While departments of corrections at the state level deal with the same budget issues that plague the rest of the public sector, a unique use case has risen in importance at America's correctional facilities.
More and more, prisoners are being given access to IT resources so that they can best prepare for entering society and becoming a contributing member of the community. And whether they are looking for a job, applying for a job, or receiving training from a could-based application, it is imperative that the identity of prison inmates can be validated. Said one CIO at a department of corrections, "If you give something to an offender, he will find a way to exploit it to his advantage. Period. They have nothing but time, and they'll find a bad use for whatever it is you have just given them."
Kiosks are popular at correctional facilities throughout America. They allow inmates to send monitored emails, check their commissary account balance, and occasionally take online classes. And as one CTO told me, they were recently a target of a very innovative and industrious group of prisoners. "They figured out that if you entered the commissary application and then pounded on the keyboard with your fist, you could actually send an instant message to another kiosk in the prison. Inmates were communicating with other inmates with whom they were forbidden to communicate. This was a "feature" that even the kiosk the manufacturer didn't know existed."
And now, as offenders are spending more time on PCs in the computer lab than ever before, making sure that they are who they say they are is becoming critical. "We can't have inmate #123 logging on to the PC as inmate #456 and gaining access to resources that are not supposed to be available to him. And we can't make it possible for inmate #789 to steal inmate #246's username and password under the threat of violence. Because this will happen. It's already happening," said a CIO of one of America's largest DOCs.
So what to do? The DOCs are hesitant to give inmates a physical token, like a smart card or an OTP token, because any object might be used as a weapon. And with the unreliability of biometric solutions making "tokenless" authentication difficult, this new issue is one that may require a creative approach.