Integrating biometric authentication into multiple applications

Abstract

The Internet has grown from its modest academic beginnings into an important, global communication medium. It has become a significant, intrinsic part of our lives, how we distribute information and how we transact. It is used for a variety of purposes, including: banking; home shopping; commercial trade - using EDI (Electronic Data Interchange); and to gather information for market research and other activities. Owing to its academic origins, the early developers of the Internet did not focus on security. However, now that it has rapidly evolved into an extensively used, global commercial transaction and distribution channel, security has become a big concern. Fortunately, the field of information security has started to evolve in response and is fast becoming an important discipline with a sound theoretical basis. The discipline views the twin processes of identification and authentication as crucial aspects of information security. An individual access attempt must be identifiable prior to access being authorised otherwise system confidentiality cannot be enforced nor integrity safeguarded. Similarly, non-denial becomes impossible to instigate since the system is unable to log an identity against specific transactions. Consequently, identification and authentication should always be viewed as the first step to successfully enforcing information security. The process of identification and authorisation is, in essence, the ability to prove or verify an identity. This is usually accomplished using either one or a combination of the following three traditional identification techniques: something you possess; something you know; or something you are. A critical consideration when designing an application is which identification method, or combination of methods, from the three described above to use. Each method offers its own pros and cons and there are many ways to compare and contrast them. The comparison made in this study identifies biometrics as the best solution in a distributed application environment. There are, however, two over-arching hindrances to its widespread adoption. The first is the environment’s complexity - with multiple applications being accessed by both the public and the private sectors - and the second is that not all biometrics are popular and no single method has universe appeal. The more significant hindrance of the two is the latter, that of acceptance and trust, because it matters little how good or efficient a system is if nobody is willing to use it. This observation suggests that the identification system needs to be made as flexible as possible. In a democratic society, it could be argued that the best way of ensuring the successful adoption of a biometric system would be to allow maximum freedom of choice and let users decide which biometric method they would like to use. Although this approach is likely to go a long way towards solving the acceptance issue, it increases the complexity of the environment significantly. This study attempts to solve this problem by reducing the environment’s complexity while simultaneously ensuring the user retains maximum biometric freedom of choice. This can be achieved by creating a number of central biometric repositories. Each repository would be responsible for maintaining a biometric template data store for a type of biometric. These repositories or “Biometric Authorities” would act as authentication facilitators for a wide variety of applications and free them from that responsibility.