Multi-factor biometric authentication of the authorized user has become a stated requirement for both the DoD (Department of Defense) and healthcare. It just makes sense.
Passwords and the current “use model”
To date, the way most people authenticate to a mobile device comes down to a user name and password.
Passwords simply are not safe. Many online tools are available to break them, easily and quickly; just look at the security breaches across enterprises of every size and in many vertical markets. The most obvious problem, though, is that users take the path of least resistance: easy-to-remember passwords, often the same one reused everywhere, and no two-step authentication at all.
To make things easier (which adds more risk), some users store their passwords in the cloud, or store a fingerprint on the phone for the second step. The problem is magnified if someone breaks into the cloud service and steals the stored passwords (which has happened several times to cloud-based password storage services), or worse, steals the phone with the fingerprint on it. You are then compromised forever, because they now have your biometric, and a biometric cannot be changed the way a password can. Even without the biometric, once the phone is stolen the next step is to obtain your password, and the thief then holds both steps of your two-step authentication.
Consumer smart phones and tablets simply were not designed to be “enterprise security devices”; they were designed to provide a great consumer “experience”!
To see this for yourself, try using your “smart phone” with its WLAN radio on while roaming across an enterprise WLAN. It will fail miserably. Why? Because the radio is low cost and was designed for a “hot-spot” environment. It was not designed for a highly mobile WLAN where robust roaming is needed to keep a persistent and secure WPA2-Enterprise supplicant connection.
Medical Devices and Passwords
Passwords were never designed for high security, and in practice they are not used to authenticate the right user to the right device. How do you know that the person at the console is the one authorized to use it? In fact, through a publicly available web site you can obtain the passwords for most of the CT and MRI scanners on the market. Secure authentication of the authorized user to the networked medical device has become pretty much an afterthought; passwords are often there only for maintenance.
Even when BCMA (Bar Code Medication Administration) was introduced over 15 years ago, clinicians still found “work arounds”, which pretty much negated the whole point of validating the five rights (right patient, drug, dose, route and time).
See the latest Bloomberg article which should open a lot of eyes!
Could these “networked medical devices” not also become the back door into our enterprise networks? That is essentially what happened at a large retail chain: a simple HVAC network became the back door into the internal networks.
http://www.bloomberg.com/features/2015-hospital-hack
Why has multi-factor biometric authentication not been widely adopted?
1. Legacy “smart cards/chip and PIN” were never designed to provide it. Making two-step biometric authentication work with them requires swapping in or adding proprietary infrastructure readers and a lot of expensive technology (fingerprint readers, other scanners, cameras) that is extremely cumbersome to deploy and use. (As an aside, do you really want YOUR biometrics stored on somebody else's server, which they are supposed to keep under control?) Yes, we are finally getting “chip and PIN” cards here in the United States, but we are far behind: it is a patch on the magnetic stripe, and Europe has been using it for thirty years.
2. The proliferation of mobile phones, together with the adoption of Bluetooth Low Energy and NFC, has become the way we live today. Adapting legacy “chip and PIN” technology to this now-accepted modern technology is a challenge. How will it affect workflow, if any type of biometric authentication is really going to work?
3. See the latest article on why the Federal Government has not adopted multi-factor authentication.
Changing the game is the only way for “multi-factor biometric authentication” to work with the highest degree of security. Keep your biometrics close to you and secure. Don't put your passwords in the cloud, where they can be broken into, because you cannot remember them; and don't put your fingerprint on a non-secure smart phone that somebody can steal.
What option is available today to finally allow secure multi-factor biometric authentication in our new mobile world?
Use the technology already in mobile devices (fingerprint readers, camera and voice capture) to capture the biometric, and then perform the match on the card (match-on-card) for multi-factor biometric identification. Your biometrics are stored on a multi-layered, highly secure, enterprise-grade “computer on a card” that you carry and control, so the templates never have to sit on somebody else's server. This will allow a new level of security to finally take off. www.blustor.co
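The following is an added illustration of the match-on-card idea described above, written for this page; it is not BluStor's code and does not describe any real card. It simulates a card that holds the biometric template, a PIN hash and a key, and a verifier that only ever receives a signed nonce. Two stand-ins are assumed: a 32-bit vector with a Hamming-distance threshold replaces a real fingerprint matcher, and HMAC-SHA256 with a key shared at enrolment replaces the asymmetric signature a real card would use. The constants, card ID and sample data are constructed for the demo.

```python
"""Match-on-card multi-factor authentication, simulated.

Added illustration, not BluStor's code and not a description of any real
card. The 'card' holds the biometric template and a key; the verifier
only ever receives a signed nonce. Constructed stand-ins: a 32-bit
vector with a Hamming-distance threshold replaces a real fingerprint
matcher, and HMAC-SHA256 with a key shared at enrolment replaces the
asymmetric signature a real card would use.
"""
import hashlib
import hmac
import os
from typing import Optional

MATCH_THRESHOLD = 4   # max differing bits accepted (constructed value)
PIN_RETRY_LIMIT = 3   # lock the card after this many wrong PINs


class Card:
    """Everything secret stays inside this object."""

    def __init__(self, template: bytes, pin: str, key: bytes) -> None:
        self._template = template                     # never exported
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._key = key                               # never exported
        self.failed_pins = 0

    @staticmethod
    def _hamming(a: bytes, b: bytes) -> int:
        return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

    def authenticate(self, pin: str, sample: bytes, nonce: bytes) -> Optional[bytes]:
        """Return a signed nonce only if all three factors pass on-card."""
        # Factor 1 (knowledge): PIN, with a retry counter against brute force.
        if self.failed_pins >= PIN_RETRY_LIMIT:
            return None
        pin_hash = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(pin_hash, self._pin_hash):
            self.failed_pins += 1
            return None
        # Factor 2 (inherence): the sample is matched against the template
        # here, on the card; the template is never sent anywhere.
        if len(sample) != len(self._template):
            return None
        if self._hamming(sample, self._template) > MATCH_THRESHOLD:
            return None
        # Factor 3 (possession): only this card holds the key, so only it
        # can produce a valid response to the verifier's fresh nonce.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Verifier:
    """The relying party: sees nonces and responses, never templates."""

    def __init__(self, card_id: str, key: bytes) -> None:
        self._keys = {card_id: key}
        self.received = []   # every byte string the verifier ever sees

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, card_id: str, nonce: bytes, response: Optional[bytes]) -> bool:
        if response is None:
            return False
        self.received.append(response)
        expected = hmac.new(self._keys[card_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_flow(card: Card, verifier: Verifier, card_id: str, pin: str, sample: bytes) -> bool:
    """One authentication round trip: challenge, on-card check, verify."""
    nonce = verifier.challenge()
    response = card.authenticate(pin, sample, nonce)
    return verifier.verify(card_id, nonce, response)


# Constructed enrolment data for the demo.
ENROLLED_TEMPLATE = bytes([0b10110010, 0b01101100, 0b11100011, 0b00011111])
ENROLLED_PIN = "4271"
CARD_ID = "card-001"


def make_pair() -> tuple:
    """Fresh card and verifier sharing one enrolment key."""
    key = os.urandom(32)
    return Card(ENROLLED_TEMPLATE, ENROLLED_PIN, key), Verifier(CARD_ID, key)


def flip_bits(sample: bytes, positions) -> bytes:
    """Simulate sensor noise (a few bits) or a different finger (many bits)."""
    out = bytearray(sample)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


if __name__ == "__main__":
    card, verifier = make_pair()
    noisy = flip_bits(ENROLLED_TEMPLATE, [3, 17])     # same finger, 2 bits off
    other = flip_bits(ENROLLED_TEMPLATE, range(12))   # different finger
    print("genuine:", run_flow(card, verifier, CARD_ID, ENROLLED_PIN, noisy))
    print("impostor:", run_flow(card, verifier, CARD_ID, ENROLLED_PIN, other))
```

The point to notice is what the verifier holds: a key and a log of signed nonces, but no template and no PIN. A breach of the verifier (the "somebody else's server" case above) exposes nothing that can be replayed against a fresh nonce or used to reconstruct the biometric, and a stolen card locks itself after three wrong PINs.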
Why has nobody gone down this road before? Read the book “The Innovator's Dilemma”.
http://www.businessweek.com/chapter/christensen.htm