Authenticating users

[Bill Vermillion]

In a thread this past week [and I have not message to which I can
attach a reply] fingerprint ID was mentioned.

This came in one of my e-newsletters this evening.  It's part 1 of
2 part, and follows on a previous thought Kabay had last week on
passwords, and how they hamper work.


Date: Tue, 08 Jun 2004 20:20:01 -0500
Subject: The end of passwords: Ensure's approach, Part 1
To: bv at wjv.com
From: "NW on Security" <Security at nwfnews.com>
....

NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY
06/08/04

....

_______________________________________________________________

Today's focus:  The end of passwords: Ensure's approach, Part 1

By M. E. Kabay

In the previous articles in this short series, I explained that 
I have long sought a system for using proximity devices as the 
basis for identification and authentication, especially in the 
medical environment where most users are under too much pressure 
to tolerate logon/logoff procedures. Such applications would 
benefit from a system that automatically allows session 
initiation when an authorized user approaches a workstation and 
then either suspends access or terminates the session when the 
user needs to - all without any particular human intervention.

Imagine my delight when I received a press release from Ensure 
Technologies announcing precisely this technology. Within a few 
seconds (literally) I was on the phone and arranged to interview 
Tom Xydis, Ensure's CEO and inventor of the XyLoc proximity 
devices.

Here is an abbreviated version of that interview. Note: This 
interview should not be construed as an endorsement of the 
products discussed. I have not personally evaluated the XyLoc 
system and I have no financial involvement whatsoever with 
Ensure.

Q: Tell me about your background.

A: I went to Northwestern University for my B.S. in electrical 
engineering (EE) and have a M.S. and a Ph.D. in EE from 
Michigan. I worked on digital radios and other equipment in the 
1970s and developed the key-fob keyless entry system for cars; 
that got me into low-power wireless. After that I was involved 
in various committees for IEEE 802.3 and .4 and .11, and now 
Bluetooth.

The genesis of the invention for Ensure was my involvement in a 
wireless controls company in the 1990s; we built wireless 
control systems for everything - lights, fans and so on. We had 
a security breach where the salary information for the 
executives ended up on a bulletin board. So people said, 
"Someone must have hacked in." Actually, somebody used an 
unattended terminal that was already logged in.

The comptroller tried to use a password-protected screen saver, 
but it kept interrupting her work, so she started locking her 
door and moved her administrative assistant in front of her 
office rather than use the screensaver. It was that incident 
that made me realize how passwords were getting in the way of 
productivity. I formed Ensure Technologies, where I invented and 
patented the XyLoc in 1998. We knew it was a good product and 
realized that healthcare was the ideal vertical market. They 
needed security but they couldn't let security get in the way of 
their efficiency and workflow.

Q: Tell us what the XyLoc does.

A: Our product automatically senses the presence of an 
authorized user carrying the badge (called the XyLoc KeyCard). 
It knows how far away the person is, so it provides 
identification information to the computer when the person is 
the "Active Zone," which is configurable by system managers. The 
bearer of the key is identified to the system automatically 
logged on for appropriate access as defined by the 
organization's policies. When the person leaves, access is 
suspended or terminated as required. But when a new person 
arrives, the system registers the identity of the new user and 
so the log files are correct and access is appropriate.

For example, if the IT manager arrives, (s)he might be able to 
access the desktop directly without closing the medical 
application; if a nurse arrives, the system can open a separate 
session for the nurse. So if the doctor has left the terminal 
without completing a critical authorization, the system may 
alert the next nurse who arrives about the situation and suggest 
that (s)he find that doctor stat (at once)! This will all depend 
on the organization's security policies in general and for 
particular classes of users.

Next time: How it works.

_______________________________________________________________

I'll send along part 2 when he writes it if anyone wants to see it.

Bill
-- 
Bill Vermillion - bv @ wjv . com