How many keyboards in your enterprise are hiding yellow sticky notes bearing any number of different user names...
Passwords are a necessary evil in any company: they secure access to systems and applications. Users complain about having to remember several of them to reach the resources they need for their jobs, and companies complain about the help desk time consumed by password resets, yet enterprises often balk at the cost and interoperability issues that accompany the available alternatives, such as tokens, smart cards and biometrics.
The Los Angeles County Employees Retirement Association (LACERA), however, wasn't deterred from its effort to eliminate password problems and the expensive additional workload that reset issues caused its help desk. LACERA is a fiduciary that administers the retirement funds for county employees and their beneficiaries. It is one of the top 30 public pension funds in the United States.
During the third quarter of 2002, LACERA completed the implementation of a biometrics system as the login method for the desktops of its 300-plus employees. Instead of having to remember any number of passwords, the specific policy for each of them and the rules for changing them periodically, users now authenticate once with a fingerprint, and a single sign-on layer then handles the logins to all the applications and systems they need to do their jobs.
"When accessing applications on different systems, our users had different passwords for each, each with its own policy requirements, like the number of characters they were allowed to use. Some policies did not support specific characters as well. When changing passwords, users would have to keep in mind the policy for each," said LACERA director of technology James Pu. "Our goal was to deploy a system that leveraged the bio-login system to access multiple platforms, without having to refurbish a credential."
Already heavily invested in Novell technology, Pu turned to the Provo, Utah-based software firm to further secure the LACERA network and assets and to trim help desk costs. LACERA selected a Novell Nsure secure identity management solution based on Novell eDirectory, Novell Modular Authentication Services (NMAS) and Novell SecureLogin, together with Identix fingerprint readers. Pu said he evaluated several fingerprint readers, but most, like Siemens' product, required the reader to be integrated into a keyboard or mouse. Pu opted instead for Identix's standalone reader, noting the different preferences users have for their keyboards and pointing devices.
"We were already using Novell products, and we wanted to leverage our existing user database, so it made sense to go with them," Pu said. "The bio-login product was quite bleeding edge. There were some challenges."
Pu noted interoperability roadblocks that had to be cleared. In particular, getting the fingerprint hardware and the single sign-on software to coexist and behave predictably took work, Pu said. The readers also had to be tuned to pick up the fainter fingerprints of some users.
Yet conversion to a biometric login was important to LACERA and had the endorsement of the CEO, Pu said.
"The password issue was so difficult. Our help desk was taking a lot of calls every day; most of those calls [were] for password resets," Pu said. "The support overhead was high. For our CEO, it was not a question of 'can we afford this?' It was a question of 'can we afford not to do this?' "
Pu also had to overcome some apprehension from users concerned about their privacy.
"People were concerned about what we were going to do with the fingerprint information," Pu said. "We had to explain to them that we don't physically capture the fingerprint, just unique properties of the print. We don't take a picture of the fingerprint."
Pu estimates that LACERA acquired the hardware and software at a cost of less than $250 per user. Implementation, tuning and testing took close to a year and involved several members of his staff, including the help desk, which tested the system once it was installed.
"It took us anywhere between six and 12 months to resolve the interoperability and compatibility issues," Pu said. "This technology was quite bleeding edge. At that time, there was little industry knowledge base and experience implementing this. There was a lot of trial and error on our part.
"Cost was less of an issue. It was important to secure our system. The cost of password-related support and overhead can only grow."