Case Study: Biometrics Eases City's Network Access, Security Woes

When the IT department in the city of Oceanside, Calif., got tired of fielding "lost password" calls from users, it found relief in biometrics. Find out how Oceanside employed a fingerprint logon system to eliminate the calls -- and in the process also boosted its network security.

The IT department in the city of Oceanside, Calif., used to get blitzed every day with calls from users who forgot their passwords and were locked out of their accounts.

With 1,100 municipal employees in about a dozen departments (fire, police, economic development, finance, etc.), dealing with password problems became a costly and time-consuming pursuit.

Michael Sherwood, Oceanside's IT director, said a typical day would bring 50 or more calls requesting password help (about a quarter of the daily calls for support). He estimated each call cost the city $50-$75, including the time spent by the IT staff plus the unproductive time of employees waiting to access the network, among other costs.

"If we're busy and have six or seven password re-sets, you might have to wait 30-45 minutes," said Sherwood, who oversees a 17-person IT staff. "We can't afford to have somebody sitting around waiting for a password."

As in any other large enterprise, the problem had its roots in the numerous user ID/password combinations that workers in Oceanside had to remember. Workers either forgot their passwords outright, wrote them on sticky notes on their desks (a big security risk) or left their password list at home.

Help for the help desk
In 1998, Oceanside went looking for technology that would rescue its help desk. It came away with a product that does just that, and goes a step beyond to significantly enhance network security.

The solution: A biometric fingerprint authentication system called BioLogon, made by Identix, a Los Gatos, Calif., company founded in 1982. Identix's customers include the U.S. Department of Defense/National Security Agency, the FBI, and others with high-security needs.

Now, instead of remembering a user ID/password combo for logging into the network (and for each database they need to access), employees in Oceanside place one finger on a small biometric reader attached to their PCs and get logged in immediately.

For Oceanside's IT department, the new approach to network administration was immediately successful. Calls for log-on assistance were reduced to one or two a day. Once new users are given a 10-minute tutorial and register a fingerprint with the system, they rarely have to call the IT department for assistance. (The biggest problem: Smudges on the fingerprint reader.)

'Remembering' with sticky notes
Recalling his search for a technology solution, Sherwood said his primary goal was to relieve the pressure on his IT staff, which was busy managing more than 40 systems across all departments. Improving network security was a secondary goal.

It was easy to see why they were fielding so many password calls. The city supports more than 40 systems, and many of the 1,100 employees need to access more than one system to do their work and must remember different user ID/password combos for each one.

By way of example, he cited the variety of systems a police detective in Oceanside might need access to: the overall network (with integrated email, voice and fax); computer-aided dispatch; records management; motor vehicle records; mug shot archives; the parking enforcement database; and more.

"Each system maintains its own security, so the user had to remember each password and user ID for each system," Sherwood said. Add that to the other passwords in their brains (ATMs, home alarm codes, etc.) and it becomes too much for many people to remember.

Their ways of "remembering" brought on security issues -- namely, many people were writing their log-on info on sticky notes next to their computers, leaving open the possibility that unauthorized users could get into critical systems (financial information, police records, etc.).

Smart-card idea: not so wise
Sherwood first looked at a "single sign-on" technology under which users get one user ID/password combo to let them into all systems. That solved the problem of remembering multiple passwords, but left a bigger security gap: An unauthorized user could access multiple areas of the network if they obtained one ID/password combo.

The second solution Sherwood considered was a "smart card" for network access. With that technology, each user would be issued a chip-embedded card that they swiped through a reader to access the network. There were problems with that. Users still had to remember a password. They had to remember to bring the card to work. And they also were prone to losing their cards (which cost up to $60 each to replace).

In a pilot program among 15 IT staffers, three smart cards were lost within two weeks. The thought of issuing more than 1,000 cards to citywide employees dissuaded Sherwood from that solution.

Sherwood then looked at BioLogon from Identix. BioLogon's fingerprint ID system is one of a variety of James Bond-like authentication solutions that employ biometrics, using biological traits to identify users and grant access. Fingerprint solutions are the simplest, cheapest and most common.

Other biometric solutions being used for various authorization systems include eye and palm scans (the latter mainly for door access systems), as well as facial- and voice-recognition systems. (Sherwood said other biometric solutions cost up to $1,000 per user and could not promise the same reliability as fingerprint solutions.)

The hardware component of BioLogon is a small fingerprint reader -- about $100 -- that attaches to the user's PC. (The biggest maintenance problem is keeping it clean.) The other component of the system, software for the users' machines, costs about $50 per user, plus server software, meaning the solution cost around $150,000 to roll out.

BioLogon software is loaded onto users' computers to translate the fingerprint image on the reader into digital data. Server software compares that to the record in the database. The system analyzes a section of a fingerprint (not the whole print), looking at the ridges and valleys for a match. When the match is confirmed, the user is logged on to the network (including all systems they're authorized to use). The process takes about one second.

ROI is there
With the cost per user around $150, Sherwood said the system easily pays for itself. At an estimated $75 per call for password support, an employee would only have to avoid making two calls for it to pay for itself.

Sherwood said there's just a 1 in 100,000 chance the wrong user would gain unauthorized access to the network with the fingerprint scan.

BioLogon quickly won approval in Oceanside. It took 120 days from pilot program to total rollout. Users had one major concern: the privacy of their fingerprint information. Sherwood said the system does not capture a record of the print itself, just the traits of a small portion of the print. But he said that better communication at the time of roll-out would have addressed users' concerns more effectively.

BioLogon is "simple to use," Sherwood said. "It's a software application that you load to the workstation, and there's no need to go back to the workstation." Training is minimal, failure rate is low (less than 2%) and most of those problems relate to keeping the fingerprint reader clean.
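The article describes the matcher in three pieces: the stored record is a set of traits extracted from part of the print rather than the image, the server scores a live sample against that record, and the chosen operating point gives a false-accept chance of about 1 in 100,000 and a failure rate under 2%. The following is an added illustration of that decision structure, written for this page; it is not Identix or BioLogon code, and the minutiae coordinates and the score distributions are constructed assumptions, not measurements of any real reader.

```python
"""Template-based biometric matching with a FAR/FRR operating point.

Added illustration (not Identix/BioLogon code). Everything below that looks like
data is constructed for the example: the feature points, the tolerances and the
genuine/impostor score model are assumptions, not measured values.
"""
import math

# A "template" holds only extracted feature points (x, y, ridge angle in degrees),
# never the fingerprint image. Losing a template leaks less than losing an image,
# which is the privacy point the article's users asked about.
ENROLLED = [(10, 10, 30), (40, 22, 95), (25, 60, 180), (70, 55, 270), (55, 80, 45)]

# Constructed live samples: the same finger with small sensor jitter, and a
# different finger.
PROBE_SAME_FINGER = [(12, 9, 34), (38, 24, 90), (26, 58, 176), (72, 56, 275), (53, 82, 40)]
PROBE_OTHER_FINGER = [(5, 70, 10), (60, 15, 200), (30, 30, 300), (80, 80, 120), (15, 45, 250)]


def angle_diff(a, b):
    """Smallest absolute difference between two angles in degrees (wraps at 360)."""
    return abs((a - b + 180) % 360 - 180)


def match_score(enrolled, probe, dist_tol=6.0, angle_tol=15.0):
    """Fraction of enrolled points that have a probe point within tolerance.

    Tolerances absorb placement jitter and smudges; too loose and impostors
    score well, too tight and genuine users are rejected.
    """
    matched = 0
    for x, y, a in enrolled:
        for px, py, pa in probe:
            if math.hypot(x - px, y - py) <= dist_tol and angle_diff(a, pa) <= angle_tol:
                matched += 1
                break
    return matched / len(enrolled)


def accept(score, threshold):
    """The access decision is simply: score at or above the operating threshold."""
    return score >= threshold


# --- Operating point: how a threshold fixes FAR and FRR -----------------------
# Constructed score model (mean, std dev) for genuine and impostor comparisons.
GENUINE = (0.85, 0.08)   # assumption
IMPOSTOR = (0.25, 0.08)  # assumption


def normal_cdf(x, mu, sigma):
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def far(threshold, impostor=IMPOSTOR):
    """False-accept rate: probability an impostor score clears the threshold."""
    return 1.0 - normal_cdf(threshold, *impostor)


def frr(threshold, genuine=GENUINE):
    """False-reject rate: probability a genuine score falls below the threshold."""
    return normal_cdf(threshold, *genuine)


def threshold_for_far(target_far, impostor=IMPOSTOR, lo=0.0, hi=1.0, iters=60):
    """Lowest threshold whose FAR does not exceed the target (bisection; FAR is
    monotone decreasing in the threshold, so the invariant far(hi) <= target holds)."""
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if far(mid, impostor) > target_far:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    t = threshold_for_far(1e-5)  # the article's quoted 1-in-100,000 false-accept chance
    print(f"threshold for FAR<=1e-5: {t:.3f}, FRR at that point: {frr(t):.4%}")
    for name, probe in (("same finger", PROBE_SAME_FINGER), ("other finger", PROBE_OTHER_FINGER)):
        s = match_score(ENROLLED, probe)
        print(f"{name}: score={s:.2f} accepted={accept(s, t)}")
```

The security-relevant design choice is that the threshold is set from the impostor side first (pick the false-accept rate you can live with) and the false-reject rate falls out of it; under the constructed score model the 1-in-100,000 operating point leaves a reject rate comfortably under the 2% the article reports, but with a real reader that rate has to be measured, not assumed.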

"I've had more people come by my office and want to know (how it works). They're amazed," he said.

Above all, it has increased network security and solved Oceanside's biggest concern, eliminating "lost password" calls.

Says Sherwood: "Most people don't forget their fingers when they come to work."
