Today’s security consensus is that password-based authentication and access is insecure, and that some form of two- or multi-factor authentication is necessary. The simplest and easiest second factor is an SMS-based soft token, and that is the route already adopted by many organizations. However, NIST’s recently published concern over some implementations of SMS-based 2FA has provided new impetus for biometric authentication.
ImageWare launched what it describes as the “first ever multimodal biometric authentication solution for the Microsoft ecosystem.” Called GoVerifyID Enterprise Suite (no connection to the UK’s Gov.uk Verify system), the system combines ImageWare’s Biometric Engine and its GoMobile Interactive products to provide true multi-factor biometric authentication.
“As the digital workforce expands, with data extended to external stakeholders and across numerous types of devices and systems, the need for high-assurance, enterprise-wide protection has intensified,” said Jim Miller, chairman & CEO of ImageWare. “The traditional security perimeters have changed and executives are being held accountable for safeguarding data against potentially devastating breaches that can tarnish a brand’s reputation. Armed with GoVerifyID Enterprise Suite, corporations have access to a scalable and affordable solution that works with their existing Microsoft infrastructure and gives them the ultimate peace of mind.”
One of GoVerify’s strongest points is the ease and speed with which it can be integrated into any Microsoft installation. It integrates with Active Directory and is essentially a snap-in to the Microsoft Management Console. It is a SaaS cloud service with the biometrics database held in the cloud, and GoMobile operating as the agent on mobile devices. As a result, costs are kept down (including Opex rather than Capex) while scalability is limitless.
The database stores only anonymized biometric information. If there were ever a compromise, the biometric data would be unusable because it is unattributable. Because it is multi-modal, customers can choose the correct level of secure authentication for different user situations: for example, voice or voice/face or voice/face/fingerprint, etcetera. And because it is cloud/device based, authentication can be achieved even when disconnected from the corporate network.
Out-of-band authentication is achieved with GoMobile on Apple or Android smart devices, while in-band authentication is achieved using any Windows Biometric Framework-compatible device. Since it uses biometrics, it promises to solve the primary weakness inherent in token-based authentication: it authenticates the person and not just the device. Having said that, biometric authentication is not without its critics. Some critics claim that there are few if any biometrics that cannot be spoofed, and that a person’s biometric definitions do not remain constant over time. Fingerprints are a good example.
However, since GoVerify offers multi-modal biometrics, it would be extremely difficult to adequately spoof multiple modes simultaneously. Other biometric options include eye and DNA; but the system can also be used in conjunction with other authentication controls, such as tokens, digital certificates, passwords, and PINS.
ImageWare is no newcomer to the biometrics field. It has extensive existing arrangements with leading biometrics companies and can incorporate existing and new biometric algorithms into its database. The intent is to be complete, yet extensible and agile.