And now for something completely different. I promise nothing about provisioning and/or federation this week. In this issue, and the next, it's straight-forward, clear-cut authentication we'll discuss, but with a twist.
First, a review. There are generally considered to be three modes of authentication – something you know (username/password); something you have (security token, smartcard, etc.); and something you are (biometric). Passwords can be guessed or stolen. Tokens can be stolen or lost. Biometrics are harder to misplace but haven’t caught on as fast as I thought they might when I first wrote about fingerprint readers over 10 years ago.
People mistrust fingerprint devices, mostly because they associate fingerprinting with criminal activity. The average citizen thinks that the fingerprint registration could be stolen and used to implicate them in a crime. It can't, of course, but that doesn't change their perception. The same problem faces facial scanning/recognition software which has been used (unsuccessfully) to identify wanted criminals at sporting events. Retina scanners simply scare people – they don’t want anything being shined into their eye. So what can we do?
The smart folks at Fujitsu have come up with a new system to read a biometric. It’s non-intrusive, isn’t likely to be featured at a crime scene on a TV series but does provide a unique signature with little effort on the user’s part.
PalmSecure is a system with a reader (and software) which images the veins in your palm via an infrared beam. The best known implementation is in a PC Mouse: simply wave your hand over the mouse and you can be authenticated. Fujitsu claims better than 99.99% accuracy in the read – even through latex gloves (it’s used in health-provider environments).
There’s no need to touch the device, nor to have it touch you. A wall panel, a reader on a vending machine, eventually, maybe, a plate on your car’s dashboard! Just wave your hand in front of it and get authenticated. How easy is that?
It also checks for blood flow in the vein so it can’t be spoofed.
Fujitsu has now released LOGONDIRECTOR, which ties a PalmSecure device to leading SSO implementations (Sun, Passlogix, Oracle, Citrix, etc.) for even better access control.
It’s both user-friendly and secure – well worth checking out.
Upcoming event: Another Courion Webinar in the near future: “The Benefits of Access Assurance and Access Certification” - Featuring: Ian Glazer, Senior Analyst, Identity and Privacy Strategies, Burton Group and Kurt Johnson, Courion vice president of corporate development. March 31, 11am ET. Register at the Web site.