Valid Tech Delivers Biometric Authentication Solution for OS/400

by Alex Woodie

Valid Technologies recently took the wraps off a new product called Valid Secure Systems Authentication (VSSA) that uses fingerprints to grant users access to computers, programs, and data--or more importantly, prevent the wrong person from gaining access. While it can be used to grant access to a variety of applications, the product itself runs only under OS/400, because it is the most secure platform on the market, according to company officials.

In development for the past 20 months, VSSA became generally available in August as version 1.4. The software works in tandem with biometric fingerprint readers from American Power Conversion to bolster password protection in critical applications. When a user tries to access an application, or even just a specific area of an application, he is prompted by a pop-up window to place his finger on the APC reader, which plugs into their workstation via a USB port.

The server component of VSSA requires OS/400 V5R3. Information about users' fingerprints (but not images of the fingerprints) are encrypted and stored on the iSeries server. If the fingerprint data taken from APC readers matches the data gathered during the initial enrollment period, the user is granted access. If it doesn't, the user is denied access, and the event is noted in the log.

The VSSA software development kit provides code samples for embedding the VSSA calls directly into business applications written in ILE RPG, COBOL, C++, Java, and Visual Basic. While it takes a bit of work to open applications and embed the VSSA calls directly into the source code, it's done this way for security reasons, says Greg Faust, president of the Boca Raton, Florida, company. "We don't provide a fence or a wrapper or an API, because they can all be spoofed. All our calls are bound into the source code," he says.

Valid Tech takes security seriously. The company collaborated with IBM engineers in the Rochester, Minnesota, lab to make VSSA work. That work with Pat Botz, an iSeries security expert with IBM, and others appears to have paid off, as VSSA has already achieved ServerProven status.

Faust says IBM officials told him they are not aware of any other biometric authentication engines that run natively on OS/400, making VSSA a one-of-a-kind. But that's not to say Valid Tech was the first to try. Faust and his partner, Tom Secreto, were involved with a previous attempt to bring to OS/400 a Linux-based product called the Ethentica Biometric Trust Engine designed by a company called Security First, which has since been bought or gone out of business (see "Tangent Porting Fingerprint Engine to OS/400").

That port never worked, so Valid Tech started fresh with VSSA, Faust says, although it didn't start entirely from scratch. VSSA uses core fingerprint sensing technologies from AuthenTec. VSSA also integrates with key single sign-on (SSO) technologies, including IBM's Enterprise Identity Mapping (EIM), which correlates users' identities on a variety of platforms, and Kerberos ticketing, which provides a secure, cross-platform method for confirming authorization. ("We are not an SSO solution," Faust says. "We don't identify, and we don't authorize. We authenticate.")

VSSA also works with Microsoft Active Directory, albeit not in its strongest configuration. In fact, Faust has quite a difficult time concealing his astonishment at the number of companies using Windows machines as their main repository for user identities and their main platform for authentication.

"If you use Windows Active Directory, as your domain server, and you just want to take away the password part, we can do that. Personally, I don't care what you do with Windows, because Windows is inherently un-securable," he says. "While we have that, and it seems that 90 percent of the world seems complacent with Windows level of security, and the Windows world wants it, that's not what our recommendation would be."

Valid Tech's recommendation would be to base user authentication solutions for key applications on VSSA running on an iSeries. "Put everything you don't care about on your Windows domain, and put everything else on the i5," Faust says. "If availability and security are important to you, you should be running away from a Windows box as fast as you can."

Users can take as fine-grained an approach to deploying biometric authentication with VSSA as they need. Instead of authenticating a user when he first accesses a system, VSSA can be used to authenticate a user at practically any step along the way, according to Faust. For example, some users may just want to protect access to the accounts payable program, or maybe just to the check writing part of AP. "VSSA can be bound in to as many different applications, and as many parts of applications, as needs will require," Faust says.

Valid Tech also sees a use for VSSA in SSO implementations. While SSO can be a boon to organizations by solving the forgotten password problem, putting all that power into a single password can raise new security concerns, the company says. Implementing biometric authentication provides a level of insurance that the user accessing sensitive data is allowed to be there.

VSSA, while initially developed to run under WebSphere, has recently been adapted and now runs under OS/400 HTTP Server (which is powered by Apache). There are currently 10 to 12 customers at various stages of deploying VSSA, Faust says.

VSSA will be demonstrated at the upcoming COMMON conference in Orlando, Florida. Valid Tech will be working with its business partner, CMA (Cherbonnier, Mayer and Associates). CMA, an IBM reseller based in Baton Rouge, Louisiana, plans to attend the conference despite the devastation that Hurricane Katrina caused in CMA's hometown, Faust says.

Software license fees for VSSA start at around $10,000, while companies deploying VSSA authentication to larger groups of 500 to 1,000 users will pay initial license fees equal to about $100 per user. The APC biometric sensors cost about $40 each. For more information, visit www.validtech.com.