Solving Password Proliferation

nferris@govexec.com

Tired of trying to remember all the passwords and personal identification numbers (PINs) that you need to get your work done these days? You're not alone. As more federal business is done online and as security and privacy concerns are amplified, agencies are piling on layers of security for their information systems.

You may need one password to use your networked personal computer, another for your e-mail and a third for agency applications, such as a financial system or database. If your system administrators are following the security rulebook, they're changing these passwords frequently and forbidding the use of easily remembered passwords such as your name or your spouse's. In the most by-the-book settings, passwords are issued by the systems staff and aren't words at all, but an unmemorable, random combination of letters and numbers.

Add these passwords to the PINs for your credit card, calling card and bank ATM card, plus the ones for your home computer's Internet service, and you have a nightmare in the making. It's no surprise that many people end up writing a password or two on sticky notes just inside their desk drawers, or even posting them in plain sight on a cubicle wall. Needless to say, this defeats the purpose of passwords.

That's why many experts are predicting a surge in the use of biometric identifiers. These devices recognize some unique body attribute quickly and easily, so that no password is needed. Biometrics, usually a fingerprint or facial image, provide extra security for information systems while making log-ons more convenient for the user. It's a rare win-win combination with very few downsides.

Smaller, Faster, Cheaper

Until recently, biometrics were quite expensive, both in terms of capital outlays for the hardware and software and in terms of system overhead: the extra network, processing and storage capacity they demanded. In addition, most biometrics products came from small, young companies that did not inspire confidence. But that situation is changing. Well-known companies such as Compaq Computer Corp. are building fingerprint-recognition capabilities into PCs for less than $100 apiece.

Small fingerprint readers can be built into an ordinary PC keyboard or mouse, or mounted on a monitor or other surface. They capture the print, then reduce it to a mathematical formula or template. That number is matched with those on file at the network server. The user is allowed to log on to the network only when there is a match.
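The capture, template and server-side match described above, as an added example that is not from the article or from any vendor's product: templates are modelled as 64-bit values compared by Hamming distance, and the function names, threshold and sample data are constructed assumptions. It goes slightly beyond the text by showing that the match is a closest-within-tolerance search, because two scans of the same finger do not produce identical bits.

```python
import random

TEMPLATE_BITS = 64  # assumed toy size; real templates are vendor-specific
THRESHOLD = 10      # assumed tolerance: max differing bits that still match


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def capture(true_template: int, noisy_bits: int, rng: random.Random) -> int:
    """Simulate a fresh scan by flipping some bits of the enrolled template."""
    sample = true_template
    for pos in rng.sample(range(TEMPLATE_BITS), noisy_bits):
        sample ^= 1 << pos
    return sample


def identify(sample: int, enrolled: dict, threshold: int = THRESHOLD):
    """Compare a sample with every template on file at the server.

    Returns the closest enrolled user if within the threshold, else None.
    """
    if not enrolled:
        return None
    user, dist = min(((u, hamming(sample, t)) for u, t in enrolled.items()),
                     key=lambda pair: pair[1])
    return user if dist <= threshold else None


def demo() -> dict:
    rng = random.Random(1999)  # fixed seed: constructed, repeatable data
    enrolled = {n: rng.getrandbits(TEMPLATE_BITS) for n in ("alice", "bob", "carol")}
    good_scan = capture(enrolled["bob"], noisy_bits=4, rng=rng)
    smudged = capture(enrolled["bob"], noisy_bits=20, rng=rng)
    stranger = rng.getrandbits(TEMPLATE_BITS)
    return {
        "exact_equal": good_scan == enrolled["bob"],  # password-style compare
        "good_scan": identify(good_scan, enrolled),   # accepted as bob
        "smudged": identify(smudged, enrolled),       # false reject of bob
        "stranger": identify(stranger, enrolled),     # unknown finger rejected
    }


if __name__ == "__main__":
    print(demo())
```

Raising the threshold admits the smudged scan but also moves strangers closer to a false match, which is the tuning decision every deployment of this kind has to make.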

Forgotten passwords are perhaps the most common cause of calls to network help desks, according to Compaq officials, who are marketing their Compaq Fingerprint Identification Technology as a way to reduce help desk operating costs and make things easier for individual network users, in addition to improving security.

To security experts, there is something reassuring about biometrics. Passwords can be borrowed, or extorted by force. Passcards can be stolen. Biometric identifiers are less likely to be misappropriated. High-end fingerprint readers, in fact, read two or more fingers and check that they are within the range of normal body temperature, to guard against duplication with plastic molds and other gruesome possibilities.

Although fingerprinting is the most common and accepted form of biometrics, there are many others. The state of Illinois is installing a facial recognition system for drivers' licenses, to improve verification of license applicants' identities and avoid duplicate licensing. The Immigration and Naturalization Service is testing a facial recognition system to speed border crossings for commuters between California and Mexico. PC-based facial recognition systems can cost less than $300 per PC.

Scans of the retina or the iris also provide unique identity verification, but many people are disturbed by having a camera or scanner directed at their eyes. The iris scanner developed by Sensar Inc., a small New Jersey company, is less intrusive than retinal scanners, company officials claim, and doesn't require the customer to stand in a precise spot or touch a surface.

Hand geometry devices, which add up a number of measurements for each user's hand, appear less common, but they are used in federal prisons to open gates for guards and visitors. Voiceprints, which translate voice tones into unique mathematical patterns, make sense particularly for remote access to information systems because they require only an inexpensive microphone and sound card, plus software.

Consumer Resistance

While these techniques may comfort the security experts, they generate anxiety in some prospective users. Representatives of biometrics companies admit that people object to being fingerprinted, or scanned, and worry about unforeseen and unauthorized uses of the personal identification data. To allay such concerns, the makers of some fingerprint ID systems publicize their products' lack of compatibility with law enforcement fingerprint systems.

Consumer resistance can sometimes be helpful. The Defense Department and various state and local agencies that dispense welfare have discovered that simply introducing more powerful identification technology can help curb fraud based on false IDs. In the first 18 months after the county social services department in San Diego installed fingerprint identification for welfare recipients, it paid out $200,000 less than had been expected. Some recipients refused to be fingerprinted, probably because they were applying for aid under more than one identity. The county withheld payments from others because the fingerprinting showed they were receiving duplicate payments.

Paul Collier, director of operations for Identicator Corp. in its Rockville, Md., office, says the public's dislike of biometric approaches seems to be becoming overshadowed by the desire to use electronic commerce and networked information systems without being hacked or intruded upon. At a recent series of focus groups, he says, private citizens reacted mostly positively, saying things like, "You mean, if I lose my credit card [one requiring a biometric verification], no one else can use it?"

Collier points out that biometric techniques can be used to protect individual privacy as well as organizational or corporate information. Verifying people's identification protects them against identity theft, in which an impostor appropriates the name, address, Social Security number, credit card numbers and other information pertaining to the victim. Verification also can limit access to personal information. In Spain, Collier says, the national health system uses identity cards with biometrics to give people access to service providers and also to unlock their medical records, which are not available to doctors alone.

In this country, biometric devices are fairly common in places such as airports, where they permit authorized individuals to enter runway and refueling areas, and in law enforcement and national security offices. But now Collier and many others are predicting that they will become commonplace means of fortifying information systems security in federal agencies and corporations within the next year or two.

Big Test

The organizations in which information-systems applications of biometrics are making the first inroads are financial institutions, such as stock brokerages and banks. Not surprisingly, one of the first large-scale, unclassified federal tests involves money as well: the pay advanced to new Army recruits at Fort Sill, Okla. During a year-long pilot program, each of the 20,000 new soldiers there is receiving a smart card with monetary value, up to $260.

On the first day of basic training, the recruit enrolls in the system by having left and right index fingers scanned. The system stores the fingerprint data on a computer chip embedded in the card. When the recruit goes to buy toiletries and running shoes at the Post Exchange (PX), he or she verifies ownership of the card by placing a finger on a reader at the cash register.

Lt. Col. Joseph E. Pedone III, commander of the 95th Adjutant General's Reception Battalion at Fort Sill, says of the more than 3,000 cards issued between March (when the pilot program began) and July, none was stolen and 10 were lost. Lost cards are easily replaced, Pedone says.

During their eight weeks at Ft. Sill, recruits need not memorize PINs for their cards nor worry about theft, as they would with cash. Meanwhile, Pedone says, "it gives us [the Army] time to activate the pay system" for the newcomers.

But the biggest benefit is to the concessionaires who operate the PX, barber shop and other Fort Sill facilities where the recruits spend money. Lynda Aguon, manager of the PX annex, where the recruits go for shoeshine kits and flashlight batteries, says she used to spend up to four hours a day on paperwork. The recruits would arrive with paper vouchers. She had to accept them and record the transactions, then submit claims for reimbursement later. Not only is the new system faster at checkout, but the transactions are tallied automatically and forwarded to a bank for payment, just as with credit card purchases. "It's working out a lot better than the manual charge voucher," Aguon says.

Biometrics is not a perfect technology. The inexpensive new fingerprint readers probably could be fooled by a determined intruder, and some of the systems that rely on biometrics are subject to "sniffer" attacks in which the data could be hijacked. Unless used in combination with smart cards, as at Fort Sill, biometrics is more suitable for fixed systems with recurring users than for casual use.

Some knowledgeable observers view biometrics as one of those technologies that is perpetually going to be ready next year, never this year. It's true that most of the concepts are not new, but there have been some real technical advances recently that give people inside the industry hope. The science of capturing and encoding mathematical information about body features has made strides, while affordable desktop computers have gained processing power. Growing reliance on networks has driven security concerns to the foreground.

Biometric Consortium

Meanwhile, an industry that was balkanized by its origins in small, entrepreneurial companies is coalescing. Under the sponsorship of the National Security Agency, an organization called the Biometric Consortium (www.biometrics.org) serves as a focal point for information sharing and technical activities within the federal government. Sixty federal agencies are participating in the consortium.

The industry also is coalescing around two or three newly developed standards for linking biometrics to other systems. In the absence of standards, a federal agency wishing to employ biometrics may be forced to buy all the elements of the system from a single vendor. The participation of IT industry leaders such as Microsoft Corp. in developing standards is regarded as an important sign of maturity for biometric technology.

On the other hand, standards will make it easier for organizations to share biometric information, a prospect that alarms privacy advocates. In other nations, such as Costa Rica, fingerprints, faces and digital signatures of citizens are being stored in a national database. In a $4.7 million project, Costa Rica's 2 million voters will receive ID cards for voting, cashing checks and other purposes such as applying for health care. The biometric information will prevent duplicate voter registrations, but if such a project were to be proposed in the United States, it would be difficult to convince Big Brother-wary U.S. citizens of the value of a national fingerprint registry and national ID card.

Because of the many unresolved policy issues associated with biometrics, some observers say the technology will take hold in the commercial world before it becomes commonplace in government.