Date: 1/8/98 5:43:14 PM
From: Vin McLellan
Subject: [NTSEC] Biometric User Authentication Tech - long
To: ("Tagg Maiwald "@LOCAL)
CC: ("NT Security Mailing List "@LOCAL)
CC: (""@LOCAL)

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

Philip Brass queried the List:

>> I am trying to find information about NT-compatible security hardware
>> such as logon devices (Security Dynamics SecurID would be an example).
>> I am especially interested in information about biometric logon devices
>> and encrypting network cards. If anyone knows of vendors for this kind
>> of equipment (aside from Security Dynamics) please let me know.

SDTI has a rather special situation, since Microsoft added an undocumented call in NT to support their ACE/SecurID authentication. Prominent Microsoft/NT officials like Carl Karanan have also publicly recommended SecurID for high-security NT networks. I know of no other third-party security product that NT has been adapted to support. (Although symmetric and public key algorithms from RSA, an SDTI subsidiary, are woven into NT throughout the Microsoft product line, crypto seems a special case, not really a parallel.)

Tagg Maiwald responded to Mr. Brass by referring him to The National Registry, Inc. -- a good source, since NRI's Secure Authentication Facility (SAF) family of products, available for a variety of platforms including NT, have absorbed some of the newest developments, in both fingerprint imaging and voice authentication. (See: http://www.nrid.com)

See also KeyTronic at -- a big keyboard manufacturer which (like NRI) is expected to offer any day a much less expensive fingerprint reader which will use new technology from Veridicom, Lucent's first technology spin-off since it was itself split from Bell Labs, on KeyTronic keyboards.
(See: http://www.veridicom.com/) By rumor, these finger-image readers are expected to be priced at under $300, with the potential for rapid price drops with volume manufacturing.

Tagg also noted:

> Really, it is rarely dependent upon the hardware itself to be compatible
> with Windows NT.

True enough, but with the growth in the NT market (and particularly, the popularity of NT standardization in government at all levels) none of the app vendors who develop or promote biometric solutions will slight the NT users. Guaranteed!

> That being said, there are a few companies out there that offer such
> products
> Mostly, medical and info-secure centers are the primary consumers of this
> technology; since, during its present infancy, effective technology is
> prohibitively expensive for casual implementations.

Whoa! That's just not true. I respectfully suggest Tagg is about three years out of date with his information on biometric technologies, price/performance, and the market -- which means he might as well be sending in a commentary from Mars.

Biometric authentication technologies (using a digitized record of "something one is") are blazing into the market like a swarm of comets: with new and rapidly improving technologies and a price/performance curve that seems to be approaching Moore's Law (as the previously-modular circuitry is integrated in silicon.) Lucent, IBM, Oki, Novell, and Thomson-CSF, among others, have made huge investments in this area in just the past year.

As an example, it is widely expected that one of the new hotshot digital finger-imaging technologies -- Veridicom's technology, developed by Lucent/Bell Labs here in the US, or the new "thermal imaging" FingerChip tech from Thomson-CSF Semiconducteurs Specifiques (TCS) in France -- could soon drop to $100 per scanner with volume manufacturing. That's low enough to expect it to be incorporated in mid-range laptops, for example.
(The Lucent and Thomson breakthroughs both seem to use a single chip-sensor to capture the finger-image. On these chips, tiny capacitive sensors capture the fingerprint image by measuring the differences in electrical charges between the fields and ridges of the skin. This is far beyond the "advanced" optical scanning tech that Tagg described.)

Actually, it's unclear to me whether the most important advances have been in the innovative finger-imaging technology, or in advanced one-chip designs (and manufacturing processes they permit.) Clearly, however, the sky is falling in biometric pricing! Three years ago, the typical biometric reader was priced at about $2,000. I would not be surprised to see the mean price for popular biometric readers hit $200 in 1998.

