Handbook of Information Security Management:Access Control

Previous Table of Contents Next


Signature Dynamics Systems

The signature pen-stroke speed, direction, and pressure are recorded by small sensors in the pen, stylus, or writing tablet.

Enrollment Procedure and Time

As directed, the subject signs a normal signature by using the pen, stylus, or sensitive tablet provided. Five signatures are required. Some systems record three sets of coordinates vs. time patterns as the template. Templates are encrypted to preclude signature reproduction. A PIN is added through using a keypad. Total enrollment time required is less than 2 minutes.

Template or File Size

Enrollment signature input is averaged into a 1,000- to 1,500-byte template.

User Actions Required

The user states identification through PIN entry on a keypad or cardreader. The signature is then written by using the instrument or tablet provided. Some systems permit the use of a stylus without paper if a copy of the signature is not required for a record.

System Response Time

Visual and audible annunciation of the verified or not verified decision is annunciated after about 1 second. The total throughput time is in the 5- to 10-second range, depending on the time required to write the signature.

Anticounterfeit Method

This feature is not applicable for signature dynamics systems.

Accuracy

Data collection is underway at pilot projects and beta test sites. Current signature dynamics biometric systems have not yet been tested by an independent agency.

Field History

Approximately 100 units are being used in about a dozen systems operated by organizations in the medical, pharmaceutical, banking, manufacturing, and government fields.

Problems Experienced

Signature dynamics systems which previously performed well during laboratory and controlled tests, did not stand up to rigorous operational field use. Initially acceptable accuracy and reliability rates began to deteriorate after months of system field use. Although definitive failure information is not available, it is believed that the tiny, super-accurate sensors necessary to measure the minute changes in pen speed, pressure, and direction did not withstand the rough handling of the public. It is too early to tell whether the current generation of signature systems has overcome these shortcomings.

Unique System Aspects

Among the various biometric identification systems, bankers and lawyers advocate signature dynamics because legal documents and financial drafts historically have been validated by signature. Signature dynamics identification systems are not seen as candidates for access control and other security applications. There are several companies producing signature dynamics systems.

INFORMATION SECURITY APPLICATIONS

The use of biometric identification systems in support of information security applications falls into two basic categories: controlling access to hard-copy documents and to rooms where protected information is discussed; and controlling computer use and access to electronic data.

Access Control

Controlling access to hard-copy documents and to rooms where protected information is discussed can be accomplished by using the systems and technologies previously discussed. This applies also to electronic data tape and disk repositories.

Computer and Electronic Data Protection

Controlling access to computers, the data they access and use, and the functions they can perform is becoming more vitally important with each passing day. Because of the ease of electronic access to immense amounts of information and funds, losses in these areas have rapidly surpassed losses resulting from physical theft and fraud. Positive identification of the computer operators who are accessing vital programs and data files and performing vital functions is becoming imperative as it is the only way to eliminate these losses.

The use of passwords and PINs to control computer boot-up and program and data file call-up is better than no control at all, but is subject to all the shortcomings previously discussed. Simple, easy-to-remember codes are easy for the “bad guys” to figure out. Random or obtuse codes are difficult to remember and nearly always get written down in some convenient and vulnerable place. In addition, and just as important, is that these controls are only operative at the beginning of the operation or during access to the program or files.

What is needed is a biometric system capable of providing continuing, transparent, and positive identification of the person sitting at the computer keyboard. This system would interrupt the computer boot-up until the operator is positively identified as a person authorized to use that computer or terminal. This system would also prevent the use of controlled programs or data files until the operator is positively identified as a person authorized for such access. This system would also provide continuing, periodic (e.g., every 30 seconds) positive identification of the operator as long as these controlled programs or files were in use. If this system did not verify the presence of the authorized operator during a periodic check, the screen could be cleared of data. If this system verified the presence of an unauthorized or unidentified operator, the file and program could be closed.

Obviously, the viability of such a system is dependent on software with effective firewalls and programmer access controls to prevent tampering, insertion of unauthorized identification files, or bypasses. However, such software already exists. Moreover, a biometric identification system replacing the log-on password already exists. Not yet available is a viable, independently tested, continuing, and transparent operator identification system.


Previous Table of Contents Next



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.