Biometrics and authentication webinar v3

City of Winter Park, Florida

Biometrics and Biometrics and AuthenticationAuthentication

City of Winter Park, Florida

Biometrics and Biometrics and AuthenticationAuthentication

George MaldonadoSystems AdministratorMCSE, CCNA, MCP, Net+

Lets Define !

“biometric: is a physiological or behavioral characteristic of a human being that can distinguish one person from another and that theoretically can be used for identification or verification of identity.”

“authentication: Positive verification of identity (man or machine), verification of a person’s claimed identity”

FBI CJIS Requires: That Each person who is authorized to store, process, and/or transmit FBI CJIS/CHRI data must be authenticated by use of a unique user ID and password or a form of advance authentication. Advance authentication is required for devices that access FBI CJIS data/CHRI from non secure locations or via the internet, wireless or dial-in connections.

Advance authentication is the term describing added security functionality, in addition to the typical use identification and authentication of login ID and password.

Who are you? Prove it.

Why Biometrics? Biometrics is the simplest and most inexpensive way to accurately identify or verify individuals

based upon each person’s unique physical or behavioral characteristics. Biometrics work by unobtrusively matching patterns of live individuals in real time against enrolled records.

It fits the basic security principal:“What You Have, What You Know, What You Are”

Biometric-based solutions are able to provide for confidential financialtransactions and personal data privacy. The need for biometrics in the enterprisewide network security infrastructure is a must technology, because single-factorauthentication methods are easy to break and therefore inherently important toour citizens. Identity thefts Something you know can be stolen Shared, predicted or hacked Fingerprints – mature enough to deter crime and even terrorism

Implementation Summary

User Statistics Total Users: 545 Users with registered fingerprints: 364 Readers deployed: 364

City Hall Emergency Vehicles (Police and Fire Trucks) Electric Division & Water Plants Central Facilities including vehicle maintenance

Fingerprints as a Biometric High Universality A majority of the population (>96%) have legible fingerprints Even identical twins have different fingerprints (most

biometrics fail) Individuality of fingerprints established through empirical

evidence High Permanence Fingerprints are formed in the fetal stage and remain

structurally unchanged through out life. High Performance One of the most accurate forms of biometrics available High Acceptability Fingerprint acquisition is non intrusive. Requires no training. .

What We Are Using

DigitalPersona Pro for Active Directory Installed on desktops Installed on existing servers

Hardware DigitalPersona U.are.U 4500 fingerprint readers Existing “swipe readers” embedded in various

models of popular notebooks and PCs.

IT Environment (Past & Present)Current Environment Single Active Directory Domain Password Authentication

Applications Login to:

Windows Domain or Network Access Naviline iSeries (AS400 Green Screen) Outlook

Any application setup for biometric logon at the City will have this icon on the logon screen

Driving Forces

Pain Points Resolve password related issues

Needed Security that couldn’t be shared Eliminated desktop sharing Excellent opportunity to put in place Password and screen

saver Policies

Meet CJIS Mandate Requirements Advance authentication is required for devices that access FBI

CJIS data/CHRI from non secure locations or via the internet, wireless or dial-in connections.

Advance authentication is required for devices that access FBI CJIS data/CHRI from non secure locations or via the internet, wireless or dial-in connections.

Available Solutions

Solutions Considered Inflexis DesktopID

Why other solutions were not selected No real AD integration “Petting” reader No centralized fingerprint storage No different than a token device (can get

expensive)

Why DigitalPersona

Easy for Users Employees embraced it Best trade off between convenience and security Faster than recalling and typing very complex passwords Intuitive to use – visual cues

Simple user registration process Single Sign on function Automatic Wizard detects login fields in applications and

web sites

Easy for the IT Administrators Easily create login templates for applications the Wizard

cannot detect Push out the templates via GPOs

Why DigitalPersona

Robust, Centralized Server Software Tight Active Directory Integration Single or Two-factor authentication options Flexible Authentication Policies

Secure and Compliant Met CJIST mandate of requiring Two-Factor Authentication Event Logs of who accessed what and when Protect sensitive information through digital signing and

encryption of email and documents

Reader is well constructed

Implementation Summary

Benefits to IT:

Met federal and state requirements Avoid fines and penalties

Compliance’s intrinsic benefit Creates a more definitive baseline for data sharing

and protection. Improve security, communications, and overall

business practices.

Create Flexible Group Policies

Implementation Summary

CJIS Compliance Impact Criminal Justice Information System

FBI Requirement Two-factor Authentication

Create and maintain criminal justice information system For authorized state, local criminal justice, and

noncriminal justice users Supports operations, policy analysis, and public

safety Must be accurate, timely, complete, appropriately

secured to protect privacy rights, cost-effective, and accessible.

General Issues

Low humidity areas may require hand moisturizer

During initial set up, shield the fingerprint reader from direct sunlight

Thank You!!

George MaldonadoSystems AdministratorMCSE, CCNA, MCP, Net+