Applications at their fingertips
- By Dan Caterinicchia, Dan Caterinicchia
- Aug 09, 2004
Remembering complicated passwords or personal identification numbers is no longer necessary for at least 1,300 Defense Department employees who are using new technology to access their computers.
The group, part of the Office of the Assistant Secretary of Defense for Networks and Information Integration (NII), is one year into the pilot test of a program that enables users to sign on to their computers and access applications using only a fingerprint authentication system.
John Woodward, director of DOD's Biometrics Management Office, said NII officials first conducted a pilot implementation of 200 fingerprint authentication systems from DigitalPersona Inc. in April 2003 and began the full-scale deployment of 1,300 devices last September.
Once users place their fingers on the fingerprint reader attached to their computers and are verified, DigitalPersona Pro's Total Password Automation application and fingerprint recognition hardware allows DOD employees to access up to 22 Microsoft Corp. Active Directory files. The system is also interoperable with DOD's Common Access Cards, which increases overall information assurance levels, said Vance Bjorn, chief technology officer and vice president of DigitalPersona, based in Redwood City, Calif.
"The core security threat our product solves is addressing the human factors of security," such as password and PIN caching and sharing and using easy-to-guess passwords or writing them down, Bjorn said. "It solves the social aspects of security. These types of threats cannot be solved by asking people to choose a longer password or carry a card."
Since the program's inception, help-desk calls for password-related assistance at DOD have declined by more than 90 percent, said Charlie Ahrens, DigitalPersona's director of government relations.
The company's solution includes fingerprint sensors and software for replacing passwords for Windows user accounts, applications and Web sites as well as the process for registering fingerprints. It also includes Pro Server, which provides secure, server-based authentication; network-based administration tools; and centralized storage of user records with replication failover support.
Users no longer have to remember their passwords to access systems and applications on their computers. Using the DigitalPersona system, administrators can recognize a fingerprint as a password and match it with the image stored on the server. This means the actual scripts can be as long, random and complex as necessary without additional work for users, Bjorn said.
"It's a [commercial off-the-shelf] solution solving a problem [users] have," he said. "We're not just providing a technology building block. Our approach is to be an out-of-the-box solution that augments Active Directory."
But that doesn't mean that DigitalPersona officials didn't tweak their product to meet DOD specifications, including CAC compliance. All users must log in using the cards by later this year.
"We had to refresh the front end to support the CAC log-in," Ahrens said, adding that the solution has also met Common Criteria Evaluation and Validation Scheme certification. "If we didn't do it, [DOD officials] wouldn't be able to buy us."
Common Criteria is an international security standard for technology products. The National Institute of Standards and Technology and the National Security Agency's National Information Assurance Partnership oversee Common Criteria implementation in the United States.
"One of the challenges was adapting the biometric application to work in an environment where information assurance systems and policies were designed for passwords," Woodward said. "For instance, policies that require changing passwords at specified intervals created some challenges when integrating the biometric application."
The desktop systems cost $140 each and there is a $40 per user charge, which means the total cost to DOD was about $250,000, Woodward said.
George Smith, a senior fellow at GlobalSecurity.org, said there's nothing intrinsically wrong with adopting fingerprint sign-on, but the technology does not solve DOD's or the intelligence community's top problems.
"The challenge is not in developing better technical processes for accessing computer-stored information nearly as much as it is raising the intellectual skills and abilities of the people using such materials once they have access to them," Smith said.
Woodward said NII officials would continue to develop the system's capabilities as new versions become available.
Caterinicchia is a freelance writer based in Washington, D.C.
Defense Department officials have distributed a fingerprint authentication system to 1,300 employees with the DOD's Office of the Assistant Secretary of Defense for Networks and Information Integration.
Some of the benefits and drawbacks of the system include:
Users no longer need to memorize complicated passwords or personal identification numbers.
The system is interoperable with DOD's Common Access Cards for enhanced information assurance.
The system is affordable and has a quick implementation cycle.
Password security isn't one of the huge challenges facing government agencies trying to enhance information security and fight the war on terrorism, according to some security experts.
The system does not significantly enable workflow. Rather, it provides a different method of entry.