Among the most savvy commentators on the rapidly evolving biometric tech are the Biometric Consortium (a group of federal agency reps who have paced the industry with their efforts to develop effective benchmarks, http://www.vitro.bloomington.in.us:8080/~BC/ ) and the leading US state-level social service agencies, many of which appear to be deeply committed to this technology.
For an awesome display of buyer savvy -- the dream or the nightmare of vendor salesmen ;-) -- check out the last couple issues of Dave Mintie's newsletter for the Biometrics in Human Services User Group at:
http://www.dss.state.ct.us/faq/dihsug.htm

See also the Association For Biometrics:
http://www.vitro.bloomington.in.us:8080/~BC/afb

and the Human Identification System Project, at:
http://www.asti.dost.gov.ph/~shoreadm/HIS.html

International Biometric Group, Inc., at:
http://www.biometricgroup.com

And don't miss the incredibly informative Connecticut Biometric Web Page:
http://www.dss.state.ct.us/digital.htm

Market demand for an ID authentication mechanism that requires nothing but the physical body of the person whose identity is being matched against a pre-recorded digital record seems to be most notably fueled by an enormous government demand in the US (and doubtless elsewhere) for better ID authentication to control fraud (double dipping, within a state and multi-state) in social services and welfare payment systems, as well as an apparent demand for new and supplementary systems for ID and authentication to more effectively support immigration and border traffic controls. Both the US and the European Union seem to be making major commitments in both categories.

Benefit fraud in the US is estimated at $10 billion annually, according to the GAO; with comparable figures likely in other industrialized nations. That's a lot of political capital (and surveys seem to reveal widespread support for technology which supports anti-fraud programs among recipients, as well as in the body politic.) I presume military personnel applications are also being widely considered, although I haven't heard of any big contracts.

Token-based authentication systems (like ACE/SecurID) for large systems and networks will remain a dominant IT technology for some time, I think, but largely because that technology is so embedded in the dominant network technologies and has made such strides in developing the authentication servers to support the administration of tokens for large corporate user groups.

Security Dynamics (SDTI) -- for which I've been a consultant for years -- has also moved to dramatically broaden its technical base by buying RSA Data Security (http://www.rsa.com) -- the leading US developer and vendor of cryptography, symmetric & public key -- and Dynasoft, the Swedish firm which developed the BoKS single-signon technology which major financial institutions like Citibank, Chase, and Wells Fargo have recently made major commitments in. See: http://www.securid.com

Security Dynamics is integrating the BoKS multi-server SSO technology into its popular ACE/SecurID authentication servers and interweaving RSA crypto throughout its product line. This year, SDTI's ACE/Servers will begin to support cryptographic key and X509 certificate management and support.

In many IP environments, the attraction of a public-key crypto infrastructure (PKI) goes far beyond user authentication, since it offers not only (smartcard/token-based) two-factor authentication, but also machine-to-machine and process authentication, encryption for confidentiality, and digital signatures for message-integrity checks and non-repudiation. (We have only begun to see the power of digital signatures unfold, both within bureaucracies, in business-to-business transactions, and in e-commerce.)

Withal, there is a dynamo bursting into the (NT) market with new biometrics implementations. Tagg suggested that voice recognition was "on the way out," but Novell has a very different idea of its potential.
Finger-imaging using a variety of new sensor technologies is hot right now, and new designs seem to allow major price breaks with high-volume manufacturing -- but IBM is still very active in developing hand-geometry technologies (and product under federal contracts from INS) and iris-imaging like that used by IriScan and Sensar (which, unlike retina-scans, can be picked up on the surface of the eye, from a camera two or three feet away,) and full-face image recognition (e.g., Visionics's Face-it) have also been associated with major breakthroughs, new price/performance ratios, and new customer categories.

It remains to be seen how cautiously the vendors package their technologies. Companies new to security and overly confident in their technology tend to rely too much or wholly on their widgets and the ability of their neural nets or somesuch to differentiate between, for instance, a living eyeball and one forcibly removed from a potential financial-fraud victim.

