Vendors Simplify Authentication

Welcome Guest. | Log In| Register | Membership Benefits

June 03, 1999 (5:22 PM EDT)

By Salvatore Salomone,

As the number of remote workers and telecommuters grows, IT managers need stronger and easier ways to authenticate these users.

This has been a tricky task for most IT managers.

"I think most people will agree that we need something stronger than a user name andpassword today," said Ronald Brendon, information systems director at the accounting company Randall, Kline and Browner.

Many IT managers are moving toward token-based systems that use one-time dynamic passwords. And some are looking to biometric authentication that uses fingerprint, eyeball, or face scans to identify users.

But other IT managers have held back deployment because of the perceived difficulty in administering the systems.

Security Dynamics Technologies and a couple of biometric industry groups are planning to change that.

Security Dynamics last month ported its SecurID token-based authentication system to 3Com's Palm Computing platform.

This eliminates the need for a remote user to have a PC or carry a dedicated authentication device such as a smart card.

And it seems to work around common problems many IT managers have faced.

"When we started using a token-based system, we had a tough time with simple things," Brendon said. For example, users sometimes left their tokens at home when traveling. "We needed to educate the users about carrying the token, and we needed to develop procedures to get them access when they were in that situation," he said.

The Palm system seems to get around that problem because users are not likely to forget to bring their Palm handhelds, since they rely on them for schedule and contact information.

The SecurID software for the PalmPilot is available now. The software operates on the PalmPilot Professional and Palm III devices and is priced at $24.

Token-based systems are fine for most IT managers, but some are interested in using biometric devices for authentication. To date, IT managers have shied away from using biometrics for a couple of practical reasons.

"There's been virtually no interoperability between different vendor devices and there is no easy way to integrate biometric authentication in existing applications," said Raymond Lopez, a consultant at Rosewall and Associates, a consulting company that designs and installs remote-access systems.

As a result, IT managers have been locked into single-vendor and single-application implementations. Lopez contends that this represents a large obstacle to using biometric devices in many companies.

For example, an IT manager might want to use a fingerprint reader in the office and a hardware token in the field, where a user simply plugs the physical device into a receptacle that reads it to gain access. "Typically, a combination like this is an administrative nightmare since it requires two different systems to be in place," Lopez said.

However, there are efforts under way to overcome such obstacles.

Earlier this year two industry groups -- the BioAPI Consortium and the Human Authentication API Working Group -- banded together to develop a unified biometric API.

The effort promises to let disparate systems work together by letting manufacturers separate out the physical device-specific software from the authentication part of an application. This way, different devices would all use the same software routines and commands to perform user authentication.

The common software architecture that a single biometric API offers also could make it easier to extend biometric authentication to multiple applications within a corporation, according to Lopez.