing, legitimate
users were verified in each case. Test users attempting to copy signatures
were detected and flagged.
Cyber-Sign also does a good job of ensuring the security of its own
data. All communications between the server and clients — including signature
registrations — can be encrypted, and the administrator can set up to four
levels of client access, ranging from complete access to the ability to
verify only one's own signature.
For now, at least, the major weak point of Cyber-Sign is its lack of
software. If you want to use Cyber-Sign for accessing computers or operating
systems, you'll have to do some programming yourself using the Cyber-Sign
software developer's kit. The personal version of the kit and the client/server
Enterprise SDK each cost $2,750.
Similarly, little software is available for integrating Cyber-Sign with
applications. A Lotus Development Corp. Notes plug-in, which costs $100
per user, allows users to attach Cyber-Sign signatures to documents for
authentication. You can also use the plug-in to substitute signatures for
Another plug-in for Microsoft Windows ($30 per user) enables users to
attach signatures to Microsoft Office application documents. A new plug-in
for Adobe Acrobat ($100 for Acrobat itself and $50 per user for Acrobat
Capture) rounds out Cyber-Sign's offerings for integrating with other applications.
There is one other potential Achilles heel in the Cyber-Sign system:
the pen. All computers accessed through the Cyber-Sign system must be equipped
with writing tablets and pressure-sensitive pens. Simply keeping track of
the pen can, for some users, be a major challenge.