Fingerprint readers enhance notebook security
Ethentica, Identix bring biometrics to the laptop
During the past two years, biometric technology, which confirms a person's identity by scanning a physical characteristic such as a fingerprint, has become increasingly popular among government agencies. The technology, which can be used to permit access to a network or a building, has become an increasingly reliable, convenient and cost-effective means of security. Now a new generation of low-cost yet accurate fingerprint readers is available for notebook computer users.
We tested two of these readers: Ethenticator MS 3000 from Ethentica Inc. and BioTouch from Identix Inc. Both are compact PC Cards that fit into any standard PCMCIA Type II or III slot on a notebook. The actual mechanism that reads fingerprints is tucked away inside the card. After you insert the card, all you need to do is press lightly on the outside part of it to bring out the fingerprint reader.
Both Ethenticator and BioTouch can help systems administrators solve the problem of forgotten, expired or stolen passwords that can compromise security and increase overall network administration costs. Fingerprint log-ons provide a reliable means of user identification and can take the place of all other system passwords, including screen-saver passwords, both local and networked.
For even greater security, you can configure Ethenticator and BioTouch to use fingerprint verification along with password verification. In fact, the Identix laptop unit we tested added a third level of security with the smart card reader it contained in its other PCMCIA slot. You could, for example, require a staff member to insert his or her smart card in addition to providing a registered fingerprint and a password.
Systems administrators can employ additional security features with the software that installs with Ethenticator and BioTouch. Although this software is not reviewed here, Ethentica's SecureSession and the Identix Security Pack (containing BioSafe and BioShield applications) enable administrators to, for example, set up files and directories to be read only by certain users, who must authenticate with a password and/or fingerprint to be allowed to view their files or directories. These features would be especially useful for those who share a notebook but still wish to retain the confidentiality of their own files.
Ethenticator MS 3000
We tested the Ethenticator MS 3000 on a WinBook Corp. notebook with 32M of RAM running Microsoft Corp. Windows 95. Currently, Ethenticator only supports the Windows 95 and 98 operating systems. The Ethenticator ran smoothly during our testing, and fingerprint enrollment and identification generally occurred quickly.
Ethenticator uses TactileSense, Ethentica's proprietary light-emitting polymer fingerprint verification technology, to gather a fingerprint image. TactileSense generates an image of the fingerprint patterns and identifies their unique characteristics, then transforms the ridges, loops and whorls of the fingerprint into an optical image pattern. This pattern is captured as an image by a sensor and then is transformed into digital code.
SecureSuite is the brains behind Ethenticator's brawn. Administrators use the SecureSuite User Manager to set up accounts for those who will use the Ethenticator-enabled computer. It's easy to set up user accounts and passwords, control user access levels to the system, and enroll and catalog fingerprints. And you can assign any of four levels of access privileges to users: guest, minimum, full and administrator.
A handy Fingerprint Enrollment Wizard helps guide you through enrollment the first time a user is added to the system. The enrollment process is easy to understand, even for the most technically inept user. This is important if a system administrator elects to have users enroll themselves during an Ethenticator deployment. In fact, a big plus of the Ethenticator is that administrators do not have to be present to enroll each user.
We were, however, a bit alarmed when we found that a user granted full privileges could modify the log-in methods necessary to authenticate him or her to the computer. Even if the administrator set up the user so that a password and fingerprint verification were required to log in, a user with full privileges can log in and remove the fingerprint requirement with only a few clicks. That security hole may not appeal to department IT managers.
On the plus side, Ethenticator nearly always read fingerprints in one second or less, the only exception being when the wrong finger was deliberately used to attempt to gain access. In this case, as many as nine seconds passed before we were informed that the fingerprint failed.
Unfortunately, the sensitivity of Ethenticator's fingerprint capture area is not adjustable. Ethenticator requires fingers to be placed on the scanner in almost the identical position in which they were originally read to pass verification tests, and there is no option for administrators to loosen the standard.
We tested the Identix BioTouch on a Dell Computer Corp. Latitude notebook with 128M of RAM running Windows 2000. Conveniently, BioTouch supports many operating systems, including Windows 95, 98, Millennium Edition, 2000 and NT. BioLogon, the software that comes with the BioTouch card, is integrated with security and log-on features native to Windows 2000. This means that passwords and biometric information are controlled from a central location.
BioTouch uses an optical scanner, which means light is refracted through a prism to capture the image of a fingerprint placed on the lens. The image is then converted into a mathematical template of the fingerprint's minutiae points, which are the points at which fingerprint ridges split or end. This data is then encrypted and used as an identifying template, and the image of the fingerprint is discarded.
Like Ethenticator, the BioTouch software allows administrators to set up units so that users can enroll their own fingerprints when they first log on to the BioTouch-enabled computer.
Unlike Ethenticator, however, BioTouch allows administrators to customize the sensitivity level of the fingerprint reader. This came in especially handy when we were frustrated with BioTouch for not obtaining a successful read of fingerprints during user enrollment. We discovered that the reader sensitivity had been set inordinately high. When it was lowered slightly with a few clicks, the enrollment frustrations vanished.
Also, we were impressed by the fact that BioTouch easily read the same finger when it was placed at different angles on the reader.
The only notable drawback to BioTouch is that it's a tad slow in authenticating fingerprints. Although read times were generally under two seconds, they were consistently slower than those of Ethenticator.
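The minutiae templates and adjustable reader sensitivity described above can be illustrated with a toy matcher that shows why a strict setting rejects a slightly shifted genuine finger while an overly loose one accepts a different finger. This is an added example, not Identix or Ethentica code; the template format, the `dist_tol`, `angle_tol` and `threshold` parameters, and all sample points are constructed assumptions.

```python
import math

# Constructed templates: each minutia is (x, y, ridge_angle_degrees).
ENROLLED = [(10, 12, 30), (25, 40, 110), (42, 18, 200), (55, 60, 75),
            (70, 35, 310), (33, 72, 150), (62, 80, 20), (18, 55, 260)]
IMPOSTOR = [(14, 30, 90), (48, 50, 10), (30, 20, 300), (66, 15, 180),
            (75, 70, 240), (20, 80, 45), (50, 85, 120), (5, 45, 330)]

def shift(template, dx, dy, dtheta=0):
    """Simulate the same finger placed slightly differently on the sensor."""
    return [(x + dx, y + dy, (a + dtheta) % 360) for x, y, a in template]

def angle_diff(a, b):
    """Smallest difference between two angles, in degrees (0..180)."""
    d = abs(a - b) % 360
    return min(d, 360 - d)

def match_score(template, probe, dist_tol, angle_tol):
    """Fraction of template minutiae paired one-to-one with a probe minutia."""
    unused = list(probe)
    paired = 0
    for tx, ty, ta in template:
        best = None
        for p in unused:
            d = math.hypot(p[0] - tx, p[1] - ty)
            if d <= dist_tol and angle_diff(p[2], ta) <= angle_tol:
                if best is None or d < best[0]:
                    best = (d, p)
        if best:
            unused.remove(best[1])  # each probe minutia may be used only once
            paired += 1
    return paired / max(len(template), len(probe))

def verify(template, probe, dist_tol, angle_tol=15, threshold=0.75):
    """Accept when enough minutiae line up within the configured tolerances."""
    return match_score(template, probe, dist_tol, angle_tol) >= threshold

if __name__ == "__main__":
    genuine = shift(ENROLLED, 3, 2, 5)  # same finger, slightly off position
    print("strict, genuine :", verify(ENROLLED, genuine, dist_tol=2))
    print("relaxed, genuine:", verify(ENROLLED, genuine, dist_tol=5))
    print("relaxed, other  :", verify(ENROLLED, IMPOSTOR, dist_tol=5))
    print("too loose, other:", verify(ENROLLED, IMPOSTOR, dist_tol=25, angle_tol=180))
```

The last case is the cost of loosening the setting too far: false rejections of enrolled users fall, but false acceptances of other fingers rise.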
Ed Gray is a freelance writer based in Washington, D.C.