IBM i Security Firm Looks To Mobile Biometrics For Growth
June 3, 2013 Alex Woodie
The day is fast approaching when people who need access to sensitive data will be able to authenticate themselves using biometrics embedded right on their smart phone. Industry experts anticipate Apple to embed a biometric scanner of some sort into the next version of its iPhone. And when it does, the folks at Valid Technologies will gleefully ride Apple’s coattails as it rushes to keep up with orders for its IBM i-based biometric authentication software.
At least that is the hope for Valid, which is based in Boca Raton, Florida. Liberty-loving Americans display a general wariness and resistance to using biometrics, under the mistaken impression that it will somehow compromise their privacy. The Great Recession hasn’t helped some new technologies take off, either. But there are signs that Valid’s fortunes are beginning to shift.
Perhaps the biggest one was Apple’s $356 million acquisition of biometric device maker AuthenTec last summer. Under Apple’s control, AuthenTec has continued to build biometric scanners that plug into PCs and other computing devices, as well as selling SDKs that allow customers and ISVs to modify applications to work with the scanners.
Apple hasn’t publicly discussed its plans for AuthenTec, but it is clear that it acquired the company and its intellectual property (including about 200 patents) to accelerate its efforts to embed biometric sensors into its products. An SEC filing made by AuthenTec (which was then a public company) shows that Apple at first was working with AuthenTec to use its new 2D fingerprint sensor. The talks soon shifted to acquisition, and after the deal was sealed, Apple ordered AuthenTec to stop selling biometric technology to Apple’s competitors, including Samsung.
While the world waits to hear about Apple’s biometric plans, Samsung is moving forward. The South Korean company last week was granted a patent for fingerprint scanning functionality in its Galaxy S3 firmware.
Having a high-end fingerprint scanner embedded directly onto the screen of an iPhone would provide a better form of authentication for iPhone users. It could be used to lock or unlock the device, to authenticate individual transactions, or even used with near field communication (NFC) payment applications, which are popular overseas and will eventually catch on in the United States, too.
The bring your own device (BYOD) movement has made authentication an important issue, says Patrick Botz, president of Valid and a widely respected IBM i security expert. “It’s really very simple to retrofit a legacy app running on the ‘400 to, before completing a sensitive transaction, to go out and verify that the person at the device is the person who was originally authenticated. Our software makes it real easy to add that.”
It will take a tech behemoth like Apple to get the biometric ball rolling, at which point other tech giants like Google, Microsoft, and Samsung will keep the ball rolling. If and when that happens, there will be a sea change in market perceptions for smaller biometric players like Valid Tech and its IBM i-based product, which is called Valid Secure System Authentication (VSSA).
“We’re going to need one of the big companies to overcome some of the initial objections that are, for the most part, invalid with biometrics,” Botz says. “We’re going to need somebody like Apple coming out and putting the money behind it that’s necessary to A, provide credibility, and B, educate people with respect to what biometrics is, what it can do, and what its real problems are.”
No authentication mechanism is 100 percent accurate, but biometrics has a big advantage over the old standby–user names and passwords–which Botz calls “the weakest form of authentication we have.” Botz knows of plenty of cases in which businesses have been comprised due to bad passwords and password management practices.
The next step up from user names and passwords is often two-factor authentication. An example of this is utilizing a pass code that an organization texts to a user’s cell phone. But even this has its weakness, since it’s reliant on what a user knows (a user name) and what a user has (a cell phone), and both of those can be compromised.
Biometrics, on the other hand, isn’t dependent on what a user has or what a user knows. Instead it is dependent solely on users themselves. A fingerprint is the most common form of biometric authentication, but it is not the only form. Iris scanning technology has been around for quite a while, and facial recognition is picking up steam. There are other more esoteric forms of biometrics, such as ear lobe size, or even the detection of subtle patterns in how a user types a certain phrase. VSSA can support all of these, with a little work.
The problems with biometrics boil down to the rates of false positives and false negatives generated by the scanner and the authentication system. Some laptop users reported difficulty in getting fingerprint scanners to work, but those were mostly the result of PC makers embedding cheap scanners into their laptops, Botz says. The need to re-scan has basically been eliminated with the latest generation of fingerprint scanners, such as the Secugen Hamster 4, he says.
Making Biometrics Easy
Another positive market trend for biometrics is standardization. If companies, organizations, or government agencies are forced to move from one proprietary product to another, biometrics will never catch on. Thankfully, the National Institute of Standards and Technology (NIST) has stepped up and defined a standard for the federal government, called ANSI 378. The standard has been in place for several years now, and has been adopted by many of the biometric scanner manufacturers.
For Valid, the fact that its software runs exclusively on the IBM i server complicates matters. There is no coincidence that Valid chose the IBM i server to function, basically, as an authentication appliance. After all, the IBM i server has a reputation as being a very secure machine and tough to crack (if configured properly). “What makes IBM i security great is that it will cost you less to do security right on IBM i than, I contend, on any other platform,” Botz says.
While some companies will buy an IBM i server just to run VSSA, there are also some companies that will not buy VSSA because they don’t want to adopt a server platform that is new to them. For these types of companies, Valid offers a hosted option through its business partner, Premise, a managed service provider (MSP) that runs IBM i workloads in its private Power Systems cloud.
“It’s cheapest for people running on IBM i to implement our software,” Botz says. “But we also have the cloud capability. You don’t even have to have the server running in your environment. In that case, essentially all you have to do is get our agent and the fingerprint sensor installed on a workstation and add our API calls to your applications.”
Biometrics hasn’t caught on yet with the masses, but it’s looking like it may, which would be great news for Valid and VSSA. “Once biometrics really becomes cool in the IT shops, then we’ll be sitting pretty,” Botz says. “The other thing is, it would be so cool if IBM could claim that there’s more biometric authentication being done on IBM i or Power servers than any other platform.”
VSSA is licensed based on the number of users, and pricing typically starts in the low five figures. For more information, see www.validtech.com.