The Financial Post
Saturday, December 20, 1997

Thumbs-up access

Encryption does not safeguard your system against a hacker cracking your password. But software that allows you to use your fingerprint to identify yourself to your PC promises security

by Christopher Guly, cguly@magmacom.com

OTTAWA -- Imagine how frustrating, inefficient, and costly conducting business would be if you needed to use separate phones to receive incoming calls, make outgoing calls, handle conference calls, forward others, and manage voicemail.

In the not-too-distant past, that was essentially how security ran on computer networks. Within an organization, security measures were applied at every level of computing platform, desktop, server, and mainframe.

Companies were - and some still are - often faced with assembling a patchwork of security products, including user authentication devices, access control products, firewalls, routers and standalone encryption devices, encryption modes, dial-back modems, and virtual private networking.

The introduction of public-key infrastructures (PKIs) has changed the scenario. Instead of relying on an encryption system based on multiple sites, or one in which a password is required to access a specific computer, PKIs follow the user, who is issued what's known as an X.509 certificate from a third-party certification authority.

These certificates contain a unique serial number issued by the certification authority, the user's name, a validity period for the certificate, and the user's public key (a publicly known user identification number) to which everyone on a network has access. That public key corresponds with the user's secretly held private key.

If someone receives a confidential e-mail message, the private key is used to decrypt it. If someone wants to send a confidential e-mail message, the private key is used to attach a digital signature authenticating the message.

This encryption is all well and good, but the system still has a vulnerable link; it requires a password to log on, and this can potentially be cracked or lost.

Not any more.

Starting early next year, Entrust Technologies Inc. will become the first PKI software company to support biometric identification devices. The idea here is if you forget or lose your password or personal identification number, you can always rely on your thumbprint or fingerprint to grant you access to your computer.

Entrust, based in Richardson, Tex., already provides software support for computers that are accessible with smart cards and tokens. In those instances, users carry their electronic identities within their computer's hardware.

Among the vendors involved in Entrust's expanded cross-certification initiative is American Biometric Co. A one-year-old wholly owned subsidiary of DEW Engineering and Development Ltd., a private company based in Ottawa. American Biometric makes the BioMouse Desktop Fingerprint Scanner, which retails in Canada for about $399.

The BioMouse scans, scrambles, and reduces the fingerprint to about 1% of its original size, producing a biometric password, and can work using one digit or all fingers and thumbs on both hands.

The encrypted (finger) print key is stored in the computer's hardware server and is deployed every time the user logs on to the computer.

"Being hooked up with Entrust gives our customers the best possible security available", says American Biometric vice-president Steve Borza.

Convincing Entrust to support biometric devices wasn't an easy sell, Borza says. "They didn't jump up and down at first .... We had to sell them on the concept."

Interest in the technology has been limited in Canada. While some of the major banks in the U.S., which Borza declines to name at their request, have introduced biometric devices within their organizations, Canada's financial institutions have been slow to consider the technology.

If there's any ray of light on the home front, it's in the federal government, which has 175,000 computer seats on PKI and where a few departments (which again can't be named) are using the BioMouse.

The sluggish response to body-part computer scanners might come down to the issue of cost. Says Ian Curry, director of strategic applications in Entrust's Ottawa office, "If you're going to buy a biometric device and it only works with a single application, it's going to be very painful, cost-wise. But if it secures multiple applications, then that's a different story."

That's essentially the story Entrust and its partner vendors at American Biometric want to convey to the public.

"We now will be able to support multiple applications with a single password or a single biometric authentication", Curry says.

Copyright © 1997 by The Financial Post. All Rights Reserved. Reprinted with permission.