Biometric Readers
The most common type of biometric reader in use today is the fingerprint reader. More and more laptops are being shipped with built-in fingerprint readers, and USB fingerprint readers are readily available. Less common types of readers include the palm reader and a reader that measures the spread of the user's fingers and the pressure exerted against raised posts on the surface of the reader. Iris and voice recognition systems aren't routinely used today except in high-risk environments.
The principle behind biometric readers is simple. The reader measures the biometric being scanned and reduces it to a unique value, usually a hash. For example, a fingerprint reader might calculate the ratio between ridges and troughs on the presented finger and convert that into a hash value. A word of caution is necessary: Less-expensive biometric readers might present more Type I and Type II errors than more expensive readers. A Type I error is a false negative (e.g., a valid fingerprint or other biometric is falsely rejected). A Type II error, which is more worrisome, is a false positive (e.g., an invalid fingerprint or other biometric is wrongly accepted). Because of the fallibility of biometric technology, manufacturers of many biometric readers, including Microsoft with its Fingerprint Reader, recommend that you don't use the devices to control access to corporate networks or sensitive financial information. A biometric reader is inherently a one-factor authentication device, based on the assumption that everyone has unique biometrics. Some biometric authentication systems will require a user to also enter a PIN in an attempt to reduce the number of Type II errors.
If you choose to use biometric readers, you'll also need to deploy the software used to authenticate users. Before a biometric reader can be used, the people who will be authenticating via the reader will need to record their biometrics. Often multiple scans of each biometric are taken, and occasionally multiple biometrics are scanned (e.g., the index finger on the left and right hands). These recorded biometrics are then associated with the user's account. Each time a biometric is presented, the reader scans it and compares the resulting unique value against the values associated with user accounts to find the user who presented the biometric.
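The enrollment, identification and Type I/Type II behaviour described in the two paragraphs above, as an added example that is not code from the article or from any reader vendor. Real readers produce slightly different feature data on every scan, so the comparison is modelled here as a similarity score against a threshold (that fuzziness is what makes Type I and Type II errors possible); the feature vectors, users and PINs are constructed for illustration.

```python
import statistics

def enroll(scans):
    """Average several scans of one biometric into a single stored template."""
    return [statistics.mean(col) for col in zip(*scans)]

def similarity(template, sample):
    """1.0 for an identical sample, falling towards 0.0 as the sample diverges."""
    dist = sum(abs(a - b) for a, b in zip(template, sample)) / len(template)
    return max(0.0, 1.0 - dist)

def identify(templates, sample, threshold):
    """1:N identification: best-matching user if the score clears the threshold."""
    scores = {user: similarity(t, sample) for user, t in templates.items()}
    user = max(scores, key=scores.get)
    return user if scores[user] >= threshold else None

def error_rates(templates, genuine, impostors, threshold):
    """Type I = genuine user falsely rejected; Type II = impostor falsely accepted."""
    type1 = sum(identify(templates, s, threshold) != u for u, s in genuine) / len(genuine)
    type2 = sum(identify(templates, s, threshold) is not None for s in impostors) / len(impostors)
    return type1, type2

def authenticate(templates, pins, sample, threshold, pin=None):
    """Biometric match, optionally backed by a PIN to cut down Type II errors."""
    user = identify(templates, sample, threshold)
    if user is None or (pins is not None and pins.get(user) != pin):
        return None
    return user

# Constructed enrollment data: three scans per user, four features per scan.
TEMPLATES = {
    "alice": enroll([[0.10, 0.20, 0.30, 0.40], [0.12, 0.18, 0.30, 0.42], [0.08, 0.22, 0.30, 0.38]]),
    "bob":   enroll([[0.60, 0.50, 0.70, 0.20], [0.62, 0.48, 0.70, 0.22], [0.58, 0.52, 0.70, 0.18]]),
}
PINS = {"alice": "1234", "bob": "5678"}
# Constructed presentations: a clean and a noisy alice scan, a clean bob scan.
GENUINE = [("alice", [0.11, 0.21, 0.29, 0.41]),
           ("alice", [0.20, 0.30, 0.20, 0.50]),
           ("bob",   [0.61, 0.49, 0.71, 0.19])]
# Constructed impostors: one resembling alice, one resembling nobody enrolled.
IMPOSTORS = [[0.18, 0.28, 0.38, 0.48], [0.90, 0.90, 0.90, 0.90]]

if __name__ == "__main__":
    for threshold in (0.95, 0.80):
        t1, t2 = error_rates(TEMPLATES, GENUINE, IMPOSTORS, threshold)
        print(f"threshold {threshold}: Type I {t1:.2f}, Type II {t2:.2f}")
    print("impostor + PIN:", authenticate(TEMPLATES, PINS, IMPOSTORS[0], 0.80, pin="0000"))
```

Raising the threshold trades Type II errors for Type I errors; the PIN is what stops the near-match impostor once the threshold has been relaxed.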
Biometric readers are best used to minimize the number of credentials that users need to remember, not to eliminate the need for credentials. For example, when a user logs on to a Web site, the biometric authentication system records the credentials used and the action that submits the credentials to the Web site (e.g., clicking a logon button). When the user returns to the Web site, he or she simply presents the biometric to the reader, and the system fetches the credentials from a secure store, fills out the Web form, and simulates the action necessary to submit the credentials to the Web site and log on the user.
Federated Authentication Systems, SSO Solutions, and InfoCards
Although not replacements for credentials, federated authentication systems and single sign-on (SSO) solutions provide a way to reduce the number of credentials a user must manage. A federated authentication system is one in which Web services that a user accesses contact a directory or authentication server in the user's domain or forest (or equivalent) to obtain an authentication token that can be used to identify the user. The token is either mapped to a user account on the target system or is trusted in its own right by the application running on the target system. You can read more details about Microsoft's implementation of federated authentication, Active Directory Federated Services (ADFS), at http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx.
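The token flow the paragraph above describes, as an added example that is not Microsoft's ADFS implementation: the user's home directory issues a signed token, and the Web service in the other domain accepts it only from an issuer it federates with, then either maps the subject to a local account or trusts the claims in their own right. The token format, the shared signing key and the account-mapping table are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def issue_token(issuer, key, subject, groups, ttl=300, now=None):
    """Home-domain side: sign a short-lived set of claims about the user."""
    claims = {"iss": issuer, "sub": subject, "groups": groups,
              "exp": int((now or time.time()) + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, trusted_issuers, now=None):
    """Target-system side: claims if issuer, signature and expiry check out, else None."""
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        return None                       # issuer outside our federation
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                       # tampered or forged token
    if claims.get("exp", 0) <= (now or time.time()):
        return None                       # stale token presented again later
    return claims

def local_identity(claims, account_map=None):
    """Mapped mode: subject -> local account. Trusted mode: use the claims as-is."""
    if account_map is None:
        return claims["sub"], claims["groups"]
    local = account_map.get(claims["sub"])
    return None if local is None else (local, claims["groups"])

# Constructed federation setup: one trusted home domain and one account mapping.
KEY = b"constructed-shared-secret"
TRUSTED = {"corp.example": KEY}
ACCOUNT_MAP = {"jsmith": "web-jsmith"}

if __name__ == "__main__":
    tok = issue_token("corp.example", KEY, "jsmith", ["finance"])
    claims = verify_token(tok, TRUSTED)
    print("mapped:", local_identity(claims, ACCOUNT_MAP))
    print("trusted as-is:", local_identity(claims))
```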
An example of a Web-based SSO solution is the Microsoft Passport system (http://www.passport.com). Although predominantly used by Microsoft, there's no reason why an enterprise can't use Passport to permit users to authenticate themselves to that enterprise's Web sites. There's even support for Passport in Windows Server 2003 and Microsoft Internet Information Services (IIS) 6.0. For more details about how to use Passport with your Web sites, visit http://technet2.microsoft.com/WindowsServer/en/Library/34153b8f-c4ba-48b0-82e4-7e0a568aacd71033.mspx, where you'll find step-by-step instructions and links to additional resources. Note that before you can deploy a Passport-enabled Web application, you need to register with Microsoft and pay a fee. Microsoft has committed to ensuring interoperability between the Passport service and the solutions developed by the Liberty Alliance Project, a consortium dedicated to developing specifications that define federated identity management protocols (http://www.projectliberty.org).
Perhaps the most exciting development on the horizon that will address the problem of managing multiple sets of credentials is Microsoft's new InfoCard technology. Despite its name, InfoCard isn't a hardware device; it's a means to manage multiple identities in a consistent manner and is integrated into the user's Windows profile. You can find more information about InfoCard at http://msdn.microsoft.com/windowsvista/building/infocard.
The Password Dilemma
Managing access to networks and Web sites is a problem that every IT pro faces. Because of the problems associated with authentication methods that use a username and password, many companies are moving away from using them. I've given you some common and easy-to-use alternatives to usernames and passwords. In future articles, I'll delve into the details of how to deploy and use some of the technologies and solutions I've described.
There are a number of medical practitioners in my neighbourhood (UK, hence the spelling!!) such as Phlebotomists, Diabetic Nurses etc. who are employed by the State (National Health Service, roughly comparable with your Blue Cross organisation I believe) and spend time working in local practices.
For example, my phlebotomist is employed by the State, but actually works in 5 different medical practices, each with its own privately owned Windows network. She has a username and password at each location, each of which has a password renewal policy at different intervals, making remembering passwords difficult. What's a solution that would work across each location?
alizian, July 31, 2006