Password-based authentication carries a number of cyber security risks and can also reduce employee productivity. Biometric authentication technologies can be used to eliminate the problems related to password usage.
As a rule, users do not choose complex or long passwords, because these are hard to devise and memorize. This allows an intruder to crack employee account passwords quite quickly (in about a minute). Employees also frequently reuse one and the same password for all applications and services, which makes the problem even worse: having cracked the password to one system, an intruder gains access to all the resources available to the compromised user.
Password disclosure and propagation
An average employee does not make a point of keeping his or her passwords secret and often writes them down right at the workplace. Employees also frequently share their passwords with colleagues, asking them to do something while the password owner is away (send a report, check the mailbox for new messages, etc.). This makes obtaining passwords easy for an intruder, with no need for sophisticated technical means.
Use of passwords by dismissed employees
If the IT service did not block the account of a dismissed employee in time, or simply forgot to do so, that employee can still gain access to confidential information and pass it to competitors.
Even if an employee complies with all the cyber security requirements for password use, he or she may still create additional workload for the IT service. Complex passwords are hard to memorize, so users forget them quite often. This, in turn, leads to account lockouts and the need to reset the password to a known value.
Advantages of biometric technologies
Biometric technologies remove passwords from an employee's everyday practice and offer the following advantages.
Higher security level
Biometric authentication makes it possible to verify a user with higher accuracy (the error probability is around 0.00001%, depending on the technology used). Therefore, biometrics can be used in any business scenario that requires reliable user authentication.
Inalienability of authentication data
Biometric authentication data is always with the user, unlike passwords or smart cards, which can be forgotten, lost or passed to third parties.
Comfort of use
Biometric authentication does not require an employee to memorize complex passwords or carry a device (token, smart card, etc.). An employee simply cannot forget or lose the authentication data.
The task of protecting a corporate PC with biometric authentication can be stated as follows:
- Biometric authentication of users should be provided for access to:
  - the Windows operating system (domain PC)
  - target applications
- The solution should support various biometric authentication technologies:
  - palm vein pattern
  - 2D and 3D face recognition
To solve this task, the Indeed Access Manager (Indeed AM) software suite is used. The suite allows the required authentication scenarios to be implemented in the Windows operating system and in applications.
Access to Windows is provided by the Indeed AM Windows Logon component using Active Directory domain account data. The component implements a Credential Provider, the standard interface for logging on to the operating system. The standard OS logon interface is replaced by the Indeed AM Windows Logon interface, which supports various authentication technologies, including biometric ones. Integration with Windows uses standard protocols, which ensures compatibility with the Windows authentication subsystem and allows Indeed AM Windows Logon to be used in different access scenarios: local logon to a PC, remote desktop (RDP), and authentication within the OS. The system is centralized, so several employees can log on to the same PC with their domain accounts using a single scanner, and the same employee can log on to any PC in the domain.
Indeed Access Manager does not replace the standard Active Directory authentication system but automates user password management. In this configuration, password authentication becomes an internal mechanism used at the software level only. When the first authenticator (a biometric template, etc.) is registered in Indeed Access Manager, the user's password is automatically changed to a random value that neither the user nor the system administrator knows. Thus, domain access becomes possible only through Indeed AM technology. Subsequently, the user password is changed automatically, either when prompted by the operating system or according to a configured schedule.
The Indeed AM Enterprise Single Sign-On (Indeed AM ESSO) component implements biometric authentication for the applications (thin or thick clients) that employees use on their PCs. Indeed AM ESSO integrates with a target application without interfering with the application's own software. To do so, it intercepts the application's login, password unlock and password change forms. Interception is performed by the Indeed AM ESSO agent installed on user workstations. When the target application displays its login form, the screen is locked and the user must authenticate, for example by placing a finger on the fingerprint reader. The Indeed AM ESSO agent then fills in the login form automatically and the user gains access to the application.
The Indeed Access Manager contains the following main components:
Indeed AM Server (Server) is the server component of the Indeed Access Manager infrastructure. The Server provides centralized storage and protection of user data and performs the user authentication procedure. It also receives and processes requests from client components and administrator tools. The Server guarantees that a user's data is available from any PC, and it allows the administrator to configure access parameters for an employee or a group of employees and to make global changes to the system.
Indeed AM Windows Logon is client software installed on employee workstations. Windows Logon provides access to Windows using strong authentication technologies.
Indeed AM ESSO Agent is client software installed on employee workstations. The ESSO Agent intercepts application on-screen forms and provides access to them using strong authentication technologies.
Indeed Access Manager database. The database stores system settings and the reference biometric templates used by the Server for user authentication.
Indeed AM log. All events that occur in the system are recorded in the Indeed AM log. The log records the date, time, username, Active Directory account name, account name in the target system, the fact that account data was used, the fact of logon to the target system, etc. It also records the method and type of authentication technology the employee used to gain access to the system.
Indeed AM currently supports the following biometric technologies:
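The log fields listed above are what an administrator would review to catch the dismissed-employee risk described earlier. The following is an added example, not Indeed AM's own code or its real log format: it parses constructed audit lines carrying those fields and flags successful logons by accounts that should already have been blocked, as well as logons that fell back to a password instead of a biometric. The CSV layout, the account names and the DISMISSED set are all assumptions for illustration.

```python
# Added example (not Indeed AM's own code or log format): analyse constructed
# audit lines with the fields the text lists and flag logons that need review.
import csv
import io
from collections import Counter

# Constructed sample lines; the CSV field layout is an assumption.
SAMPLE_LOG = """\
date,time,username,ad_account,target_account,credentials_used,logon,method
2024-03-01,08:02:11,Ivanov I.,CORP\\ivanov,ivanov,yes,yes,fingerprint
2024-03-01,08:05:40,Petrova A.,CORP\\petrova,a.petrova,yes,yes,palm_vein
2024-03-01,09:15:03,Sidorov P.,CORP\\sidorov,sidorov,yes,yes,face_3d
2024-03-01,12:30:27,Ivanov I.,CORP\\ivanov,ivanov,yes,no,fingerprint
2024-03-02,07:58:50,Sidorov P.,CORP\\sidorov,sidorov,yes,yes,password
"""

# Constructed list of accounts whose owners were dismissed (assumption);
# in practice this would come from HR or the AD disabled-accounts list.
DISMISSED = {"CORP\\sidorov"}

def parse_log(text):
    """Return the log as a list of dicts, one per recorded event."""
    return list(csv.DictReader(io.StringIO(text)))

def successful_logons(events):
    """Keep only events where a logon to the target system actually occurred."""
    return [e for e in events if e["logon"] == "yes"]

def dismissed_account_logons(events, dismissed):
    """Successful logons by accounts that should already have been blocked."""
    return [e for e in successful_logons(events) if e["ad_account"] in dismissed]

def non_biometric_logons(events):
    """Successful logons that used a password rather than a biometric method."""
    return [e for e in successful_logons(events) if e["method"] == "password"]

def method_summary(events):
    """Count successful logons per authentication method."""
    return Counter(e["method"] for e in successful_logons(events))

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for e in dismissed_account_logons(ev, DISMISSED):
        print("ALERT dismissed account logon:", e["date"], e["time"],
              e["ad_account"], e["method"])
    for e in non_biometric_logons(ev):
        print("REVIEW password fallback:", e["date"], e["time"], e["ad_account"])
    print(dict(method_summary(ev)))
```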
Authentication by fingerprint
Fingerprint is the most widespread biometric authentication technology. It is convenient to use on an office PC and is suitable for a large number of authentication attempts during the working day.
Authentication by 2D and 3D face recognition based on Intel RealSense technology
Authentication by 2D and 3D face recognition uses Intel RealSense™ technology. It obtains a highly accurate face image (including in the IR band), which yields higher authentication accuracy. The technology is contactless and can therefore be used on publicly accessible devices.
Authentication by palm vein pattern in Fujitsu PalmSecure v2 scanner implementation
This is also a contactless biometric authentication technology. It is well suited to office use and can also be used on publicly accessible devices. The technology is hygienic and imposes no requirements on the condition of the skin surface (contamination, cuts, etc.).