In-Depth

Halt: Who Goes There?

Biometric devices offer more security than standalone passwords. Here are three products that go beyond the basics for authentication and verification.

Passwords are so passé. Their effectiveness as a security standard continues to decline. People write them down on sticky notes and stick them to the side of their monitors or use simple, easy-to-crack passwords. Even with longer, complex passwords, tools like Rainbow Crack can quickly generate a clear-text version of any hashed password.

It's no wonder people are looking for better, more secure alternatives. Smart cards are popular and fairly economical, but they're still limited by the fact that the cards themselves can be stolen or lost. Just holding a card doesn't truly identify someone as its intended owner.

Only biometric authentication—an identification scheme based on examining unique biological factors like fingerprints—promises to offer true individualized proof of your identity. For this roundup, we've put three biometric scanning and authentication devices under the microscope to see how the technology performs and what it has to offer businesses needing to lock down corporate systems.

It's important to have an understanding of what these and most other biometric solutions can provide. Few biometric solutions today offer Active Directory integration, which means you're essentially limited to using them at the desktop. While some of the devices' software provides biometric-enabled AD authentication, they do so by remembering your domain password and using biometrics to unlock that password and pass it through to the domain. In other words, you're still authenticating to AD via password; you just don't have to have it memorized.

Ideally, your biometric profile—fingerprint scan, iris data or whatever—would be stored in AD and the biometric software would pass this information to AD for authentication, instead of just remembering your password. That level of integration will take more work from both Microsoft and the biometric device manufacturers. Some biometric vendors (including those described later in this article) have developed software to integrate their biometric solutions with AD. They typically use a proprietary server to store biometric information and integrate with AD to complete the authentication process.

In the meantime, why bother with biometrics? I've already mentioned the Rainbow Crack tool, which bad guys can use to get their hands on a clear-text version of a password. This tool works by generating a database of all possible character combinations and their associated hashes. Then it simply looks up a hash in the database to discover the text version of that password. It's time-consuming to pre-compute, although you can purchase entire, multi-gigabyte databases that will cover passwords of up to eight characters.

The key to defeating tools like Rainbow Crack is to have impossibly long passwords—passphrases, in fact—that are so long it would be computationally impractical to generate a large enough hash database. Microsoft recommends using passphrases as a way to more effectively secure your network.
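To make the precomputation argument above concrete, here is an added toy illustration (not Rainbow Crack, and not code from the article): a complete hash-to-plaintext table over a deliberately tiny alphabet, a lookup against it, and the keyspace arithmetic that shows why a passphrase pushes the table size out of reach. It also goes one step beyond the text by showing that a per-user salt (the standard directory-side countermeasure) defeats the same table even for a short password. The alphabet, lengths, salt and sample passwords are constructed for the example.

```python
"""Constructed illustration of a precomputed hash lookup table and why
password length (and salting) defeat it.  Not Rainbow Crack itself: a real
rainbow table compresses the same mapping with hash chains, but the attack
logic is identical -- build once, look up every captured hash."""
import hashlib
import itertools
import string

# Tiny alphabet and length so the full table builds in well under a second.
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
MAX_LEN = 3


def md5_hex(text: str) -> str:
    """Unsalted MD5, standing in for any fast unsalted password hash."""
    return hashlib.md5(text.encode()).hexdigest()


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate strings of length 1..max_len, i.e. the number of
    entries a complete precomputed table must hold."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def build_table(alphabet: str, max_len: int) -> dict:
    """Precompute hash -> plaintext for every string up to max_len."""
    table = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            plaintext = "".join(combo)
            table[md5_hex(plaintext)] = plaintext
    return table


TABLE = build_table(ALPHABET, MAX_LEN)


def lookup(table: dict, captured_hash: str):
    """The whole 'crack': one dictionary lookup.  Returns None when the
    plaintext lies outside the space the table was built for."""
    return table.get(captured_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt: the table would have to be rebuilt per salt value,
    which removes the 'precompute once, reuse everywhere' economy."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def growth_factor(alphabet_size: int, short_len: int, long_len: int) -> float:
    """How many times larger the table becomes when the maximum length
    grows from short_len to long_len (e.g. an 8-character password vs. a
    20-character passphrase)."""
    return keyspace(alphabet_size, long_len) / keyspace(alphabet_size, short_len)


if __name__ == "__main__":
    print("entries in toy table:", len(TABLE))
    print("short password 'ab1' ->", lookup(TABLE, md5_hex("ab1")))
    print("passphrase ->", lookup(TABLE, md5_hex("correct horse battery")))
    print("salted 'ab1' ->", lookup(TABLE, salted_hash("ab1", b"constructed-salt")))
    print("95-symbol table, 8 -> 20 chars grows by", f"{growth_factor(95, 8, 20):.3g}x")
```

The growth factor for a printable-ASCII alphabet going from eight characters to a twenty-character passphrase is on the order of 10^23, which is the "computationally impractical" part of the argument in numbers; the salted lookup failing for a three-character password is the part the article does not mention but a directory administrator should know.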

Here's a reality check, though—users hate long passwords. Many users think something like "Fluffy" with a capital F is a long password. That's where biometrics can help out. By remembering passwords, they help users create and actually use complex passwords without having to remember them, or worse yet, resorting to writing them down.

Better still, users can create different passwords that apply to different applications and Web sites. That means the accidental disclosure of one Web site password won't compromise your entire network. Naturally, convincing your users to do this will be difficult, but providing them with a cool biometric authentication toy will go a long way toward winning their enthusiasm and cooperation.

Microsoft Optical Desktop with Fingerprint Reader
There's no cooler toy than a well-designed keyboard with a built-in fingerprint scanner. While Microsoft also offers standalone fingerprint readers, its new fingerprint keyboard is a wonderful convenience.

It's bundled with DigitalPersona software, which was custom-built for this hardware. DigitalPersona acts as a fingerprint-secured password vault. When prompted for a password, you simply lay your finger on the keyboard's fingerprint scanner and once the software verifies your identity, it passes along your login credentials.

The software works with Windows XP's local logon, as well as many other applications and Web sites (although it only functions with Internet Explorer and not popular alternatives like Mozilla and Firefox). Installing the software is easy. A number of stickers on the keyboard itself warn you to install the keyboard's driver software prior to actually plugging in the USB keyboard. I ran into one problem when the keyboard was plugged into a powered USB hub. The fingerprint scanner's red light blinked and refused to scan my fingers. Plugging directly into a motherboard-mounted USB port solved the problem, leading me to suspect the quality of the USB hub I'm using.

Using the software is easy. You start by touching the fingerprint scanner, and training it to recognize one or more of your fingers. Because the scanner is on the left side of the keyboard, you'll probably want to have it memorize a couple of fingers on your left hand, but you can pick whichever fingers you like.

Once you've "trained" the software, you touch the scanner again whenever you come to a Web site or application that requires authentication. DigitalPersona will prompt you for your credentials, and from then on, it will insert them whenever required. To unlock and apply your credentials, you just touch the fingerprint scanner.

I was impressed by how easily and accurately the fingerprint reader worked. It recognized my fingerprint on the first try almost every time. It easily rejected my other fingers, as well as other people's fingers.

However, my major complaint about DigitalPersona is its lack of support for non-IE browsers. I don't use IE as my regular browser, which renders the fingerprint scanner useless for Web sites that require authentication.

There's a curious and confusing message in the "readme" file that comes with the keyboard: "The biometric (fingerprint reader) feature in this device is not a security feature and is intended to be used for convenience only. It should not be used to access corporate networks or protect sensitive data, such as financial information. Instead, you should protect your sensitive data with another method, such as a strong password that you either memorize or store in a physically secure place." What the heck?

Basically, Microsoft is acknowledging that the DigitalPersona software stores your passwords, but not in a fashion that's guaranteed to be unbreakable. After all, it has to store clear-text passwords so the software can insert them into logon prompts for you. The very presence of these passwords—no matter how well-encrypted—is a potential security liability.

This is actually fairly common among many biometric solutions, although only Microsoft was this forthcoming about those limitations. For the record, the DigitalPersona Pro software (available separately) functions more securely, because it centrally stores biometric authentication and integrates with AD.
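The limitation described here, and the pass-through scheme described earlier in the article (biometrics unlock a stored domain password and hand it to AD), both come down to one structural fact: a vault that must reproduce the clear-text password has to keep it recoverable, and the key that recovers it lives on the same machine. The following added model (constructed for this article, not DigitalPersona, Active Directory or any vendor's code) contrasts such a vault with a verifier-only store that can confirm a password but never return it. The "fingerprint template" is a hypothetical byte string, and the stream cipher is a toy built from an HMAC keystream purely to keep the example dependency-free.

```python
"""Constructed model of two password-storage designs: a biometric-unlocked
pass-through vault (recoverable secret, key on the same machine) versus a
verifier-only store (one-way hash, nothing to recover).  Illustration only;
not the code of any product named in the article."""
import hashlib
import hmac
import secrets
from typing import Optional


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    A real vault would use an authenticated cipher such as AES-GCM; the
    point here is only that decryption needs nothing but the local key."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PassThroughVault:
    """Holds the domain password encrypted at rest.  The vault key must also
    be on the machine, because the software has to emit the clear-text
    password into the logon prompt after a fingerprint match."""

    def __init__(self, password: str, enrolled_template: bytes):
        self._key = secrets.token_bytes(32)        # stored locally alongside the blob
        self._template = enrolled_template         # hypothetical fingerprint template
        self._blob = keystream_xor(self._key, password.encode())

    def unlock(self, presented_template: bytes) -> Optional[str]:
        """Biometric match (modelled as template equality) releases the password."""
        if hmac.compare_digest(self._template, presented_template):
            return keystream_xor(self._key, self._blob).decode()
        return None

    def recover_from_local_artifacts(self) -> str:
        """The liability the article describes: whoever can read the key and
        blob from disk (local malware, an administrator, a forensic image)
        gets the password without any biometric at all."""
        return keystream_xor(self._key, self._blob).decode()


class VerifierStore:
    """What a directory keeps when it does not need the password back: a
    salted, iterated one-way hash.  There is no method that returns the
    password, so there is nothing on disk worth unlocking."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, candidate: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self._salt, 100_000)
        return hmac.compare_digest(digest, self._digest)


def demo() -> dict:
    """Walk through enrolment, a good match, a wrong finger, the local
    bypass, and the directory accepting the released password."""
    template = b"constructed-fingerprint-template"
    vault = PassThroughVault("Correct Horse Battery", template)
    directory = VerifierStore("Correct Horse Battery")
    released = vault.unlock(template)
    return {
        "released": released,
        "wrong_finger": vault.unlock(b"someone-else-entirely"),
        "bypass": vault.recover_from_local_artifacts(),
        "directory_accepts": directory.verify(released) if released else False,
        "directory_rejects_guess": not directory.verify("Fluffy"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The asymmetry is the whole point: `VerifierStore` offers `verify` but no `unlock`, so compromising that host yields only hashes to attack offline, whereas compromising the vault host yields the password itself. That is why the article's preferred end state is a server that stores the biometric template and performs the match, rather than a local vault that replays a password.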

Panasonic BMT-100US Authenticam
Visions of Edna Mole from "The Incredibles"—and her method of peering into a security camera to enter a secure area of her superhero costume design lab—floated through my head as I installed the Panasonic Authenticam. The unit is physically similar to a Web cam in that it's designed to sit atop your monitor or on your desk. In fact, the camera can do double-duty as a videoconferencing camera.

The Authenticam is not a retina scanner (sorry, "Star Trek" and James Bond fans). Instead, it uses snazzy software and firmware to locate your eyes and memorize your iris patterns (the colored portion of your eye) in much the same way that a fingerprint scanner scans your fingers.

The guts of the camera's iris recognition capabilities come from Iridian Technologies, which also provides a variety of SDKs and APIs that work with the camera. You can actually sit up to 20 inches away from the camera lens and still be recognized, unlike retinal scanners that need to shoot a laser right into your eyeball to scan the back wall (the retina). To train the camera to recognize your iris, you stare at a light to get your eyeball in the right position. Once you're in position, you're set.

I had no problem training the camera to recognize my iris. One farsighted colleague, however, needed a couple of tries to get it right because he couldn't focus on the light. A second colleague tried to watch the screen and focus on the camera at the same time, which didn't work so well. When you're training the camera, focus on the light.

The Private ID software (also from Iridian) controls the camera. SecureSuite, another bundled application, performs many of the same functions as the DigitalPersona software that comes with the Microsoft keyboard—storing passwords for Web sites and other applications.

SecureSuite was easy to install and configure. I was up and running with no hitches. The software lets you specify allowable logon methods for each account on your machine. For example, you could disable passwords entirely in favor of iris scanning. I wouldn't recommend doing that, however, because you won't be able to use certain utilities that don't integrate with the camera. The Authenticam also works with Iridian's KnoWho server, which provides server-based authentication for corporate environments.

The Authenticam seemed hard to deceive. It properly rejected every eye other than my own. I couldn't even get it to accept a properly sized photo of my eye, which I thought would be a sure-fire way to fool the system.

As cool as it is, I'm not sure I see a lot of companies investing in iris-recognition (besides government agencies and superhero costume designers). Fingerprint scanners are cheaper and more convenient, especially when they're built into a keyboard. A fingerprint scanner also seems easier for users to accept.

Silex COMBO-Mini
The Silex COMBO-Mini fingerprint scanner is slightly larger than a USB flash media drive. It comes bundled with the SX-Biometrics Suite, which remembers passwords and inserts credentials for you. The Silex unit has a sliding plastic cover that protects the actual fingerprint scanner. The scanner itself felt more fragile than the Microsoft keyboard, although it never gave me any trouble.

One unique aspect of the Silex unit is that it features a User Identity Module (UIM), a tiny smart card similar to the Subscriber Identity Module (SIM) used in GSM cell phones. The UIM stores your actual fingerprint data. The theory is that you can pull the UIM out and move it from device to device, but it's a bit tricky to get the UIM out of the scanner. You'd be more likely to just take the whole unit with you. Silex must have anticipated people doing this, as it even has a little hole for a key ring.

The Silex unit and software worked about as well as the Microsoft keyboard. However, the Silex unit is indeed more secure, because you can remove the UIM or carry the whole unit with you.

The software that comes with the Microsoft keyboard stores passwords on your computer, which means it's more difficult to carry them around and protect them. The fact that the Silex unit lets you physically separate your passwords from your computer is a big plus.

Authentication Complete
Each of these biometric solutions was accurate, relatively easy to install and easy to use. In fact, I was genuinely surprised by their accuracy. While none of the products tested ship with robust, centralized AD integration, some of the manufacturers offer additional products that fill the void.

The combination of Microsoft's keyboard and the DigitalPersona software was my favorite solution, simply because it's such a well-integrated device that makes logical use of a piece of hardware that's already on everyone's desktop. Coupled with DigitalPersona Pro for AD integration, I can easily see every desktop in an organization equipped with a Microsoft fingerprint-scanning keyboard.

Naturally, it's less suitable for use with laptops, but laptops always present their own unique security challenges. In fact, some laptop manufacturers (most notably IBM) are building fingerprint readers right into the laptop itself.

The Silex COMBO-Mini has the advantage of being easily portable, so you can bring your "library" of passwords with you by simply removing the UIM or the entire unit. This adds both a degree of security for your passwords, and an element of risk should you ever lose the unit.

While it worked well, I would anticipate particular support challenges with the Authenticam system. I can just imagine the help desk calls from people using an iris camera for the first time: "Are you sure the camera is pointed at your face? No, your face. The camera. The one on your computer. Look behind your desk. Maybe it fell off the monitor."

Even if an organization only implements a biometric device for local use, its value as a password vault—letting users store a variety of complex passphrases rather than a single, simple password—is significant in this era of increased security awareness.

More Information

Find out more about these products and related technologies with these links:

  • To read more about using passphrase authentication, go here.
  • To read more about the Panasonic Authenticam (first reviewed in Redmond April 2002 by Roberta Bragg), go here.
  • To read more about DigitalPersona and its DigitalPersona Pro server application that integrates with AD, go here.
  • To read more about the Silex Combo and Silex's other fingerprint scanners, go here.

Reader Comments:

Thu, Jun 30, 2005 Keith Anonymous

Yeah I agree that securid cards are the way to go except one looming thing; users tend to forget them at home then need to call the help desk for a temporary card - real convenient and real secure especially when other users just leave the card in their unlocked desk! As for passphrases; Christopher, what's your domain and I will tell you your Administrator password in less than a week. Passphrases only slow down the rate at which passwords are revealed but they definitely don't stop it where securid and biometrics do. Biometrics may not be the best technology around but since it provides the same method as securid cards and the benefit that you won't forget it at home or lose it (unless you meet up with Lee) I believe it is the best method for second authentication around.

Thu, Jun 30, 2005 A Lee

Spot on, Christopher.

Thu, Jun 30, 2005 A Lee

Wow. Never realized I was a criminal. Thanks for pointing that out to me. I don't believe I mentioned anything about being afraid of new technology. And I don't believe I said anything about not securing equipment or data. The sky is not falling either. It is actually kind of sunny out. However, Biometrics does put the RISK in the WRONG place. Not only that, but the ONLY advantage Biometrics offers is convenience to the user. That is it. There is no other advantage to Biometrics. None. Biometrics comes down to 1's and 0's, just like a securid card. It just happens that your body becomes the card. Again, if security is convenient, it is most likely not good security. There is NOTHING you can do with Biometrics which you cannot do with a securid card. You seem to gloss right over that notion. For an individual Biometrics is not good. But I will grant you, in the presence of real security (building security), Biometrics is a convenient and handy second form of authorization. Most thieves inside buildings sit in executive offices (Enron, etc.) where chopping off fingers would be a little too blatant. However, I guess all those folks who get mugged in Central Park or on the subways are not included in your 99.9% of all thefts. I am pretty sure those folks knew they were being robbed. Did you get your percentage from Police Chief Wiggum? Blockbuster movie, bah. Talk to the Malaysian Mercedes owner who gave up his finger along with his car. That is real. But wait, the thieves must have gotten the correct finger, because they didn't need his whole hand. Wow, a hand. That is like having FIVE securid cards in ONE convenient package. I'm sure a thief would never figure that out. And most thieves who would take a finger are compassionate enough to stop there if they happened to cut off the wrong one (I know this, I am a criminal, remember?) But I guess a Mercedes is worth a finger or hand now and then. Continue to follow blindly. There are never two sides to any story.
Buy, buy, buy. Technology for the sake of technology is always RIGHT. Just ask Dr. Oppenheimer.

Thu, Jun 30, 2005 Christopher Bell Manchester, UK

Keith, spoken like a true salesman. Thinking about this for a minute gives me this: anyone who is too stupid or too lazy to memorize a simple pass-phrase will not be working for me. Biometrics is an unnecessary, expensive replacement for intellect.

Wed, Jun 29, 2005 Keith Anonymous

Spoken like a true criminal; let's make everyone afraid of new technology so they won't use it. Now let's think about this for a minute; if I use my finger for authentication which finger do you suppose they will cut off - surely not all of them. Secondly ALL (99.9%) of thefts are done without the owner's knowledge so now you are going to say someone is going to walk right up to you so you can identify them then take your laptop and all of your fingers for good measure - wow sounds like a blockbuster movie to me! Get real and watch out 'THE SKY IS FALLING!!!'

Wed, Jun 29, 2005 A Lee

Biometrics is the absolute worst security measure ever conceived. Biometrics endangers everyone's limbs. If thieves get the idea that a device they are stealing requires biometrics to crack it, then they will want the key. Your thumb has now become a target for theft as well. Even if the device they are stealing does not have biometrics, hey, better safe than sorry, right? Chop - off goes your (insert easily removed digit or other body part here).

I would much rather say, "Here is my laptop, Mr. Thief, and securid card too. Thank you for not carving me up."

Anybody who equates security with convenience is fooling themselves. The whole point of security is defeated with that line of thinking. It is a terrible disservice the IT industry and communities are doing to the personal safety of the individual. But hey, nobody has any other hot products to catch the consumer's eye, so let's just blindly push garbage in a shiny, cool package. Personal safety has nothing to do with security anyway, right?
