FOR: The highly scalable architecture also facilitates the implementation of load balancing and redundancy.

AGAINST: It doesn't provide out-of-the-box support for smartcards. [Ed note: BioNetrix says that just-released version 4.1 includes out-of-box support for GemPlus smartcards and HID proximity cards.]

VERDICT: BioNetrix Authentication Suite brings together a comprehensive and flexible range of tools that allows the most complex policy-based multiple-factor authentication rules to be managed with ease.

With this product, BioNetrix has designed a method of managing an authentication process based on multiple-factor authentication. It supports many commercial third-party biometric authentication systems and hardware, as well as tokens and passwords. It facilitates authentication to all Windows-based networks and applications, Novell NetWare servers and Entrust Entelligence-based PKI systems. Other platforms and applications can be accommodated on request.

BioNetrix Authentication Suite takes a policy-based approach to authentication management to allow various methods of authentication and levels of security as appropriate. This means that certain computing facilities may be protected by a high level of multiple-factor authentication, while others may be more easily accessible using simpler authentication techniques. The suite can also be configured to cope with alternatives, where the desired method of authentication is not available to the user.

Most commercial verification methods are supported, including passwords, USB tokens, fingerprint, voice, face, iris and signature recognition. However, a most notable omission from the set of standard drivers in version 4.0 is a smartcard application, although this could be supported by specially developed drivers. For the server, supported operating systems are Windows NT Server 4.0 (SP5 or later) or Windows 2000.

Installation is fairly easy, but TCP/IP and DNS lookup must be installed and working before you start the install. The system can be distributed among several BioServers, as they are called, to distribute the workload in a large organization and to provide a level of redundancy. The Authentication Suite relies on a SQL Server 7.0 backend database, which can be installed on the same machine as the BioServer or a separate machine. Like the BioServer, you can use multiple SQL servers and standard replication techniques to provide redundancy and load sharing.

You can choose to install the BioServer and its administration client on a single machine, or you can use a separate administration workstation, which must still be running Windows NT/2000 but need not be the Server version. Clients that are to be used to authenticate to the system must merely be running any 32-bit version of Windows, or have any web-browser for the optional web-based approach.

The management interface is highly graphical and uses a tree-like structure to show the hierarchy of authentication methods, which are connected by various policy operators, such as the Booleans AND and OR, plus a number of others. It's pretty obvious how AND and OR policies may be combined to enforce, for example, two-factor authentication but allowing a multiple choice of methods for each factor. However, there are some more versatile policy operators, which we will now describe.

A random policy requires the user to authenticate successfully using an authentication method chosen at random from a list.

A contingent policy requires successful authentication using one authentication method, but may require a second method depending on how well the user has authenticated using the first method. This can be advisable with many biometric authentication schemes that are not 100 percent reliable and present a probability that the user is not who he or she claims to be.

A threshold policy requires users to achieve a predetermined authentication score - for example, they may be asked to authenticate using three methods, but will be accepted if they are successful with two out of three. This is designed to cope with situations where, for example, voice recognition may fail due to user stress or illness. All of these policies may be combined or nested using the AND and OR policy operators to provide a most flexible and versatile overall authentication policy.

One of the reasons that you may need this degree of flexibility is that the most desirable method of authentication may not be available at all workstations from which users need to log in. For example, mobile users and teleworkers may not have biometric hardware. Using the BioServer's policies you could allow such users access at a lower level of privilege provided they authenticate using both a USB token and a password. Where biometric hardware is available, you may choose to accept a single-factor authentication from one of two methods, such as fingerprint or iris verification.

BioNetrix secures its own dialogues between clients and servers using a Diffie-Hellman key exchange and then all communications are encrypted using industry-standard algorithms, such as Blowfish and triple-DES. Selection of the encryption algorithm is random to reduce the possibility of eavesdropping and playback attacks. Roaming access is also provided by the industry-standard HTTPS encryption protocol, which is employed to transfer authentication data securely using a web-browser interface, in support of secure access to web-based applications.

Administration responsibilities may be distributed throughout the organization to multiple administrators in a role-based manner so that each administrator has limited rights and privileges. This can therefore easily meet a corporate security policy that requires the deliberate separation and distribution of security administration duties.

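The policy operators described above (AND, OR, random, contingent and threshold) can be modelled as a small expression tree evaluated against per-method match scores. The following Python is an added example, not BioNetrix's code or configuration format: the tuple syntax, the method names, the 0.5 pass mark and the 0.9 strong-match cut-off are all assumptions made for illustration.

```python
import random

PASS = 0.5  # assumed cut-off: a method succeeds at or above this match score

def evaluate(policy, scores, rng=random):
    """Evaluate a nested policy tuple against per-method match scores (0.0-1.0).
    A method missing from `scores` (no hardware, not attempted) counts as failed."""
    op, *args = policy
    if op == "method":
        return scores.get(args[0], 0.0) >= PASS
    if op == "and":
        return all(evaluate(p, scores, rng) for p in args)
    if op == "or":
        return any(evaluate(p, scores, rng) for p in args)
    if op == "threshold":            # at least `need` of the children succeed
        need, children = args
        return sum(evaluate(p, scores, rng) for p in children) >= need
    if op == "random":               # one child, picked afresh for each attempt
        return evaluate(rng.choice(args), scores, rng)
    if op == "contingent":           # a marginal first score triggers a second check
        first, strong, second = args
        score = scores.get(first, 0.0)
        if score < PASS:
            return False
        return score >= strong or evaluate(second, scores, rng)
    raise ValueError(f"unknown policy operator: {op!r}")  # fail closed

def m(name):
    """Leaf node for a single authentication method (hypothetical helper)."""
    return ("method", name)

# Constructed policies mirroring the scenarios in the review.
FULL = ("or", m("fingerprint"), m("iris"))
LIMITED = ("and", m("usb_token"), m("password"))
TWO_OF_THREE = ("threshold", 2, [m("fingerprint"), m("voice"), m("face")])
FINGER_THEN_PW = ("contingent", "fingerprint", 0.9, m("password"))

def access_level(scores):
    """Full access with a biometric, limited access with token plus password."""
    if evaluate(FULL, scores):
        return "full"
    if evaluate(LIMITED, scores):
        return "limited"
    return "deny"

if __name__ == "__main__":
    print(access_level({"usb_token": 1.0, "password": 1.0}))
    print(evaluate(TWO_OF_THREE, {"fingerprint": 0.8, "voice": 0.2, "face": 0.7}))
    print(evaluate(FINGER_THEN_PW, {"fingerprint": 0.6}))
```

Missing methods and unknown operators both resolve to a refusal, so a workstation without the expected hardware or a mistyped policy never widens access.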
Any security package must have good reporting facilities, and BioNetrix clearly understands this fact. All authentication activity is logged in real time, and detailed auditing reports are produced. These enable administrators to know who is attempting to gain access to what application, at what time, and from which workstation. The reports also indicate whether the authentication was successful and what authentication policy is governing the user's access. This information is easily exported into SQL-aware reporting packages, such as Crystal Reports, for further analysis of trends or to investigate authentication attempts.

In conclusion, BioNetrix Authentication Suite integrates well with existing security applications and biometric systems to provide a most flexible policy-based approach to authentication. It is also highly scalable and may be implemented redundantly on multiple BioServers to deliver a high-availability authentication service that also supports load balancing. BioNetrix has designed a versatile product that enables security managers to bring together the best-of-breed biometric and other authentication technologies because of its wide support for third-party products and systems.

SC On-Line

Copyright © 2001 West Coast Publishing. All rights reserved.