Vendors lock down PCs
Radio frequency technology, biometrics protect PCs from internal breaches
- By Michelle Speir
- Jun 23, 2003
No matter how well networks and computers are secured with firewalls, encryption tools, biometrics and passwords, an often-overlooked threat still lurks: internal security breaches.
Once a user logs into a network, all of that protection is useless if the user steps away, even for a few minutes. Password-protected screen savers can help, but they typically don't activate until the machine has been idle for several minutes.
Several years ago, Ensure Technologies Inc. introduced the XyLoc security solution, a product designed to lock down PCs the instant a user steps away. The latest version of the product, introduced this year, incorporates fingerprint recognition for even more protection.
In this review, we compare the XyLoc system to a competitor with the same architecture, the Bio Proximity Security System from Access Denied Systems.
Both products combine wireless radio frequency technology with biometrics to create a solution that secures a computer every time it's left unattended.
To accomplish this, users wear a credit card-sized badge that communicates with a wireless transceiver attached to the PC. When the user moves out of the transceiver's range, the software locks the desktop, but programs and processes will continue to run. Upon the user's return, the desktop unlocks when it recognizes the badge and verifies a fingerprint.
Many badges can be used to unlock the same computer, so these products work well at installations such as health care clinics or kiosks where multiple users may need access to the same machine. Likewise, one badge can be configured to unlock many machines.
We were surprised, however, when these two similar products turned out to be quite different in the details.
Ensure Technologies' XyLoc came out on top with robust features that allow high levels of customization, as well as a fingerprint scanner that is simple to use.
We tested the XyLoc Solo, designed for small workgroups and stand-alone PCs. For larger installations, the company offers XyLoc Enterprise, which runs on a centralized, Web-based server that administrators can access through any browser.
Another package, XyLoc Enterprise Application Integration, incorporates single sign-on capability. This means a user's XyLoc credentials will automatically unlock different applications that require separate passwords.
XyLoc is compatible with any fingerprint scanner that contains an AuthenTec Inc. chip. We tested the unit with a PC Card scanner loaded on a notebook. Our receiver used a USB connection, although a serial version is available.
Agencies can fine-tune the authentication settings to fit their security needs because XyLoc offers five settings each for the log-in authentication (logging onto the computer) and the unlock authentication (accessing a secured desktop after a user has walked away and returned). The settings range from requiring only the presence of the badge (Ensure calls it a "key" and receivers are "locks") for hands-free authentication to requiring the key, a fingerprint and selection of the user's name from a list.
For example, you could configure the system to require the key and a fingerprint for log-in, but only the key and user name selection when unlocking the machine upon returning. For all of the nonbiometric authentication methods, you can allow a password to override the system in the event a user loses or forgets a key.
Additionally, you can adjust the key's physical range. Short, medium and long settings are available, and you can further calibrate the distance within each range by using slider buttons on a scale. You can even view a real-time graph showing the key's range over time in order to determine the optimal settings for your environment.
Several advanced options offer even more customization. For example, the system can automatically log off a user after a certain period of inactivity. And to discourage users from removing their keys and leaving them within the lock's range, administrators can set XyLoc to sense whether the key is moving and if not, lock the desktop after a specified amount of time. The system also records a noncompliance message in an audit log.
We were impressed with the fingerprint scanner's accuracy, ease of use and accompanying software applet. The scanner is not "picky" about finger placement or pressure, and we got good reads every single time — even when we were intentionally careless with placement. In addition, the enrollment and verification processes were lightning fast. Users can enroll up to all 10 fingers and subsequently use any one of them to log in.
Bio Proximity Security System
With the Bio Proximity Security System from Access Denied Systems, you'll get the same core functionality as XyLoc but fewer configuration options and a known compatibility issue with Hewlett-Packard Co. Compaq PCs.
This product is currently available only as a stand-alone system and is compatible with two operating systems (XyLoc is compatible with six). The receiver is available only in a serial port version.
Bio Proximity comes bundled with a SecuGen Corp. USB fingerprint scanner. We found this scanner frustrating to use because it often took many tries before it verified our fingerprints. Apparently, it requires very specific finger placement and pressure. The enrollment process was also less streamlined than anything we've seen recently, requiring a mouse click after each finger placement.
Finally, Bio Proximity is the first system we've seen that allows users to enroll only one fingerprint. If the enrolled finger becomes injured, an administrator must log in and help the user enroll another finger.
Access Denied representatives said the product is prone to problems when used with Compaq PCs, which might explain the mysterious behavior of our installation on a Compaq Evo. It sporadically failed to recognize our badge after the computer had locked, and by our deadline, the issue had not been resolved.
Bio Proximity does not offer customizable settings for log-in authentication or unlock authentication. Initial log-in requires the badge, a password and the fingerprint; unlocking requires the badge and fingerprint.
When a Bio Proximity badge goes beyond its range, it takes eight seconds for the computer to lock. By comparison, XyLoc locks the machine instantly. Access Denied's president said this is intentional because the constant polling required for instant locking slows down a PC's processor. When we asked Ensure Technologies officials about this issue, they said they had not experienced this problem with XyLoc. We did not notice any performance difference, although we were not using large, data-intensive programs.
Several other functions correlate with XyLoc's functions but represent different approaches. For example, to encourage user compliance, you can set the Bio Proximity system to randomly ask for fingerprint verification during certain time intervals (XyLoc instead detects a stationary badge). Bio Proximity also has a log file function similar to XyLoc's.
XyLoc is clearly the winner of this round with its robust set of customization options and easy-to-use biometric fingerprint model.