SAFLink: Perfect for Windows
- By Michelle Speir
- Nov 02, 2003
SAFLink invented the technology that allows policy-based biometric authentication to replace passwords in a network environment, and the company's product was one of the first of its kind on the market. In fact, the company was awarded a patent for the technology in September.
SAFsolution Enterprise Edition targets midsize to large organizations using Microsoft Corp.'s Windows 2000 servers and Windows 2000, NT 4.0 or XP Professional clients. It is also certified for health care installations based on the Health Insurance Portability and Accountability Act (HIPAA), which is a national standard for electronic health care transactions.
The heart of the software is its seamless integration with Active Directory, a key component of the Windows 2000 architecture. Active Directory acts as a central authority for network security, allowing organizations to centrally manage and share
SAFsolution adds to Active Directory instead of creating a separate database for biometric data storage, integrating with the Microsoft Management Console by adding tabs and objects to the existing interface. Administrators continue to use the same interface but with added biometric functionality.
Specifically, SAFsolution adds two attributes to each Microsoft user object that store the encrypted biometric template information. Additionally, SAFsolution policy objects are added beneath the Microsoft group policy objects.
SAFsolution bridges the gap between the Windows log-in process and the biometric authentication process carried out by a device's accompanying software module.
When a user logs in to Windows with a user ID, the SAFLink software communicates with the biometric device's software and activates it so that the user is prompted for a biometric. The biometric information is then processed through the device's software module. When the user is authenticated, SAFsolution translates this information back to Windows and access is granted.
Passwords don't have to completely disappear, however. Both SAFsolution and Trusted Space contain options for allowing a password for a backup log-in method in case a biometric device fails or a physical injury occurs.
SAFsolution is compatible with any BioAPI-compliant device, and different combinations of devices can be used on different workstations within the same installation. For example, laboratory users who wear gloves would not be able to use fingerprint authentication, so those workstations could be set up with iris scanners instead.
SAFsolution contains several patent-pending features, including a self-paced tutorial to help users become familiar with the biometric enrollment and log-in process. User authority delegation allows several authorized users
to share a common identity for auditing and administrative
Another feature called disconnected log-in allows mobile users to log in with their previously enrolled biometric even if they are not connected to a network. Users can continue to log in as they're used to without having to use or remember a password, and the mobile device is protected locally with the biometric.
For log-in convenience, SAFLink's Fast Logon feature replaces the Windows log-in dialog box with a biometric verification dialog. With this feature, users do not have to enter a user ID or domain name; they can simply present the biometric. The only requirement for this feature to work is that the user must have previously logged into that computer with a biometric.
Administrators of large deployments will especially appreciate the self-enroll feature, which allows users to complete the biometric enrollment process
with no administrative assistance. Without this feature, an administrator would have to individually enroll each user.
SAFLink integrates its auditing and reporting with Microsoft's Event Viewer. An integrated audit console logs biometric events, including the time and date, whether the attempted log-in was successful or failed, and the name of the user. Reports can be created using this information.
In addition, SAFsolution complies with standard Event Viewer harvesting tools that notify administrators of certain auditing events, such as a user's enrollment status.
For biometric screen saver capability, SAFsolution integrates with the Windows XP Pro/2000/NT screen saver. When users enable the password protection feature, SAFsolution replaces the password with biometric authentication. Password-only users who are not registered with a biometric can use their passwords to unlock the screen saver.
If a user logs into a workstation with a biometric and then manually locks it, the biometric must be presented again to unlock it.
Although single sign-on capability is not integrated into SAFsolution, the software fully integrates with leading single sign-on solutions. When single sign-on is enabled, users need to present only one biometric or password to log in to multiple applications that require separate passwords.
Trusted Space: Layered security
Back to Intro