Bank’s Approach to Biometric Authentication a ‘Valid’ One

    June 10, 2008 Alex Woodie

    Keeping unauthorized users out of its core banking systems and complying with industry regulations are top priorities for the International Bank of Miami. One way to satisfy these requirements is to implement a strong password enforcement system. However, with users already inundated with passwords, the bank decided to try another strong security mechanism–i OS-based biometric authentication from Valid Technologies–which has streamlined the sign-on process and cut down password reset calls to the help desk.

    With more than $800 million in assets, The International Bank of Miami, or TIBOM, is one of the largest independent banks in South Florida. TIBOM provides financial services in the areas of commercial and real estate lending, personal and online banking, correspondent banking, and Small Business Administration lending. Powering TIBOM’s business is a collection of IBM System i and Microsoft Windows applications. These applications run on a collection of servers that the bank operates at its headquarters in Coral Gables, Florida, and its hotsite, or which are outsourced to third-party service providers.

    About two years ago, the bank started preparing for new industry regulations calling for strong authentication of users logging onto any systems that have an exposure to the Internet. Heading up this endeavor was Ray Guzman, who was TIBOM’s CIO at the time, and who now services the bank as an independent consultant.

    The most obvious solution to this requirement would be to implement a password-based authentication system that enforced the use of strong passwords, with a mixture of letters and numbers in hard-to-guess combinations, and a policy requiring passwords to be changed every 30 to 60 days.

    Biometric Authentication

    However, Guzman was hesitant to implement such a system. Like most groups of users, TIBOM employees were already so inundated with passwords that they had trouble remembering them. As a result, more than 30 percent of all the calls to the bank’s help desk were for password reset requests. Instead, Guzman started researching biometric authentication programs, which enable users to sign on to their applications with a simple swipe of their finger across a scanner that attaches to their PC via a USB port.

    Most of the authentication systems Guzman looked at ran on Windows, which was a concern. “I wasn’t too happy with that, because the security of the application to me was number one,” he says. “I wanted to make sure that the biometric solution was running on an OS platform that I trusted.”

    Right before Guzman was to make his decision on a new authentication system, he heard about Valid Technologies’ biometric authentication system, called Valid Secure Systems Authentication (VSSA). VSSA runs on the i OS (formerly i5/OS), which is one of the most secure operating systems in use today.

    Guzman compared VSSA to the Windows-based solution. They both offered equivalent functionality at an equivalent price, but the fact that VSSA runs on i was a dealmaker for Guzman. “What caught my eye was the solution would run on the OS/400 platform. I hadn’t seen that before, so I immediately became very interested,” he says.

    Running a Windows-based biometric system might be OK for internal users. “But I was looking for more. I was looking for a service oriented architecture solution that would be more than for internal users. It would be for customers of the banks as well as for customers inside the bank,” he says. “Once I saw VSSA, I said ‘This is what I’m looking for.'”

    VSSA Implementation

    Guzman started testing VSSA on TIBOM’s System i 525 server about a year ago. The initial install, which involves inserting VSSA program calls into the target applications, went smoothly, according to Guzman. The test targeted TIBOM’s Microsoft Active Directory running on Windows Server 2003, which is used to control access to its applications and network.

    “It was clear to me that it was a simple solution, yet because it was on the OS/400 server, it was very secure,” Guzman says.

    The test was a success. Today, whenever one of TIBOM’s 150 internal users attempts to sign on to specific Windows and i (OS/400) applications, instead of prompting for a password, the bank’s Active Directory server requests users to place their fingers on the USB-based scanners from APC, which check their fingerprints against the original prints (actually, a binary rendition of the prints) stored on the System i server.

    Once users were enrolled in the VSSA system (which wasn’t the easiest part of the process–see below for more), the results were immediate and dramatic. Calls to the help desk dropped by more than 25 percent, freeing up TIBOM’s IT staff to focus on other problems. Guzman estimates TIBOM has recuperated most of the costs of the VSSA implementation in the first year of usage.

    Not all of TIBOM’s banking applications are utilizing VSSA for authentication. Its i OS-based wire transfer application is hooked up to VSSA, as are various Windows applications. Plans are being made to use VSSA with TIBOM’s Internet banking Web site.

    But its core banking system, developed by a prominent Midwestern i OS banking software company, is not yet hooked in. The integration work for VSSA has been done and tested. However, because the vendor runs TIBOM’s banking software for it as part of an outsourcing arrangement and TIBOM does not have ready access to the server, and because TIBOM is asking the vendor to tweak the RPG source code (not to mention that the vendor offers a Windows-based biometric alternative), caution has been the word in getting this application hooked up to the fingerprint scanners.

    The Enrollment Process

    “In my opinion the enrollment is the most important piece of the VSSA puzzle,” Guzman says. “If you don’t enroll users the right way, they will not accept the solution because they’re going to have a lot of false negatives.”

    The enrollment process involves working with users to scan their fingerprints into the VSSA database, and then showing them how to correctly use the APC scanners each time they want to log onto the system.

    TIBOM had some user issues in the early days of the enrollment process. Guzman attributes it to a lack of training of his IT staff. Once a solid procedure was mapped out–including graphics showing the correct way to place fingers on the scanner–there were few problems with the system. “There’s a procedure, and they have to follow it exactly,” Guzman says.

    The second most important piece of the puzzle is educating users about the information collected and stored by VSSA, Guzman says. VSSA doesn’t keep a copy of fingerprints or even an image of fingerprints that are scanned into the system. Instead, it creates a binary rendition–a number–based on the unique curves of an individual’s fingerprint, and it’s this unique number that’s used to authenticate the user.

    Some TIBOM users were hesitant to allow their employer to scan their fingers. However, once Guzman or one of his IT staff explained to the users that they were not compromising their privacy in any way, they were OK with it.

    “You must do individual training,” Guzman says. “You have to take two to three minutes to explain to them what’s going on, how the system works, that we don’t have a picture of your finger anywhere in the systems, that there’s no way that we can reproduce the fingerprint or a picture of a fingerprint because VSSA can only use a template kind of technology . . . once you explain that to the customer, they say, ‘Oh, great, excellent.’ If you don’t do that, then they will come to you and say ‘I don’t want a picture of my finger anywhere on the network.'”

    However, explaining this in such a way that doesn’t insult the user can be challenging. “You don’t want to make the customer look dumb,” he says. “You have to be very careful, and you have to explain it in a way that is not a technical way.”

    Overall, Guzman is very happy with the VSSA implementation. TIBOM is complying with regulations, forgotten passwords are less of a problem, and there is less room for abuse of system privileges.

    RELATED STORIES

    Pat Townsend to Resell Valid’s i5/OS Biometric Authentication

    Valid Tech Assimilates Biometric Authentication Into the Enterprise

    Valid Tech Delivers Biometric Authentication Solution for OS/400




Volume 17, Number 23 -- June 10, 2008

Copyright © 2025 IT Jungle