Biometric authentication a choice for banks

As banks struggle to secure their online transactions with two-factor authentication, one bank has chosen a fingerprint biometric system -- with very good results.

Since it implemented biometric authentication in 2001, the United Bankers' Bank has experienced "100% authentication success," according to Assistant Vice President of Information Technology, Daren Mehl.

Biometrics may be regarded with suspicion by some, and doubts have been cast as to its reliability. But Daren Mehl will assure you that the UBB, with its 1200+ bank clients and 2600 users, has experienced no security breaches since adopting biometric authentication. And the bank has maintained this enviable security profile while conducting many sensitive, high-money transactions in cyberspace.

When it switched from a proprietary dial-in arrangement to an internet-based system, the UBB considered a number of authentication options. There was concern, naturally, about high-dollar wire transfers and other large transactions.

Initially the bank looked at more traditional options such as digital certificates and USB tokens, but these methods didn't seem very secure, according to Mehl. Eventually the bank settled on fingerprint biometric authentication and, after considering several vendors, chose DigitalPersona as a provider.

Fingerprint biometrics

DigitalPersona focuses exclusively on fingerprint biometrics. Chip Mesec, senior product marketing manager at DigitalPersona, outlines three major steps for secure fingerprint authentication.

  1. Capturing the fingerprint
    A fingerprint reader captures a compressed bitmap image of the print. "Most readers encrypt that within the chip set," says Mesec. This information is then transferred to the workstation or server for...
  2. Extraction
    This step is unique to DigitalPersona, according to Mesec. The image is converted to an algorithm. A template is created. The information is then encrypted again for transfer.
  3. Registration or Verification
    A new template may be registered and stored in an encrypted database. A registered template is matched to the one on file in the encrypted database.

Within the UBB system, information is encrypted "two or three times at different levels," says Mehl. And because the entire system -- all of the software and hardware -- is part of a DigitalPersona package, the various components are designed to work together smoothly and securely.

Compliance & convenience

Long before the FFIEC "guided" banks toward two-factor authentication to secure online transactions, the UBB had already embraced multifactor authentication.

The first factor is the fingerprint authentication. Another factor, according to Mehl, is the finger sensor itself. Each sensor has a serial number and acts as a kind of token. Finger sensors can be locked down so that only those registered are accepted, eliminating the possibility of rogue sensors being granted access. Additionally, individual users can be locked down to particular finger sensors, further securing the system.
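The layered check described above (registered sensors only, optional per-user sensor lock-down, then the fingerprint match) can be sketched as a deny-by-default decision that also writes an audit record. This is an added example, not DigitalPersona's or the UBB's code; the serial numbers, user names and function names are hypothetical, and the matcher's verdict is taken as an input.

```python
from dataclasses import dataclass

# Constructed sample data: serial numbers and user names are hypothetical.
REGISTERED_SENSORS = {"SN-1001", "SN-1002", "SN-2001"}
ENROLLED_USERS = {"alice", "bob", "carol"}
# Optional per-user lock-down; a user with no entry may use any registered sensor.
USER_SENSOR_LOCK = {"alice": {"SN-1001"}, "bob": {"SN-1002", "SN-2001"}}


@dataclass(frozen=True)
class Attempt:
    user: str
    sensor_serial: str
    template_matched: bool  # matcher verdict, taken as an input in this sketch


def decide(attempt: Attempt, audit_log: list) -> tuple:
    """Deny by default; every check must pass. Each decision is audited."""
    allowed_sensors = USER_SENSOR_LOCK.get(attempt.user, REGISTERED_SENSORS)
    if attempt.sensor_serial not in REGISTERED_SENSORS:
        verdict = (False, "unregistered_sensor")  # rogue or unknown device
    elif attempt.user not in ENROLLED_USERS:
        verdict = (False, "unknown_user")
    elif attempt.sensor_serial not in allowed_sensors:
        verdict = (False, "sensor_not_bound_to_user")
    elif not attempt.template_matched:
        verdict = (False, "fingerprint_mismatch")
    else:
        verdict = (True, "ok")
    audit_log.append({"user": attempt.user, "sensor": attempt.sensor_serial,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict


def run_samples():
    """Evaluate constructed attempts; return the verdicts and the audit trail."""
    log = []
    attempts = [
        Attempt("alice", "SN-1001", True),   # bound sensor, finger matches
        Attempt("alice", "SN-1002", True),   # registered sensor, wrong user
        Attempt("bob", "SN-9999", True),     # sensor not on the allowlist
        Attempt("carol", "SN-2001", False),  # allowed sensor, finger fails
        Attempt("carol", "SN-2001", True),   # no lock-down entry, any sensor
    ]
    return [decide(a, log) for a in attempts], log


if __name__ == "__main__":
    for entry in run_samples()[1]:
        print(entry)
```

Denied attempts are logged with the same detail as successful ones, so the trail shows which sensor and which check rejected the request.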

With the January, 2007 FFIEC deadline looming, will more banks consider biometrics? Mehl certainly thinks so. The UBB's clients have been very satisfied with the technology, according to Mehl. A few of the banks have even adopted the technique to secure their own workstations.

In addition to the FFIEC guidelines, the DigitalPersona biometric package may help the UBB comply with other regulations, such as the Sarbanes-Oxley Act (SOX) due to its use of tracking tools. "There's an audit trail and it's convenient," notes Mesec.

Embracing biometrics

The transition to biometric authentication was easy, according to Mehl. The UBB tested the system internally to lock down its own workstations. After a year, the bank began expanding the program.

Mehl maintains that there was little resistance among clients to the authentication program, and the few concerns voiced were quickly allayed. "There were a couple of people who thought of Big Brother," recalls Mehl, "but we're not actually storing their fingerprint as a picture" in a database. DigitalPersona emphasizes in its privacy policy that once fingerprints are converted into templates and stored they cannot be converted back. An image of a fingerprint cannot be retrieved from the database.

Registering the fingerprints of 2600 people "wasn't really much of a problem," states Mehl. No training was necessary. Initially, the biggest stumbling block was teaching people how to correctly place their fingers on the sensor. But users, armed only with "instructions and a few screen shots," resolved the issue independently.

A certain percentage of people have difficult-to-scan fingerprints due to anomalies in the skin, injuries, scars and other features. However, all of UBB's users are able to work with the sensors, says Mehl. And once users are registered, they can take advantage of the system's built-in single sign-on, no password required. One of DigitalPersona's big selling points, in fact, is that its systems eliminate "password management problems."

The future of biometrics

As the market for biometrics widens, fingerprint sensors are "going to be a standard on PCs," predicts Mehl. Certain types of Dell, HP and Toshiba notebooks come with fingerprint sensors already embedded. DigitalPersona offers software to enable biometric authentication on these computers.

However, there remains a stigma on fingerprinting in the U.S. It's seen as intrusive, Orwellian and associated with criminals. DigitalPersona's Mesec mentions that biometric authentication is much more popular in Latin American and Asian countries where there is less of a stigma associated with fingerprinting.

While banks and other institutions look toward alternative authentication methods, biometrics may gain wider acceptance in the U.S. A success story like that of the UBB, with its glowing security record, might turn a few heads. Of course, the more popular biometrics becomes, the more hackers will target it.

As an IT professional, Mehl is well aware of the limitations of any security measure. But Mehl remains very optimistic. "From my Web programmer's perspective, it's a really resilient system," he says. "I'm paranoid, and I can sleep at night."