Personally, I can't see trusting a biometric identifier which is not reinforced by one of the other two factors by which a computer can authenticate a pre-registered identity: i.e., "something you know" (like a password, perhaps reinforced for transit by EKE protocols,) and/or "something held," as in a physical token. Soon, I presume, high-security apps will require three-factor authentication in place of the now industry-standard two for "strong authentication."

I also like to keep an eye on Canadian firms, like Mytec, because Canada -- like most of Europe -- has a legal system that places a higher value on personal data and gives its citizens a property claim on data about them that American citizens sold off to the finance and credit companies long ago.
Mytec's use of biometrics often seems to me inherently more protective of what is, after all, a digitized representation of a physical characteristic that can not be changed like a password, if the security or integrity of an authentication system is breached. I expect to see European applications modeled on the same traits, and it will be informative to compare the handling of user data in products from US vendors against the norm in the EC countries.

Pardon the burden on the bandwidth, this is longer than I had planned. Below is my list of vendors of biometric authentication tech. It is doubtless US-centric and painfully light on Asian and European developers, but such is life. I think I originally swiped much of this list from a collection of URLs developed by the security mavens at the Connecticut (US) Social Services Department. An impressive team, there. I hope it will be as helpful and useful to others as it has been for me.

Suerte,
_Vin

Vin McLellan
The Privacy Guild

--- Vendors of Biometric Authentication Technology & Products
--------------------------------------------------------------

(1) Finger-Imaging Technologies

http://www.nrid.com/ The National Registry
http://eastview.org.ImEdge/ Edgelit Holography Fingerprint
http://www.fingerprint.com/ Fingerprint Technologies
http://www.fpusa.com/ Fingerprint USA
http://www.w3bit.com/www_star.html Startek Engineering, Inc.
http://mytec.com Mytec
http://www.identix.com/ Identix
http://www.printrakinternational.com/ Printrak International
http://www.camneuro.stjohns.co.uk/ Cambridge Neurodynamics
http://www.cogentsystems.com/ Cogent Systems
http://www.identicator.com/ Identicator Corporation
http://www.xcheck.com/ Crosscheck Corp.
http://www.biometricID.com/ Biometric Identification, Inc.
http://www.east-shore.com/ East Shore Technologies
http://www.mbnet.or.jp/melsys/fingre03.html Mitsubishi Electric Corp.
http://www.gotnet.net/home/idyou Identification Systems
http://www.netid.com/ Net-ID, Inc.
http://www.veridicom.com/ Veridicom
http://www.vitrix.com/ Vitrix, Inc.
http://www.parlant.com/ideas/ideas.htm IDeas International
http://www.iosoftware.com I/O Software, Inc
mailto:tommi@morpho.wa.com North American Morpho Systems
http://www.tcs.thomson-csf.com/standard/finger.htm Thomson-CSF
http://www.marketplace.unisys.com/bioware UNISYS, Inc

(2) Facial Imaging

http://www.viisage.com/ Viisage Technology
http://www.miros.com/ Miros
http://www.wp.com/IVS_face/ Intelligent Vision Systems
http://www.faceit.com/ Visionics
http://www.cjis.com/ CJIS

(3) Facial/Voice

http://www.keywareusa.com/ Keyware USA

(4) Handwriting

http://www.penop.com/ PenOp
http://www.aeat.co.uk/ AEA's Check Match & Countermatch
http://hwr.nici.kun.nl/ Handwriting Recognition Group
http://www.quintetusa.com/ Quintet Signature Verification

(5) Iris scan

http://www.iriscan.com/ IriScan
http://www.sensar.com/ Sensar

(6) Hand Geometry

http://www.recogsys.com/ Recognition Systems

(7) Veincheck

http://innotts.co.uk/~joerice/ Veincheck Biometric Homepage

Vin McLellan + The Privacy Guild +
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --