FOCUS

Technology – Security

Identity crisis
From hospital wards to the boardrooms of oil companies, biometric technologies are being used increasingly to authenticate access to IT systems. But does this all spell the end of the password?

There can be few less likely places to find the application of seriously cutting-edge technology than the boardroom of a staid oil giant. But one such organisation has kitted out its independent directors with the latest in biometrics - technologies that analyse physical characteristics for identity and authentication purposes. When this venerable collection of ex-politicians, lawyers and business leaders gather for board meetings, they bring with them custom-made handheld computers that can only be accessed by placing a fingerprint over a scanner built into the device.

For this ageing group of men, the selling point appears to be that they no longer have to remember PINs and passwords. For the company, the upside comes from faster decision-making, assured security and lower support costs.

The same benefits are being seen elsewhere. Intensive care doctors and nurses at the Royal National Orthopaedic Hospital (RNOH) in London are using a combination of smartcards and fingerprint readers on keyboards to access patient records at the bedside. The hospital's head of IT and networks, Steve Pickup, says there have been some teething problems - the readers may not function properly if fingertips are too dry or too greasy - but generally the project has been a success: records are more secure, and they can be accessed quicker, saving valuable time. "It's our ambition to put a fingerprint access terminal on every bedside in the hospital," he says.

There are further flavours of biometrics. Rather than roll out fingerprint-based systems, the EHS Brann advertising agency chose to install iris readers on every door when it moved into new premises in London's fashionable Clerkenwell area. "We wanted to make it a groovy, high-tech office," says Kathy Gruzas, the agency's IT manager. But there was a more serious consideration - the vulnerability of non-biometric security. "In our last office we had swipecards, which caused endless hassle - people kept losing or sharing them, and it was expensive to administer. The biometrics system works very well."

Early adopters they may be, but the positive experiences of these organisations are likely to persuade others to take a closer look. Indeed, according to some observers, biometrics is finally about to make the long-talked-of crossover from expensive, futuristic toy to fundamental enterprise security technology.

One big difference is that increasing numbers of people are about to become a lot more familiar with biometrics. Defying privacy campaigners, David Blunkett, the UK's home secretary, wants to put biometric identifiers on national ID cards, while the European Commission is exploring the possibility of making fingerprints mandatory on all European
Union passports. Already visa holders entering the US are being electronically fingerprinted as they enter the country and that data matched against their machine-readable passport information.

"We're starting to see government organisations using biometrics," says Carl Gohringer, head of new business development at NEC Security Systems, which is providing biometric systems to an ongoing UK passport trial. "They are the first to take it up for their internal employee management too."

New post-Enron corporate regulations, such as the Sarbanes-Oxley Act, have also fuelled demand. Biometric systems are helping to fulfil the need laid down by such new rules for a full audit trail of users' document access and transaction execution.
Traders at Dutch bank ABN Amro, for example, are using fingerprint authentication on every desktop terminal to speed up the authorise transactions - a critical business advantage over passwords when price fluctuations can determine the difference between a profit or loss on the deal. The system also plays another key role: it identifies exactly who authorised the deal.
As well as improving security, biometric systems are sold on the basis that once installed, they save money. There are few major costs after installation, say suppliers, and IT staff are largely freed from time-consuming administration that results from lost or forgotten passwords. In the first year, the costs of implementation are usually equivalent to the annual costs of administering a password-based system, say analysts; payback is generally obtained after about 18 months.

Companies with high staff turnover can particularly benefit. NEC Security Systems says that a major UK retailer, prior to adopting one of its biometric systems, found the job of managing passwords for its large and constantly-changing workforce so big that it felt compelled to employ six IT staff to do nothing else.

Steve Barnett, chairman of ISL Biometrics, the software specialist behind the Royal National Orthopaedic Hospital project, outlines the cost savings his fingerprint authentication systems brought for a customer that had outsourced its IT department. The customer's IT services supplier charged $70 each time it had to reset a password, which tended to generate big fees: the customer had about 4,000 employees, each using around six passwords. According to ISL figures, password management generally costs about $120 a year per employee, while a fingerprint access system has one-off costs of around $100 per user plus ongoing software support.

