Biometric Security Done Right

When I wrote about current biometric security devices recently, I was a bit disappointed that the security on these devices wasn't that robust. (Actually, Fujitsu's PalmSecure sounds pretty sharp, so I shouldn't group that with the other technologies.) But shortly after that article was published, I was contacted by Stephen Nation with Nation Technologies, a small start-up that specializes in a biometric-based security product called BIOWRAP.

Unlike a lot of the current biometric products, which offer convenience and a little bit of security (plus some added risk), BIOWRAP is all business when it comes to security. It offers two-factor authentication (username/password and fingerprint recognition), and it has an extensive verification process, which I'll get to. Finally, another advantage of BIOWRAP is that it offers one central management infrastructure for the biometric identity, versus having a bunch of separate biometric identities (which is just as confusing as today's username/password situation.)

"The biometrics market today is focused on biometrics simply as a matter of convenience. I mentioned facility control and access management—that's really a convenience. Yes you have an additional level of security and transparency, but it conveniently allows you to get access to the door, or log in to your PC, but outside that transaction there's no value to the biometrics. And I say that because it's typically a self-enrolled or admistrative-enrolled biometric, and outside that enterprise or PC there's no true value to it. And it requires every time you perform a transaction in a separate system, you have to do another enrollment. So we get back to this same model where you have 10 identities, or 10 biometric identities, that are all credentialed, as opposed to having a single source of identity," said Nation.

Founding Principles of BIOWRAP
Essentially, BIOWRAP cuts through the clutter by offering one central management system, but then puts extra verification processes in place to make sure that that one identity is really secure. The primary way that they do this is in the initial verification process. Before you can get an identity, you need to meet with a notary-like individual called a registar. The registrar meets with you in person, and only by that individual being an eyewitness to your biometric scanning (and running the same type of proof-of-identity checks that a financial company would when you want a loan) can you get the identity. Oh, and they have to verify this process with their own fingerprint scan too.

Sound a little over the top? Perhaps, but if you're a financial or medical company, a government agency, or any enterprise that handles loads of sensitive data, it's better safe than sorry. "In today's environment, there's no way to prove that a person is physically present to indicate they are who they say they are. It's a username/password, or a token, or something. But with the registrar, they have to be physically present, and have to verify that they are physically present with their own fingerprint," said Nation.

So, let's assume the company has a pretty good idea that you are you. From there, Nation Technologies performs two more security steps. The first is make sure to use high-quality fingerprint readers. All readers are not created equal, and the best readers can choose what level of resolution to scan for, weighing convenience (more false positives) against security (more false negatives). According to Nation, "I've had this system up and running and have yet to hear of a false positive."

The second step is to also have a username/password authentication. The username and password are encrypted and the password isn't stored anywhere, but it promises that even if someone can somehow get your fingerprint, they still won't be able to get in. (Similarly, your username and password are useless without your finger.)

Additionally, this multi-factor authentication makes the biometric scan more accurate. Instead of skimming through a database of available fingerprints in your company, this system knows exactly who it's looking for (because of the username/password), so it's just scanning your fingerprint reading against it.

"When you perform the authentication [with other solutions], it has to scan through all the other fingerprints to match against the enrolled fingerprint. That's why we operate with multiple-factor authentication—username, password, and fingerprint. We perform a one-to-few comparison," said Nation

As one final feature, you can create contact groups and have access based on the groups. For instance, if HR is a group, you could make all personnel files encrypted access to work only for people in HR. "It's basically an Active Directory on steroids," said Nation.

Implementation Details and Cost
The BIOWRAP technology currently works for hardware logins, file access, and facility access. BIOWRAP has a standalone file management solution that comes with it, but most enterprises will prefer to integrate it with their existing content management system in place. (It currently does not integrate with SharePoint but it may in the future.) Down the road, the technology should also work with website logins.

The per-device cost of BIOWRAP is: $250 for a one-time set up, and a licensing fee is $20/month for unlimited usage and support. BIOWRAP has just recently made its national debut—Nation Technologies was founded in 2005.

To learn more, visit the Nation Technologies website. 

Related Reading: