BioMetric Computer Network Security

A company which specializes in remote network access and security needed to upgrade their prototype application. Their application provided user management and handled voice authentication to provide the user base with single-use, time-sensitive volatile random passcodes which can be used to grant access to network resources for remote users. The existing application is on the forefront of technology and offers corporations highly secure authentication. The authentication engine is unbreakable and has a proven track record over the past 15+ years. The application replaces and/or integrates with existing SECURE-ID card technology and can simplify the administration of security for large-scale user bases. Since the authentication method is tied to the user's voice, it does not suffer from the conventional problems of a "key" being lost, stolen or forgotten.

The interface to the application is an administrative console, which allows user group management and control over individual access parameters such as connected session duration and password expiration times. The user community interacts with the application via a telephone interface, which guides the user through the necessary telephone digit and voice responses. Once verified and authenticated, the user can generate a volatile passcode or, in the case of administrator-level users, perform administrative functions. The application therefore requires minimal investment in remote hardware and facilitates domain and user management.
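The passcode flow described above (voice-authenticate the caller, then hand out a random code that is valid once and only for a short window) is easy to get subtly wrong: a code that can be redeemed twice, or that never expires, defeats the point. The following is an added illustration, not the company's code (the page does not show any), of the properties such a passcode store needs. The class name, the 5-minute lifetime, the 8-character code length, the salted-hash storage and the `FakeClock` used for testing are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Uppercase letters and digits only: unambiguous when read back over a phone keypad.
ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class _Issued:
    code_hash: bytes   # salted SHA-256 of the code; the plaintext code is never stored
    expires_at: float  # absolute time after which the code is dead
    used: bool = False


class PasscodeService:
    """Issues and redeems single-use, time-limited random passcodes.

    Hypothetical design for illustration: issue() is called only after the
    caller has passed voice authentication. Only a salted hash of each code
    is kept, so a leaked table cannot be replayed against the gateway.
    """

    def __init__(self, ttl_seconds=300, length=8, clock=time.time):
        self._ttl = ttl_seconds
        self._length = length
        self._clock = clock                  # injectable so expiry is testable
        self._salt = secrets.token_bytes(16)
        self._issued = {}                    # user_id -> list[_Issued]

    def _hash(self, code):
        return hashlib.sha256(self._salt + code.encode("ascii")).digest()

    def issue(self, user_id):
        """Return a fresh CSPRNG-generated passcode for an already-authenticated user."""
        self._purge_expired()
        code = "".join(secrets.choice(ALPHABET) for _ in range(self._length))
        rec = _Issued(self._hash(code), self._clock() + self._ttl)
        self._issued.setdefault(user_id, []).append(rec)
        return code

    def redeem(self, user_id, code):
        """Validate and consume a passcode; returns (accepted, reason)."""
        h = self._hash(code.strip().upper())
        for rec in self._issued.get(user_id, []):
            # Constant-time compare keeps response timing independent of how
            # many leading bytes of the guess happen to match.
            if hmac.compare_digest(rec.code_hash, h):
                if rec.used:
                    return False, "replayed"
                if self._clock() > rec.expires_at:
                    return False, "expired"
                rec.used = True              # consume: second use is rejected
                return True, "ok"
        return False, "invalid"              # wrong user or unknown code look the same

    def _purge_expired(self):
        """Drop records past expiry. Used records stay until then so replays are still flagged."""
        now = self._clock()
        for user_id in list(self._issued):
            self._issued[user_id] = [r for r in self._issued[user_id] if r.expires_at >= now]


class FakeClock:
    """Test helper: a clock the caller advances by hand."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t
```

Binding each record to the user that authenticated means a code overheard on the phone is useless without that user's identity at the gateway, and returning one generic "invalid" for both wrong-user and unknown-code keeps the gateway from confirming which of the two was wrong.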

The big challenge for this company was to make the functional prototype a distributed and scalable application. The tasks performed to accommodate this were:

  • Change the database interface to standard ODBC to provide database independence.
  • Performance-tune the database interface so that large-scale operations are optimized.
  • Extend the database design to accommodate a distributed architecture in which applications use information maintained within the database to control and configure their operation.
  • Distribute the functionality contained within the single all-encompassing application across multiple smaller single-purpose applications, each of which handles its tasks independently and asynchronously.
  • Develop a method that allows the distributed applications to communicate in a secure manner.
  • Develop fault-tolerance and redundancy plans that allow one or more nodes of the infrastructure to be taken offline. The added benefit here was the ability to switch critical processing to other nodes during a failover event. These features allow operation to continue with little to no disruption of service.

The initial prototype system was suitable for several hundred users. The distributed system is highly scalable and can support tens of thousands of users. The key to this change in scalability was distributing the applications across multiple computers in separate locations. The applications can communicate over the internet, which makes the location of the hardware virtually arbitrary. When more processing power is required, the database server, authentication engines or telephone call processing units can each be increased. Given this type of scalability advantage, the company is now positioned to tackle security problems for major corporations.

The original application was developed using C/C++, Visual Basic and an Access 97 database. The new distributed platform consists of Visual Basic and C/C++ applications connected to ODBC-compliant databases (Access, SQL Server, Oracle, etc.). The distributed applications can be run on remote Windows NT Workstation/Server platforms. The database server can run on any platform as long as an ODBC-compliant interface is provided.