The eyes have it
Different biometric methods have their proponents. Some say that fingerprint-based systems are the most cost-effective solution. Others, such as Professor John Daugman of Cambridge University, who holds the patents for all iris scanning processes currently used, sees iris scanning technology as more foolproof. "The great strength of iris recognition is that it never makes false matches," points out Daugman.

But when choosing between different biometric methods, businesses should not base their decision only on the upfront cost, says Anthony Allan, an analyst at IT market consultancy Gartner. "With biometrics, you get what you pay for," he says. "Security for under $100 per user is very attractive but the characteristics are not good enough for enterprise use." Companies should budget for at least $200 per user, he suggests.

One problem that cheaper iris scanning systems encounter, for example, is that they can be fooled if a photograph of an authenticated user is held up to the reader. Daugman says this risk is eliminated by more sophisticated systems that check for signs of movement in the pupil or eyelid. Equally, the Japanese mathematician who managed to fool an older biometrics system by building moulds of fingerprints from the type of gelatin typically used to make confectionary might not have been successful if he had been testing costlier silicon sensors. Still, the Japanese test has alarmed experts. "If he could do this, then any semi-professional can almost certainly do much, much more," says security guru Bruce Schneier.

Professor Brian Collins of Cranfield University, a former director of technology at the government's signals intelligence agency, GCHQ, notes that there are other ways of abusing biometrics. By knocking out the database that holds biometrics information, 'denial of service' hacker attacks could be just as harmful on a large scale as the compromising of the data itself.

He warns that organisations must take seriously the process of enrolling new users. "Screening someone on the basis of only one credential [such as a birth certificate] is a very dangerous thing to do," he says. "Proof of originality, as opposed to identity, starts to become the main problem." Birth certificates really need DNA-based biometrics verifying them, he says.

There are other security issues. Samir Kapuria, director of strategic solutions at digital security services company @stake, says most of his corporate customers see biometrics as "an art form, not a science". Just because the technology works well in trials, it does not necessarily mean it will scale well or prove resilient to as-yet-undiscovered threats, he says. As that underscores, the technology is still maturing. Errors from some fingerprint and iris scanning systems tend to be as high as around one in every 100 people tested, say experts. Cases in which unauthorised users gain entry to a system are extremely rare, but when they occur they pose a bigger risk than when, say, a single password is hacked.

These are not insurmountable problems, but even some suppliers accept that they must be resolved before biometrics will appeal to the mainstream corporate market. "Interest is still outstripping implementation by quite a long way," admits Jackie Groves, UK managing director of Utimaco, which develops biometrics hardware and software products as well as other security products.

More of a lead bullet
As an example of a business that has so far failed to convert interest in biometrics into a widespread implementation, the case of Nationwide Building Society is instructive. In recent years, it has tested just about every available biometrics system imaginable, from iris recognition to speech verification. Although the trials were deemed successful - in that users were not unduly fazed and the installations went smoothly - executives remain reluctant to roll out biometrics. "We continue to take an active interest," says David Followell, the head of Nationwide's business futures and usability unit, "but we will only progress with it once we are convinced of the customer and business benefits of doing so." Amid the hype, it is easy to forget that biometrics is only another arm of IT security. General security principles apply; given the degree of faith that users tend to place in biometrics, it is important to follow them.
David Porter, head of operational risk at specialist IT consultancy Detica, accepts that biometrics is not the security sector's 'silver bullet'. "I don't think any technology will ever be 100% reliable, because you will always have people and sloppy processes involved. A seemingly foolproof biometric system can still be scuppered by employees using it in the wrong way."

Given that, biometrics should form only one part of a wider ID management system, he says. "I'm afraid you'd be crazy to use biometrics on its own. This nirvana of 'the end of password' is not true." He advises combining biometrics with another system - 'second factor authentication' in the jargon - such as smart cards. John Madeline, director of corporate and business development at RSA Security, agrees. "We are just beginning to see second factor authentication moving mainstream. Most people are still only taking the initial steps towards understanding that just a password is not good enough and a second factor is going to be key," he says.

Indeed, it may be several years, at least, before the corporate use of biometrics becomes commonplace. One day, all PCs and wireless devices may come with some form of biometric reader; already, one of the world's biggest computer makers, Hewlett-Packard, is issuing staff with PDAs that are activated through built-in fingerprint readers. The hope is that such identity systems will be a key part of a single sign-on system that will automatically grant pre-defined privileges to the user, perhaps removing the need to tap in PINs and passwords to access different systems.

Even then, however, biometrics are still likely to form only one part of a much wider identity and authentication system. But when the technology matures, its use could go from the niche to the universal. Fingerprint readers or voice authentication could be indispensable to the use of wireless commerce through mobile phones, while fingerprint-activated smart cards could soon replace credit cards and loyalty cards.

Biometrics may not necessarily spell the end of the humble password, but it ought to herald a new wave of security applications. It should also one day remove many of the costs and the vulnerabilities of the current generation of security systems.
Author: Tim Bradshaw

Technology – Software

Gates presses ahead with 'Longhorn' despite EC ruling
Bill Gates appeared to brush off the European Commission (EC) ruling against his company and its alleged market abuses by insisting that test copies of the next major update of Windows will be shipped as planned by the end of 2004.
Gates, appearing at analyst firm Gartner's conference in San Diego, also said it was "valid speculation" that the commercial versions of the 'Longhorn'-codenamed operating system would appear some time in 2006.

He added, however, that it was not a "date-driven release", unlike some Microsoft products.
'Longhorn' has been subject to delays in the past, but an informal timetable of late-2004 for the 'alpha' version and late-2006 for the commercial version is believed to have been in place for some time. Significantly, its release does not appear to have been affected by the EC ruling.

Speculation that Microsoft might feel compelled to alter the make-up of 'Longhorn' – perhaps by selling some components separately – has been rife since the EC judged that its practice of 'bundling' new features, such as video applications with the Windows operating system, amounted to an abuse of market power.

By sticking to Longhorn's informal schedule, Microsoft is indicating that its plans for the release have been unaffected by the developments in Brussels.
Leaked copies of initial versions of 'Longhorn' suggest the operating system will be bundled with new security features, an updated file server and an embedded search engine product.
While some Microsoft executives and legal advisers have expressed barely disguised dismay at the EC's judgement, Gates gave little away when pressed about his reaction.

He acknowledged that there were issues still to be resolved, although there "will be several more years of process in Europe" to get to that point. He added: "People want more capability in Windows. There are some legal issues about how we package that up, how we license it, how we engineer it."

The EC imposed a record fine of $615 million on Microsoft last week. It also ordered it to open up key product interfaces to competitors and told it to unbundle its Media Player package from Windows.

Importantly, the ruling is designed to set guidelines for Microsoft's future actions as well as punish it for alleged past transgressions. Although it is a matter of conjecture, legal experts argue that Microsoft might face fresh legal challenges if it continues to bundle new features already available from other suppliers in future versions of Windows.

The ruling has provoked anger among many US politicians and the EC has reportedly come under intense pressure to reach a settlement with the software giant.
Author: Dominic Tonner

e-Business – Shopping online

BA considers options for Opodo stake
British Airways is reportedly planning to offload its stake in travel website Opodo to travel technology firm Amadeus.
A report in the Mail on Sunday said that Amadeus is planning to take full control of Opodo by buying BA's 20% share and adding it to its current EU33m or 17% stake.
Opodo issued a statement today saying that it would not comment on speculative matters. It did however say: "We can confirm that the executive board and shareholders of the company are looking at ways of growing the business. This may take the form of acquisitions, moving into new markets, additional investment, or changes to shareholder structure."
Opodo added that its shareholders were all still 'fully committed to Opodo', which was launched with the backing of nine European airlines in 2001 to compete in the fast-growing online travel sector.
BA followed up with a supporting statement: "British Airways and the shareholders of Opodo are currently looking at ways of how to grow the Opodo business. This may or may not lead to a change of shareholding structure, however, as no decisions have been taken, any reports are premature and speculative."
The airline added that it would continue to use use Opodo as a distribution channel.


HIGHLIGHTS


Internet – ISP

Wanadoo To Stop Using Freeserve Brand Name
Wanadoo, a European ISP, will replace the name of its Freeserve provider this summer with its own, the Guardian said, without saying where it got the information.
Source; The Guardian, March 04