
The WhoIsIt Biometric Security System  


The WhoIsIt certified biometric client/server system

Introduction
The modern work environment accentuates the need for fast, user-friendly authentication methods. Most current methods are based on passwords. Biometrics have the obvious advantage that the user does not have to remember long passwords. However, it is very difficult to implement a biometric solution that is secure enough. This can mainly be attributed to the fact that biometric data cannot be used as keys for the encryption algorithms that secure communication over insecure channels like the Internet.

The QVoice biometric server solves this problem by acting as an authentication server that converts biometrics into passwords or other secrets. Since it can be reached from anywhere on the network (or from the Internet if the server is placed in front of the firewall), the biometric server engine offers the ability to use biometrics safely to eliminate passwords in the entire organization.

Users enroll their biometric signature and register secrets such as PIN codes and passwords with the biometric server. Once users have been enrolled, client software on their machine uses biometrics to authenticate the user and frees the user from typing passwords. The client interacts with the user to obtain a fingerprint from a fingerprint sensor, which is then matched against authorized templates on the server. If there is a match, the server gives out the stored secrets (typically passwords) to the client. The client then uses these passwords as if the user had typed them manually, so the user does not need to type anything to log on.

Note that passwords are still very much in use. However, they are used "under the hood" so that the user does not have to type them. This makes it easy to modify existing applications to use biometrics instead of passwords.

QVoice offers its Cryptographic Service Provider, BIOCSP, a biometric CSP that applications can use to authenticate with biometrics instead of passwords and PIN numbers. Thus the move to biometrics becomes evolutionary, not revolutionary.

Features

The standard QVoice biometric server extends password-based systems by acting as a centralized biometric-to-password converter. This basic functionality can be customized in many different ways. Each option is independent of the others, so the system can be highly customized to customer needs.

The standard WhoIsIt biometric server differs from the WhoIsIt PKI server in that the standard biometric server's database does not enroll PKI keys or digital certificates and does not contain a PKI key store. Therefore the standard server cannot perform the mathematical functions required for a PKI infrastructure.

Biometric matching at client or server

The biometric matching can be performed either by the server or by the client depending on the level of security required. Matching on the server is the only safe alternative (since the server guards access to the secrets in the biometric database). However, the system can be configured to view clients as trusted components of the system. In these cases the clients should be allowed to do the matching since this distributes the load of the biometric matching from the server to the clients.

The communication between the WhoIsIt client and the WhoIsIt server is encrypted using asymmetric crypto algorithms, just like the widely adopted SSH system (Secure SHell). This ensures that a biometric template extracted from the sensor at the client cannot be "sniffed" on the net by hackers and used for fraud.
 

The WhoIsIt biometric server is unique in that the biometric matching is performed on the server, and that it can be used as a biometric-to-password converter. If the matching is not performed at the server, the server is only used as a template store, and clients download authorized templates from the server in order to do the matching themselves. The server cannot safely act as a biometric-to-password converter in this scenario because it must trust the client's claim that there is a biometric match. When the matching is performed at the server, the server no longer has to trust the client, and the system is safe for use even when the server and the client are interconnected by the Internet.
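The trust difference between the two matching modes described above, as an added example that is not WhoIsIt code: the `BiometricServer` class, the bit-comparison matcher, the 0.9 threshold and the sample templates are all assumptions made for illustration.

```python
# Added illustration; the toy matcher, threshold and names are assumptions,
# not WhoIsIt code or its API.
THRESHOLD = 0.9  # assumed similarity required to accept a sample

def similarity(a: bytes, b: bytes) -> float:
    """Toy matcher: fraction of identical bits in two feature vectors."""
    if len(a) != len(b) or not a:
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))

class BiometricServer:
    def __init__(self, match_on_server):
        self.match_on_server = match_on_server
        self.db = {}  # user -> (enrolled template, stored secret)

    def enroll(self, user, template, secret):
        self.db[user] = (template, secret)

    def fetch_template(self, user):
        """Template-store mode only: the client downloads and matches locally."""
        if self.match_on_server:
            raise PermissionError("templates never leave the server")
        return self.db[user][0]

    def release_secret(self, user, sample=None, client_says_match=False):
        """Return the stored secret, or None when authentication fails."""
        if user not in self.db:
            return None
        template, secret = self.db[user]
        if self.match_on_server:
            # The server decides from the submitted sample alone.
            ok = sample is not None and similarity(sample, template) >= THRESHOLD
        else:
            # The server has nothing to check except the client's claim.
            ok = client_says_match
        return secret if ok else None

# Constructed sample data: 16-byte stand-ins for real biometric templates.
ENROLLED = bytes(range(16))
GENUINE = bytes([ENROLLED[0] ^ 0x01]) + ENROLLED[1:]  # one bit of sensor noise
IMPOSTOR = bytes(b ^ 0xFF for b in ENROLLED)          # unrelated finger

def demo():
    strict, trusting = BiometricServer(True), BiometricServer(False)
    for s in (strict, trusting):
        s.enroll("alice", ENROLLED, "stored-password")
    return {
        "server match, genuine": strict.release_secret("alice", GENUINE),
        "server match, impostor": strict.release_secret("alice", IMPOSTOR),
        "server match, bare claim": strict.release_secret("alice", client_says_match=True),
        "client match, bare claim": trusting.release_secret("alice", client_says_match=True),
    }
```

In template-store mode the release decision depends entirely on a flag the client sets, which is why that mode is only appropriate when clients are trusted components.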

Supports any biometric vendor

Any biometric can be used with the system. The system currently supports the following fingerprint providers (Atura swipe sensor, Fidelica pressure-sensitive sensor, Ethentica, SecuGen, authentic 4000), one face recognition provider (Visionics) and one voice recognition provider (QVoice). The server implementation has no dependencies on the various providers, so new biometric providers can be developed and added to the system without requiring any changes to the server or client. Sensors from different manufacturers can be mixed and matched on the WhoIsIt Client/Server system.