CTOs and other business leaders must constantly walk the tightrope of evaluating emerging technologies. When it comes to e-business authentication practices, careful steps are needed now to avoid falling into the negative ROI abyss that may lie just ahead.
A recent Gartner Group report on authentication and e-business shows an alarming trend. The report states that by 2005, 60% of enterprise sites will continue to extend the use of ID and password constructs to ever more sensitive e-business applications. Gartner expects the impact of this extension to cause a rise in fraudulent accesses that will negatively impact the ROI.
Does this mean we should abandon ID and password constructs? Not at all. We just need to begin looking at ways to merge ID and password access with emerging authentication techniques. This will greatly reduce the threat of fraudulent accesses.
You'll want to choose different authentication strategies based on how critical individual applications are to your overall operation. The good news is that there are a lot of techniques (some new and some evolving) to choose from. Some of these include biometrics, digital signatures, smart cards, and single sign-on.
For high-impact applications, you'll want to use a multilayered approach that leverages ID and password constructs along with one or more authentication techniques. The authentication marketplace will meld together during the next couple of years and many of these authentication technologies will begin to be more interwoven into single solutions.
In particular, expect to see biometric technology merge with smart card solutions. Moreover, expect to see biometric techniques combine with digital signature technologies. These trends are particularly important given the move to online contractual business.
So what is biometric authentication? Biometrics uses unique physical or behavioural characteristics to verify identity. Physical biometrics validates things such as faces, hands, fingerprints, and the retina in your eyes. Behavioural biometrics has to do with things such as voice or handwriting. Of these two, physical biometrics is viewed as being more accurate.
There are two ways that biometric technology can work. The first is a closed-search method, in which the user provides a unique identifier to match against a previously stored image or record. The second is an open-search method that tries to identify the user based on information at hand.
As with any emerging technology, there are challenges to deal with before you can blend biometrics (and other authentication options) into your e-business application access strategy. Some biometric issues will dissolve as the technology reaches a more mature state, whereas others will require leaders to communicate and resolve user-related issues.
In particular, biometric solutions need to be easy for users to employ. Many of the current solutions require significant end-user training or produce many errors because they are difficult to carry out. For example, to do a retina scan today, the user needs to know just what head position will produce the desired results. By contrast, fingerprint-based biometrics is straightforward and produces fewer training requirements or errors.
Producers of biometric solutions also need to find ways to reduce error rates. Today, time and environmental conditions can cause error rates that are too high. For example, facial biometrics will change with age, while voice biometrics will vary based on background noise. The technology will need to better address error rates, or flexibly let customers set acceptable error rates, before it will be viable.
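To make the closed-search and open-search methods and the adjustable error rate concrete, here is an added example that is not part of the original column. It assumes toy three-number feature vectors, cosine similarity as the match score, and constructed score lists; the function names are hypothetical and no real biometric product works on data this simple.

```python
import math

# Constructed enrollment database: user id -> toy feature vector standing in
# for a real biometric template (assumption for illustration only).
ENROLLED = {
    "alice": (0.90, 0.10, 0.30),
    "bob":   (0.20, 0.80, 0.50),
    "carol": (0.40, 0.40, 0.90),
}

def similarity(a, b):
    """Cosine similarity between two feature vectors (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def verify(claimed_id, sample, threshold):
    """Closed search (1:1): compare the sample only with the claimed user's record."""
    template = ENROLLED.get(claimed_id)
    return template is not None and similarity(sample, template) >= threshold

def identify(sample, threshold):
    """Open search (1:N): score every record; return the best id or None."""
    scored = [(similarity(sample, t), uid) for uid, t in ENROLLED.items()]
    best_score, best_id = max(scored)
    return best_id if best_score >= threshold else None

def error_rates(genuine, impostor, threshold):
    """Return (false reject rate, false accept rate) at the chosen threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

# Constructed match scores: GENUINE = same person under noisy capture
# conditions, IMPOSTOR = a different person presenting a sample.
GENUINE = [0.99, 0.97, 0.95, 0.91, 0.86]
IMPOSTOR = [0.60, 0.72, 0.81, 0.88, 0.93]

if __name__ == "__main__":
    noisy_alice = (0.85, 0.20, 0.25)   # constructed: Alice, imperfect capture
    stranger = (0.50, 0.50, 0.50)      # constructed: not enrolled at all
    print(verify("alice", noisy_alice, 0.95), verify("bob", noisy_alice, 0.95))
    print(identify(stranger, 0.95), identify(stranger, 0.90))
    for t in (0.80, 0.90, 0.95):
        print(t, error_rates(GENUINE, IMPOSTOR, t))
```

Lowering the threshold from 0.95 to 0.90 is enough for the open search to match the unenrolled sample to an enrolled user, while raising it turns away more legitimate users: that is the trade-off a site accepts when it sets its own error rate.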
Another big hurdle is the investment required to implement biometrics. Although the costs are coming down, these solutions are still too expensive for many sites. In particular, you'll need to invest in hardware to capture biometrics and in databases and server power to house and process the information. Then you'll need to account for staff or service provider costs for those who can design and implement a biometric system. You'll have to factor in user education, too.
Beyond user education there exists a more complex problem in gaining acceptance of the use of biometrics, whether it be with internal employees, external customers, or business partners. The more intrusive the biometric, the less acceptance you will find. People may express health concerns surrounding the use of the technology or feel that their privacy is being invaded or that biometrics might be too much of a Big Brother approach. CTOs and business leaders will need to find ways to deal with these very valid concerns.
It is clear that IDs and passwords alone are no longer enough to maintain appropriate security measures. Although biometric authentication techniques may not be viable in many settings for three or more years, it is wise to keep tabs on the authentication marketplace now.
In particular, be mindful of digital signature or smart card solutions you might be implementing. With the expected convergence among authentication techniques, it is wise to research the plans of long-term solution providers that relate to biometrics.
We may indeed reach a time in the not too distant future when biometrics is the norm and passwords are passé. Those who keep an "eye" on emerging authentication strategies will be biometric-ready and far less likely to expose the corporate jewels to fraudulent interests.
Maggie Biggs is director of the InfoWorld Test Center.