(courtesy of Hongkong Post)

(Courtesy of 信報)

5. Further step for other CA recognition is being implemented by the newly formed CARO as reported below.

(Courtesy of ComputerWorld Mar 2000)

6. This still cannot solve the basic security problem of authentication. Why? 

* This ONLY authenticates the private key, not the user!
* A Private Key MUST only be known to the user or system using it.

A compromised private key is like giving away a blank signed cheque!

"Certificates . . . do not address a fundamental problem: authentication.
Because access to the certificate is generally based on user ID and pass
phrase, an interloper with access to a user's workstation and with knowledge
of the person's user ID and pass phrase could masquerade as that user.
Accordingly, applications that require higher levels of safety need tokens
and biometrics." - Gartner Group (Courtesy of Gartner Group)

7. Here, "tokens" refer to a Real Time Password Tokens for example the SecurID Card by RSA (formerly called Security Dynamics). Please see Security Product Vendor Links

8. "Biometrics" means devices to identify people by personality eg. the fingerprint scanner by Mytec. Please see Security Product Vendor Links

"Maximum Security" - Computer Reseller News, January 31, 2000 
http://www.techweb.com/se/directlink.cgi?CRN20000131S0061

Biometric devices identify people by physical traits such as fingerprints, irises, faces or voices. It is a small but growing market, as businesses search for ways to increase security, particularly with the e-commerce explosion.

The market for biometrics totaled approximately $260 million in 1999, according to International Biometric Group LLC (IBG). The New York-based integrator and consulting firm expects the market will grow 30 percent to 40 percent per year over the next few years, said Raj Nanavati, a partner at IBG. "Biometrics will become ubiquitous."

So far, biometrics vendors-and there are dozens-have focused on developing the technology, he said. Now they are building distribution channels and educating users, which is where VARs play a key role, Nanavati said.

IBG's clients include financial service organizations, government agencies, hospitals and airlines. The growth of the Internet and anonymous transactions has more businesses looking at security based on human traits, Nanavati said.

Financial institutions, especially ones implementing business-to-consumer and business-to-business e-commerce infrastructure, are moving to biometric solutions as a way to reduce fraud, said Dan Ratchford, technical architect at EDS Systemhouse Inc., a Toronto-based integrator. "Customers that are already security conscious are becoming biometric-aware," he said.

The technology provides the highest level of security and is easier to use and administer than a system that uses passwords, said biometrics proponents. "How do you authenticate that person sitting in front of the computer?" Nanavati said. "Biometrics is the only secure way of doing that."

However, the technology is not a cure-all, said Andrew Bartels, senior research analyst at Giga Information Group Inc., Cambridge, Mass. Something as simple as a greasy finger could throw off a fingerprint-recognition device, and a stuffed-up nose could lock out a user from a system secured by voice recognition, he said.

An industry group called The BioAPI Consortium, formed in 1997, aims to promote the market by developing a specification for a standard API. The interface would be compatible with a wide range of biometric applications and technologies and is due this quarter, according to the group's Web site.

"Biometrics only makes sense today in situations where there is a critical need to identify very precisely who is initiating a transaction," Bartels said.

A situation where the technology might work in its current state would be a commercial bank where multimillion-dollar deals are executed online and where a closed-loop solution works because there is a defined set of users, Bartels said.

Financial services promise the greatest potential for biometrics, said Kimberly Harris, an analyst at Gartner Group Inc., Stamford, Conn. But the adoption rate has been slow due to high cost and consumer resistance to having the devices at ATMs. But many are testing biometrics internally.

"Within the next five years, biometrics use in the financial industry will increase and will be primarily for employee applications and limited consumer applications," Harris said.

The cost of biometric devices has dropped over the years, though it varies by technology type, IBG's Nanavati said. Fingerprint scanners are available for less than $100, but a face-recognition system can cost $2,000 per unit.

Biometric systems require some installation and configuration support, giving VARs a service opportunity, and IT departments may choose to outsource administration of the system, he said.

"Almost anybody in the POS industry sees that it's going to have a significant impact in the near future," he said. "It's creeping into everybody's life."

In the Internet age, there is "tremendous opportunity" to improve on security, and biometrics is an avenue to do that, Goodfellow said.

Five Facts For VARs re: Biometrics

1. Biometric devices include fingerprint scanners, voice verification, hand geometry and iris scanners.

2. The market totaled $260 million last year and is expected to grow 30 percent to 40 percent each year, according to International Biometric Group.

3. Market potential is greatest in the financial industry, but the technology is not yet widely used.

4. Devices are coming down in price, but some biometric technologies still command high prices.

5. Biometrics requires installation and support, offering service opportunities to VARs.

(Courtesy of CMP Media Inc.)

August 2000

As of July 2000, the certification service is still not popular. Only around 3,000 applications received (said by the Officer from the Hongkong Post Office) since Jan 31, 2000. There are 30,000 internet users doing internet on-line shopping in the past 6 months as reported by the recent survey of Internet shopping activities in Hong Kong on July 2000. While considering the percentage of using this certificate in Internet shopping on-line, the number of certificate applications are very small. That is less than 10% users have a digital certificate for  secured internet transaction! This is very hard to let citizen with higher confidence to do on-line shopping.

The Government IT policy parties should aware of this and must promote the importance of using digital certificate in secured e-commerce activities.