Biometrics may be regarded with suspicion by some, and doubts have been cast as to its reliability. But Daren Mehl, assistant vice president of information technology at the United
The Bloomington, Minn., bank, with its 1,200-plus bank clients and 2,600 users, hasn't experienced one security breach since adopting biometric authentication in 2001, Mehl said. And it has maintained this enviable security profile while conducting many sensitive, high-money online transactions.
When the UBB switched from a proprietary dial-in arrangement to an Internet-based system, it considered a number of authentication options. There was concern, naturally, about high-dollar wire transfers and other large transactions.
Initially the bank looked at more traditional options such as digital certificates and USB tokens, but those methods didn't seem very secure, Mehl said. Eventually the bank settled on fingerprint biometric authentication, and after considering several vendors chose DigitalPersona as a provider.
DigitalPersona, which is based in Redwood City, Calif., focuses exclusively on fingerprint biometrics. Chip Mesec, senior product marketing manager at DigitalPersona, outlined three major steps for secure fingerprint authentication:
- Capturing the fingerprint
A fingerprint reader captures a compressed bitmap image of the print. "Most readers encrypt that within the chip set," Mesec said. This information is then transferred to the workstation or server.
For the extraction process, DigitalPersona uses its own unique algorithm to convert the fingerprint information to minutiae points. The information is then encrypted again for transfer.
- Registration or verification
A new template may be registered and stored in an encrypted database. A template for verification is matched to the registered template on file in the encrypted database.
Within the UBB system, information is encrypted "two or three times at different levels," Mehl said. And because the entire system -- all of the software and hardware -- is part of a DigitalPersona package, the various components are designed to work together smoothly and securely.
Compliance & convenience
Long before the Federal Financial Institutions Examination Council (FFIEC) "guided" banks toward two-factor authentication to secure online transactions, the UBB had already embraced multifactor authentication.
The first factor is the fingerprint authentication. Another factor is the finger sensor. Finger sensors are attached to UBB workstations, as well as workstations at the bank's client offices. Each sensor has a serial number and acts as a kind of token. Finger sensors can be locked down so that only those registered are accepted, eliminating the possibility of rogue sensors being granted access. Additionally, individual users can be locked down to particular finger sensors, further securing the system.
With the January 2007 FFIEC deadline looming, will more banks consider biometrics? Mehl said they will. The UBB's clients have been very satisfied with the technology, he added. A few of the banks have even adopted the technique to secure their own workstations.
In addition to the FFIEC guidelines, the DigitalPersona biometric package may help the UBB comply with other regulations, including the Sarbanes-Oxley Act (SOX), due to its use of tracking tools. "There's an audit trail, and it's convenient," Mesec said.
The transition to biometric authentication was easy, Mehl said. The UBB tested the system internally to lock down its own workstations. After a year, the bank began expanding the program.
Registering the fingerprints of 2,600 people "wasn't really much of a problem," Mehl said. No training was necessary. Initially, the biggest stumbling block was teaching people how to correctly place their fingers on the sensor. But users, armed only with "instructions and a few screen shots," resolved the issue independently.
A certain percentage of people have difficult-to-scan fingerprints due to anomalies in the skin, injuries, scars and other features. However, all of UBB's users are able to work with the sensors, Mehl said. Once registered, users may log on using only their fingerprint, no password required. One of DigitalPersona's big selling points, in fact, is that its systems eliminate "password management problems."
The future of biometrics
As the market for biometrics widens, fingerprint sensors are "going to be a standard on PCs," Mehl predicted. Certain types of Dell, HP and Toshiba notebooks come with fingerprint sensors already embedded. DigitalPersona offers software to enable biometric authentication on these computers.
However, there remains a stigma on fingerprinting in the U.S. It's seen as intrusive, Orwellian and associated with criminals. Mesec said biometric authentication is more popular in Latin American and Asian countries where there is less of a stigma associated with fingerprinting.
While banks and other institutions look toward alternative authentication methods, biometrics may gain wider acceptance in the U.S. A success story like that of the UBB, with its glowing security record, might turn a few heads. Of course, the more popular biometrics becomes, the more hackers will target it.
As an IT professional, Mehl is well aware of the limitations of any security measure, but he remains optimistic. "From my Web programmer's perspective, it's a really resilient system," he said. "I'm paranoid, and I can sleep at night."