Guarding the Data Gates With Biometrics
- By Patrick Marshall
- Jan 31, 1998
"Secrecy is the first essential in affairs of the state," wrote Cardinal de Richelieu in 1641. While the American practice of open government challenges the breadth with which Richelieu applied his dictum, every department manager knows there are circumstances in which sensitive data must be kept confidential.
The first step in controlling data is to control who has access to it. You can bury it underground, store it in a vault or send it to Mars, but sooner or later, if the data is to be of any use at all, the right people must be able to access it, and then it becomes important to ensure that the wrong people cannot.
For the most part, computer technologies have not helped keep a lid on things. Now, instead of breaking into safes and locked rooms, the bad guys can sit at keyboards, anonymously searching for users' passwords, prying into files and even planting viruses. And with the explosion of remote access, posting guards at the entrance to a building is not much of a deterrent.
Fortunately, there is a flock of emerging "biometric" products that can help you make sure people are who they claim to be. There are two major types: those that measure behaviors, such as handwriting and voice characteristics, and those that measure one aspect or another of an individual's physiology. Among the physiological biometric tools are fingerprint readers, retinal and iris scanners, thermal scanners and face-recognition systems.
Many of these technologies have been in use for years in high-security government and industrial installations, but new versions have become easier to implement. What's more, falling prices have made such technologies appropriate for a broader set of uses.
Each technology has its positives and negatives. Retinal and iris scanners, for example, are generally considered to be more accurate than the other technologies, but they also are more expensive and more intrusive, and some users have voiced concerns that the repeated eye exposure to the bright lights employed by scanners might cause eye damage.
Relatively inexpensive and nonintrusive technologies such as face-recognition and thermal scanners show promise for the future but don't yet have the combination of price point and accuracy that many users require.
For now, the strongest candidate for low-cost access control is the tried-and-true fingerprint, which has been a mainstay of law-enforcement sleuthing and record keeping for decades. The accuracy of fingerprint identification is well-established, and recent technological advances have made such systems easier to deploy and use. Thanks to new, small scanner units, fingerprints can be captured digitally without the fuss and muss of inks. And because the scanned fingerprint is already in digital format, comparing it with other fingerprints is a lot faster than it used to be.
Indeed, throughout the country, police departments that have adopted electronic fingerprint ID systems report that ID times have dropped from an average of six weeks to a range of several minutes to a few hours. And that's for identifying unknown fingerprints found at crime scenes, which means searching an entire database for a match. In access-control situations, where the scanned fingerprint is compared only against the stored images of pre-approved users, the response time is usually just a second or two.
Of course, tracking down criminals and protecting data are not the only potential uses for biometric ID systems. California, Illinois, New York and Texas, for example, are among the states leading the way in implementing fingerprint ID systems to prevent welfare fraud. And some hospitals are looking at using fingerprints to track patients. Picture this scenario: A patient is wheeled unconscious into the emergency room; a nurse places the patient's finger on a scanner and two seconds later the patient's entire medical history is available.
It's worth noting that all the devices we tested come with software that suits them for other purposes, as well as kits to help software developers build new applications around the devices. For our initial look at biometrics, however, we decided to focus on relatively low-cost methods of controlling access to computer workstations.
The units all work in basically the same way. Each includes a small, single-digit scanner that takes an image of the fingerprint, analyzes the image to extract its distinguishing features and stores that profile, or template, in a database for comparison when the user later attempts to log onto the computer. The template deserves the same protection as a password database, with one difference worth remembering: a compromised password can be changed, but a finger cannot be reissued. In our testing, the units all demonstrated comparable accuracy, although some let the administrator choose how close a match is required for access; a stricter setting rejects more impostors and also more legitimate users whose finger is placed slightly differently.
The units offered a range of options, from serial port connections to parallel port connections, as well as differing types of protection. One unit, for example, protected access to Microsoft Corp.'s Windows NT domains, while another protected access only to local workstations. It is a sign of a not yet mature field that no current product protects computer access all the way from initial bootup through local log-on to network log-on. However, if you're considering implementing fingerprint security for workstations, you'll want to take a close look at the products we tested.
BioMouse Desktop Fingerprint Scanner
American Biometric Co.
Installation & configuration: ****
Ease of management: ****
Protecting workstations: *****
Protecting network access: **
If you're looking for a low-cost, easy-to-install and flexible fingerprint unit to protect individual workstations, you can't beat American Biometric Co.'s BioMouse.
The unit is called the BioMouse because it looks rather like a mouse. Apart from its cute appearance, however, the BioMouse is all business. The unit comes with software for controlling access to Windows 3.x, Windows 95 and Windows NT workstations. It allows you to register all 10 fingers of each user and to control the stringency of the match required for access. Uniquely, the BioMouse also lets you register multiple images for each finger. If you do so, the software considers the whole set of stored images for that finger when trying to make a match at log-in. In our testing this made log-ins easier for the user without a noticeable loss of accuracy, though each extra stored image is one more print an impostor might happen to match, so the setting is a trade-off rather than a free gain. We also liked the fact that you can have the BioMouse require a fingerprint to clear the computer's screen saver.
The BioMouse plugs into the workstation's parallel port and provides a pass-through, so you still can have your printer or other parallel device attached. There are no frame grabbers or cards to install. As a result, we found the BioMouse to be easier to install and configure than any of the other units.
Indeed, the only thing that tripped us up for a short time was the fact that we couldn't find the fingerprint-enrollment utility. The Enroll utility pops up automatically the first time you boot Windows 3.1 or Windows 95 after installing the BioMouse, but this is not the case with Windows NT. What's more, there is no icon on the Start Menu, and the manual doesn't tell Windows NT users where to find the Enroll utility. We finally found it in the American Biometric directory by using Windows Explorer.
The BioMouse is the one product we tested that comes close to protecting both local and network access. Its fingerprint database is stored locally, and once access to the workstation is granted, the software goes on to log the user onto the NT network. Because the domain itself never checks a fingerprint, this arrangement has two drawbacks. Users must be enrolled separately on each workstation from which they might access the network, and if any workstation on the network is left without a BioMouse, anyone sitting at it with a valid user name and password can log onto the network as usual.
Best of all, the BioMouse has a list price of only $299.
NRIdentity Personal Identification Scanner
National Registry Inc.
Installation & configuration: **
Ease of management: ****
Protecting workstations: N/A
Protecting network access: ****
National Registry Inc. has long experience in high-end fingerprint ID systems. Now the company has moved strongly into providing low-cost access-control systems as well.
NRIdentity Personal Identification Scanner is the one system we tested that controls access to Windows NT network domains. Users are free to log onto the local workstation, so if your sensitive data is stored locally, NRI's solution is not the ideal one. But if you want to control network access, NRI's system is one of the few options available.
The administrator enrolls users through the Windows NT User Manager, adding captured fingerprints to a Microsoft Corp. SQL Server database on the server. We liked the fact that the system provides a real-time display of the fingerprint image on screen, which helps the user line up the finger properly and so reduces the number of mismatches.
There is room for improvement in the NRI system, however. One minor drawback is the amount of hardware it adds to an already cluttered desktop: not only a scanner but a frame grabber as well. On the plus side, you can choose between a slim, stand-alone scanner unit, the Secure Desktop Scanner, and a keyboard with a built-in scanner, the Secure Keyboard Scanner.
Also, we found the system to be a little tricky to install, in part because you're required to perform separate installation procedures for the frame grabber and for client/server software. What's more, while the installation routine warns that certain drivers must be present for installation, it does not actually check whether they are present.
More significantly, there is no feature requiring a valid fingerprint to clear a screen saver on the workstation. And the NRI unit will not work on systems that use Novell Inc.'s IntranetWare Client for Windows NT. Nor does the NRI system support account lockout after consecutive log-on failures, so nothing limits how many times a print can be presented against a given account.
However, if the NRI system fits your security requirements, you'll find it a very affordable option. The Secure Desktop Scanner, combined with a Secure Frame Grabber, has a single-unit price of $390, and the Secure Keyboard Scanner, also combined with the frame grabber, costs $420.
Puppy Secure Logon System
I/O Software Inc.
Installation & configuration: ****
Ease of management: ***
Protecting workstations: *****
Protecting network access: N/A
The Puppy Secure Logon System will warm the hearts of system administrators who put a premium on low overhead and ease of use. The first thing you'll notice is that there's hardly any hardware. No frame grabbers or add-in cards. Just the Sony Fingerprint Identification Unit, which plugs into a serial port and an AC adapter.
Also, there are no drivers to install and no problems with configuring interrupt requests or memory addresses.
The Puppy allows administrators to specify whether users will log on with a password, a fingerprint or both. If the administrator has set you up to log in with only a fingerprint, when the Windows NT log-on screen comes up you simply put your finger on the Puppy and, assuming you are who you are supposed to be, the log-on completes. You also can configure a workstation to require an approved fingerprint to clear a screen saver.
Unlike the other units, the Puppy has its own processor and memory and does all its fingerprint matching inside the device rather than on the attached computer, so the enrolled templates never have to sit on the workstation's disk. The unit's 4MB of flash memory holds up to 1,000 fingerprints for matching, and verification takes less than a second. The Puppy also is unusual in that it lets the administrator specify any of five levels of match stringency. We had no problems logging on at the normal level of 2, but when we boosted the match level to the top, finger placement had to be virtually identical to the registered image. That is the usual trade-off: a tighter threshold makes it harder for an impostor's print to pass, and also harder for the legitimate user's.
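The enroll-template-match sequence described for all the units, the BioMouse's use of several stored images per finger, the NRI system's missing account lockout and the Puppy's five stringency levels all come down to one mechanism: a similarity score compared against a threshold. The following is an added example, not code from any product or vendor on this page. It uses a toy minutiae matcher with invented tolerances and thresholds, hand-constructed fingerprint data and a hypothetical Verifier class to show how tightening the threshold trades false acceptances for false rejections, how extra enrolled templates cut false rejections but also widen the impostor's target, and what lockout after repeated failures adds.

```python
"""Toy fingerprint verifier: adjustable stringency, several templates per
finger, lockout after repeated failures. Added illustration, not product code;
tolerances, thresholds and minutiae are all made up for the demo."""
from dataclasses import dataclass, field
from math import hypot

# Two minutiae are "the same" when within POS_TOL units and ANGLE_TOL degrees
# of ridge direction. Assumed values for this toy, not any vendor's settings.
POS_TOL = 6.0
ANGLE_TOL = 15.0
# Stringency level -> fraction of enrolled minutiae that must be found in the
# presented print. Five levels echo the Puppy's 1..5 scale; values invented.
THRESHOLDS = {1: 0.40, 2: 0.55, 3: 0.70, 4: 0.85, 5: 0.95}


def angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(template, sample):
    """Fraction of template minutiae with a counterpart in the sample. Each
    sample minutia is consumed once, so duplicate points cannot inflate it."""
    unused = list(sample)
    hits = 0
    for tx, ty, ta in template:
        for i, (sx, sy, sa) in enumerate(unused):
            if hypot(tx - sx, ty - sy) <= POS_TOL and angle_diff(ta, sa) <= ANGLE_TOL:
                hits += 1
                del unused[i]
                break
    return hits / len(template)


def aggregate_score(templates, sample):
    """BioMouse-style aggregate: best score over every template enrolled for
    the finger. Fewer false rejects, but each extra template is one more
    chance for an impostor's print to clear the threshold."""
    return max(match_score(t, sample) for t in templates)


@dataclass
class Verifier:
    level: int = 2
    max_failures: int = 3
    enrolled: dict = field(default_factory=dict)  # user -> list of templates
    failures: dict = field(default_factory=dict)  # user -> consecutive misses
    locked: set = field(default_factory=set)

    def enroll(self, user, template):
        self.enrolled.setdefault(user, []).append(list(template))

    def verify(self, user, sample):
        """Return (accepted, reason). A locked account refuses even a perfect
        print until an administrator calls unlock()."""
        if user in self.locked:
            return False, "account locked"
        score = aggregate_score(self.enrolled[user], sample)
        if score >= THRESHOLDS[self.level]:
            self.failures[user] = 0
            return True, f"score {score:.2f} meets level {self.level}"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return False, f"locked after {self.max_failures} failures"
        return False, f"score {score:.2f} below level {self.level}"

    def unlock(self, user):
        self.locked.discard(user)
        self.failures[user] = 0


def shifted(template, dx, dy, da=0.0):
    """Simulate the same finger placed slightly differently on the platen."""
    return [(x + dx, y + dy, (a + da) % 360) for x, y, a in template]


# --- Constructed minutiae (hand-made coordinates, not scanner output) ---
FINGER_A = [(10, 10, 0), (30, 12, 45), (50, 20, 90), (20, 40, 135),
            (45, 45, 180), (60, 35, 225), (15, 60, 270), (40, 65, 315)]
GOOD = shifted(FINGER_A, 3, -2, 5)   # good placement: all 8 minutiae found
# Finger placed high: 5 minutiae land, 3 spurious points appear instead.
# Scores 5/8 = 0.625: passes level 2, fails level 3 and up.
PARTIAL = shifted(FINGER_A[:5], 2, 2) + [(80, 80, 10), (85, 70, 200), (90, 90, 100)]
# Second enrollment of the same finger, captured 9 units down-right, and a
# later presentation that matches it but shares nothing with FINGER_A.
FINGER_A_ALT = shifted(FINGER_A, 9, 9)
ALT_PLACEMENT = shifted(FINGER_A_ALT, 1, 1)
# Impostor: different finger, built so 2 minutiae coincide with FINGER_A
# (0.25, rejected at every level) and 4 with FINGER_A_ALT (0.5, passes level 1).
IMPOSTOR = [(11, 9, 5), (31, 11, 40), (55, 55, 185), (50, 74, 320),
            (68, 45, 230), (25, 68, 265), (80, 5, 100), (5, 85, 20)]

if __name__ == "__main__":
    for level in THRESHOLDS:
        v = Verifier(level=level)
        v.enroll("alice", FINGER_A)
        v.enroll("alice", FINGER_A_ALT)
        print(level, "partial:", v.verify("alice", PARTIAL)[0],
              "impostor:", v.verify("alice", IMPOSTOR)[0])
```

Running the script prints one line per stringency level. At level 1 the poorly placed genuine print and the impostor both pass, at level 2 only the genuine print passes, and from level 3 up both are refused; the administrator's job is to pick the level where the operational cost of rejected users and the risk of an accepted impostor balance for the data being protected. The lockout in Verifier is what the NRI system lacks: without it, a rejected attempt costs the attacker nothing but a second.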
The only notable limitation of the Puppy is that it does nothing to control network access. I/O Software Inc., the distributor of the Puppy system in the United States, said that a version supporting Windows NT domain log-ons should be available about the end of the first quarter. In the meantime, only log-ons to the local workstation can be controlled.
At $650 per unit, the Puppy is not exactly cheap, but the system is very easy to install and use. At this point, only the unit's price and its inability to accommodate network log-ons keep it from being our standout choice of the bunch.
Two New Products
Two fingerprint ID units, one from a longtime player in the market and the other from a new entrant, didn't make it into our comparison because they do not yet have shipping software for controlling access to computers.
Identix Inc. has long provided quality biometric tools for higher-end, industrial-strength applications. Its TouchLock units, which are about the size of a large external modem, are used widely to control access to sensitive rooms or other resources. And Identix's TouchLan II product, which employs TouchLock units, is a powerful and flexible system for managing fingerprint access to enterprise networks. The system is really geared for large installations, however, because it requires Oracle Corp.'s Oracle 7.3.3 or Oracle 8 as well as the Oracle Advanced Networking Option to serve as the repository for fingerprint records and to manage interactions with the network.
We had a look at Identix's TouchSafe running an alpha version of a Microsoft Corp. Windows NT log-on program. The system worked well, with the TouchSafe unit producing clear scans of fingerprints and the software being fast and accurate at matching the current prints to previously enrolled prints. And the software makes it easy to enroll any or all of a user's 10 digits.
The system adds a fingerprint requirement to the Windows NT password log-on, making it a two-factor check: something the user knows plus something the user is. Once you've entered your user name and password, the Biometric Log-on System retrieves the appropriate fingerprint template from the user database and prompts you to place your finger on the scanner for verification. The administrator can adjust the stringency of the matching requirement.
The hardware/software combination we examined does have some notable limitations. First, the TouchSafe unit occupies a fair piece of desktop real estate, measuring 5.25 by 3.39 by 2.77 inches. Also, it requires an add-in card to be installed in each workstation. Finally, the first version of the Biometric Log-on System will support only local workstation log-ons. A version for logging onto Windows NT domains will follow.
The new UareU fingerprint scanner from Digital Persona is easily the most attractive and ergonomically designed unit to have on your desktop. The unit's gentle curve comfortably fits a hand; the cord can be turned to extend in either direction so you can align the unit to suit your tastes, and the matte finish looks classy.
The UareU also is distinguished by the fact that it's the only system we've seen that is designed for the new Universal Serial Bus. Not only does this allow for faster data transfer, it means you won't have the added clutter of an AC power adapter to deal with. Just plug the UareU into the USB port and, from a hardware point of view, that's all there is to it.
No software was available for our examination other than a demo file. But Digital Persona said it is going to deliver a log-in program for Windows 95/98 that also will apply to screen savers. The company is also shipping a software developer's kit.