Biometric authentication a choice for banks

By Jennette Mullaney, Assistant Editor
12 Oct 2006 | SearchSoftwareQuality.com


Biometrics may be regarded with suspicion by some, and doubts have been cast on its reliability. But Daren Mehl, assistant vice president of information technology at the United Bankers' Bank (UBB), will assure you that it is trustworthy.

The Bloomington, Minn., bank, with its 1,200-plus bank clients and 2,600 users, hasn't experienced one security breach since adopting biometric authentication in 2001, Mehl said. And it has maintained this enviable security profile while conducting many sensitive, high-money online transactions.

When the UBB switched from a proprietary dial-in arrangement to an Internet-based system, it considered a number of authentication options. There was concern, naturally, about high-dollar wire transfers and other large transactions.

Initially the bank looked at more traditional options such as digital certificates and USB tokens, but those methods didn't seem very secure, Mehl said. Eventually the bank settled on fingerprint biometric authentication, and after considering several vendors chose DigitalPersona as a provider.

Fingerprint biometrics
DigitalPersona, which is based in Redwood City, Calif., focuses exclusively on fingerprint biometrics. Chip Mesec, senior product marketing manager at DigitalPersona, outlined three major steps for secure fingerprint authentication:

  1. Capturing the fingerprint
    A fingerprint reader captures a compressed bitmap image of the print. "Most readers encrypt that within the chip set," Mesec said. This information is then transferred to the workstation or server.
  2. Extraction
    For the extraction process, DigitalPersona uses its own unique algorithm to convert the fingerprint information to minutiae points. The information is then encrypted again for transfer.
  3. Registration or verification
    A new template may be registered and stored in an encrypted database. A template for verification is matched to the registered template on file in the encrypted database.

Within the UBB system, information is encrypted "two or three times at different levels," Mehl said. And because the entire system -- all of the software and hardware -- is part of a DigitalPersona package, the various components are designed to work together smoothly and securely.

Compliance & convenience
Long before the Federal Financial Institutions Examination Council (FFIEC) "guided" banks toward two-factor authentication to secure online transactions, the UBB had already embraced multifactor authentication.

The first factor is the fingerprint authentication. The second factor is the finger sensor itself. Finger sensors are attached to UBB workstations, as well as workstations at the bank's client offices. Each sensor has a serial number and acts as a kind of token. Finger sensors can be locked down so that only registered serial numbers are accepted, refusing access from any sensor that is not on the bank's list. Additionally, individual users can be locked down to particular finger sensors, further tightening the system.
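To make the mechanics of the three-step pipeline above (capture, minutiae extraction, template verification) and of the sensor-as-token policy concrete, here is an added illustration in Python. It is not DigitalPersona's code or the UBB's system: their extraction and matching algorithm is proprietary, and the minutia format, tolerances, decision threshold, user names and sensor serials below are all assumptions. Two points it shows that the text only implies: biometric verification is a similarity score against a threshold, not an equality test (so a template cannot simply be salted and hashed like a password), and the threshold trades impostor acceptance against genuine users being locked out. The sensor serial is taken at face value, as the article does; in practice it is only a second factor if the reader authenticates it to the host.

```python
import math

# Tolerances and decision threshold: assumed values for this illustration,
# not DigitalPersona's (their extraction and matching algorithm is proprietary).
POSITION_TOLERANCE_PX = 8   # how far a minutia may drift between two captures
ANGLE_TOLERANCE_DEG = 15    # how much its ridge angle may differ
MATCH_THRESHOLD = 0.75      # fraction of enrolled minutiae that must be paired

# A template is a list of minutiae (x, y, ridge_angle_degrees). Step 2 of the
# article turns the captured image into this; the image itself is not kept.

def minutiae_match(a, b):
    """True if two minutiae are close enough in position and angle to be 'the same'."""
    if math.hypot(a[0] - b[0], a[1] - b[1]) > POSITION_TOLERANCE_PX:
        return False
    diff = abs(a[2] - b[2]) % 360
    return min(diff, 360 - diff) <= ANGLE_TOLERANCE_DEG

def match_score(enrolled, probe):
    """Fraction of enrolled minutiae paired one-to-one with a probe minutia.
    No two captures of one finger are byte-identical, so verification is a
    fuzzy comparison with a threshold, not a hash equality check."""
    unused = list(probe)
    paired = 0
    for m in enrolled:
        for i, p in enumerate(unused):
            if minutiae_match(m, p):
                paired += 1
                del unused[i]
                break
    return paired / len(enrolled) if enrolled else 0.0

def error_rates(genuine_scores, impostor_scores, threshold):
    """(false-reject rate, false-accept rate) at a threshold. Raising it makes
    impostors less likely to pass and genuine users more likely to be refused."""
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    return frr, far

class BiometricAuth:
    """Step 3 (registration/verification) plus the sensor-as-token policy."""
    def __init__(self):
        self.templates = {}             # user -> enrolled template (encrypted at rest in UBB's system)
        self.registered_sensors = set() # serial-number allowlist
        self.user_sensors = {}          # user -> serials that user may log in from
        self.audit = []                 # (user, serial, outcome, detail)

    def register_sensor(self, serial):
        self.registered_sensors.add(serial)

    def enroll(self, user, template, sensors=()):
        self.templates[user] = list(template)
        if sensors:
            self.user_sensors[user] = set(sensors)

    def verify(self, user, sensor_serial, probe):
        # Token factor: the sensor must be one the bank registered.
        if sensor_serial not in self.registered_sensors:
            return self._decide(user, sensor_serial, False, "unregistered sensor")
        # Optional tightening: this user may be bound to specific sensors.
        bound = self.user_sensors.get(user)
        if bound and sensor_serial not in bound:
            return self._decide(user, sensor_serial, False, "user not bound to this sensor")
        enrolled = self.templates.get(user)
        if enrolled is None:
            return self._decide(user, sensor_serial, False, "no enrolled template")
        # Biometric factor: the fingerprint itself.
        score = match_score(enrolled, probe)
        return self._decide(user, sensor_serial, score >= MATCH_THRESHOLD, f"score={score:.3f}")

    def _decide(self, user, serial, ok, detail):
        self.audit.append((user, serial, "accept" if ok else "reject", detail))
        return ok

# Constructed sample templates (not real fingerprint data).
ENROLLED = [(20, 30, 45), (60, 35, 120), (100, 40, 200), (40, 80, 300),
            (80, 90, 10), (120, 100, 90), (50, 130, 180), (90, 140, 270)]
# Same finger re-captured: every minutia jittered by a few pixels and degrees.
GENUINE_PROBE = [(23, 28, 50), (58, 37, 115), (104, 42, 205), (42, 77, 295),
                 (77, 93, 14), (118, 103, 85), (53, 133, 186), (88, 144, 266)]
# Same finger, poorly placed on the sensor: only five minutiae captured.
PARTIAL_PROBE = GENUINE_PROBE[:5]
# A different finger altogether.
IMPOSTOR_PROBE = [(25, 60, 100), (70, 20, 30), (110, 70, 250), (30, 110, 60),
                  (85, 60, 340), (130, 130, 150), (60, 150, 20), (100, 120, 200)]

def build_demo_system():
    auth = BiometricAuth()
    auth.register_sensor("DP-0001")   # serial numbers are assumed
    auth.register_sensor("DP-0002")
    auth.enroll("alice", ENROLLED, sensors=["DP-0001"])   # alice locked to one sensor
    return auth

if __name__ == "__main__":
    auth = build_demo_system()
    print(auth.verify("alice", "DP-0001", GENUINE_PROBE))   # True
    print(auth.verify("alice", "DP-0001", PARTIAL_PROBE))   # False: genuine user, bad placement
    print(auth.verify("alice", "DP-0001", IMPOSTOR_PROBE))  # False
    print(auth.verify("alice", "DP-0002", GENUINE_PROBE))   # False: registered sensor, not hers
    print(auth.verify("alice", "DP-9999", GENUINE_PROBE))   # False: unregistered sensor
    print(error_rates([1.0, 0.625], [0.0], MATCH_THRESHOLD))  # (0.5, 0.0)
    for entry in auth.audit:
        print(entry)
```

The partial probe is the interesting case: a legitimate user with a smudged or badly placed finger scores 0.625 and is refused, which is the false-reject side of the threshold and the reason the article's note about hard-to-scan fingers matters operationally. Every decision, including the refusals, lands in the audit list, which is the kind of trail the compliance discussion later on the page relies on.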

With the January 2007 FFIEC deadline looming, will more banks consider biometrics? Mehl said they will. The UBB's clients have been very satisfied with the technology, he added. A few of the banks have even adopted the technique to secure their own workstations.

In addition to the FFIEC guidelines, the DigitalPersona biometric package may help the UBB comply with other regulations, including the Sarbanes-Oxley Act (SOX) due to its use of tracking tools. "There's an audit trail, and it's convenient," Mesec said.

Embracing biometrics
The transition to biometric authentication was easy, Mehl said. The UBB tested the system internally to lock down its own workstations. After a year, the bank began expanding the program.

Mehl maintains that there was little resistance among clients to the authentication program, and the few concerns voiced were quickly allayed. "There were a couple of people who thought of Big Brother," recalls Mehl, "but we're not actually storing their fingerprint as a picture" in a database. DigitalPersona emphasizes in its privacy policy that once fingerprints are converted into templates and stored they cannot be converted back. An image of a fingerprint cannot be retrieved from the database.

Registering the fingerprints of 2,600 people "wasn't really much of a problem," Mehl said. No training was necessary. Initially, the biggest stumbling block was teaching people how to correctly place their fingers on the sensor. But users, armed only with "instructions and a few screen shots," resolved the issue independently.

A certain percentage of people have difficult-to-scan fingerprints due to anomalies in the skin, injuries, scars and other features. However, all of UBB's users are able to work with the sensors, Mehl said. Once registered, users may log on using only their fingerprint, no password required. One of DigitalPersona's big selling points, in fact, is that its systems eliminate "password management problems."

The future of biometrics
As the market for biometrics widens, fingerprint sensors are "going to be a standard on PCs," Mehl predicted. Certain types of Dell, HP and Toshiba notebooks come with fingerprint sensors already embedded. DigitalPersona offers software to enable biometric authentication on these computers.

However, there remains a stigma on fingerprinting in the U.S. It's seen as intrusive, Orwellian and associated with criminals. Mesec said biometric authentication is more popular in Latin American and Asian countries where there is less of a stigma associated with fingerprinting.

While banks and other institutions look toward alternative authentication methods, biometrics may gain wider acceptance in the U.S. A success story like the UBB's, with its glowing security record, might turn a few heads. Of course, the more popular biometrics becomes, the more hackers will target it.

As an IT professional, Mehl is well aware of the limitations of any security measure, but he remains optimistic. "From my Web programmer's perspective, it's a really resilient system," he said. "I'm paranoid, and I can sleep at night."
