In-Depth
Halt: Who Goes There?
Biometric devices offer more security
than standalone passwords. Here are three products that go beyond
the basics for authentication and verification.
Passwords are so
passé. Their effectiveness as a security standard
continues to decline. People write them down on sticky notes and
stick them to the side of their monitors or use simple, easy-to-crack
passwords. Even with longer, complex passwords, tools like Rainbow
Crack can quickly generate a clear-text version of any hashed password.
It's no wonder people are looking for better, more secure alternatives.
Smart cards are popular and fairly economical, but they're still
limited by the fact that the cards themselves can be stolen or
lost. Just holding a card doesn't truly identify someone as its
intended owner.
Only biometric authentication—an identification scheme based
on examining unique biological factors like fingerprints—promises
to offer true individualized proof of your identity. For this roundup,
we've put three biometric scanning and authentication devices under
the microscope to see how the technology performs and what it has
to offer businesses needing to lock down corporate systems.
It's important to have an understanding of what these and most
other biometric solutions can provide. Few biometric solutions
today offer Active Directory integration, which means you're essentially
limited to using them at the desktop. While some of the devices' software
provides biometric-enabled AD authentication, they do so by remembering
your domain password and using biometrics to unlock that password
and pass it through to the domain. In other words, you're still
authenticating to AD via password; you just don't have to have
it memorized.
Ideally, your biometric profile—fingerprint scan, iris data or
whatever—would be stored in AD and the biometric software would
pass this information to AD for authentication, instead of just
remembering your password. That level of integration will take
more work from both Microsoft and the biometric device manufacturers.
Some biometric vendors (including those described later in this
article) have developed software to integrate their biometric solutions
with AD. They typically use a proprietary server to store biometric
information and integrate with AD to complete the authentication
process.
In the meantime, why bother with biometrics? I've already mentioned
the Rainbow Crack tool, which bad guys can use to get their hands
on a clear-text version of a password. This tool works by generating
a database of all possible character combinations and their associated
hashes. Then it simply looks up a hash in the database to discover
the text version of that password. It's time-consuming to pre-compute,
although you can purchase entire, multi-gigabyte databases that
will cover passwords of up to eight characters.
The key to defeating tools like Rainbow Crack is to have impossibly
long passwords—passphrases, in fact—that are so long it would be
computationally impractical to generate a large enough hash database.
Microsoft recommends using passphrases as a way to more effectively
secure your network.
Here's a reality check, though—users hate long passwords. Many
users think something like "Fluffy" with a capital F is a long
password. That's where biometrics can help out. By remembering
passwords, they help users create and actually use complex passwords
without having to remember them, or worse yet, resorting to writing
them down.
Better still, users can create different passwords that apply
to different applications and Web sites. That means the accidental
disclosure of one Web site password won't compromise your entire
network. Naturally, convincing your users to do this will be difficult,
but providing them with a cool biometric authentication toy will
go a long way toward winning their enthusiasm and cooperation.
Microsoft Optical Desktop with Fingerprint Reader
There's no cooler
toy than a well-designed keyboard with a built-in fingerprint
scanner. While Microsoft also offers standalone fingerprint
readers, its new fingerprint keyboard is a wonderful convenience.
It's bundled with DigitalPersona software, which was custom-built
for this hardware. DigitalPersona acts as a fingerprint-secured
password vault. When prompted for a password, you simply lay your
finger on the keyboard's fingerprint scanner and once the software
verifies your identity, it passes along your login credentials.
The software works with Windows XP's local logon, as well as many
other applications and Web sites (although it only functions with
Internet Explorer and not popular alternatives like Mozilla and
Firefox). Installing the software is easy. A number of stickers
on the keyboard itself warn you to install the keyboard's driver
software prior to actually plugging in the USB keyboard. I ran
into one problem when the keyboard was plugged into a powered USB
hub. The fingerprint scanner's red light blinked and refused to
scan my fingers. Plugging directly into a motherboard-mounted USB
port solved the problem, leading me to suspect the quality of the
USB hub I'm using.
[Image: Microsoft Optical Desktop with Fingerprint Reader]
Using the software is easy. You start by touching the fingerprint
scanner, and training it to recognize one or more of your fingers.
Because the scanner is on the left side of the keyboard, you'll
probably want to have it memorize a couple of fingers on your left
hand, but you can pick whichever fingers you like.
Once you've "trained" the software, you touch the scanner again
whenever you come to a Web site or application that requires authentication.
DigitalPersona will prompt you for your credentials, and from then
on, it will insert them whenever required. To unlock and apply
your credentials, you just touch the fingerprint scanner.
I was impressed by how easily and accurately the fingerprint reader
worked. It recognized my fingerprint on the first try almost every
time. It easily rejected my other fingers, as well as other people's
fingers.
However, my major complaint about DigitalPersona is its lack of
support for non-IE browsers. I don't use IE as my regular browser,
which renders the fingerprint scanner useless for Web sites that
require authentication.
There's a curious and confusing message in the "readme" file that
comes with the keyboard: "The biometric (fingerprint reader) feature
in this device is not a security feature and is intended to be
used for convenience only. It should not be used to access corporate
networks or protect sensitive data, such as financial information.
Instead, you should protect your sensitive data with another method,
such as a strong password that you either memorize or store in
a physically secure place." What the heck?
Basically, Microsoft is acknowledging that the DigitalPersona
software stores your passwords, but not in a fashion that's guaranteed
to be unbreakable. After all, it has to store clear-text passwords
so the software can insert them into logon prompts for you. The
very presence of these passwords—no matter how well-encrypted—is
a potential security liability.
This is actually fairly common among many biometric solutions,
although only Microsoft was this forthcoming about those limitations.
For the record, the DigitalPersona Pro software (available separately)
functions more securely, because it centrally stores biometric
authentication and integrates with AD.
Panasonic BMT-100US Authenticam
Visions of Edna Mode from "The Incredibles"—and her method of
peering into a security camera to enter a secure area of her superhero
costume design lab—floated through my head as I installed the Panasonic
Authenticam. The unit is physically similar to a Web cam in that
it's designed to sit atop your monitor or on your desk. In fact,
the camera can do double-duty as a videoconferencing camera.
[Image: Panasonic BMT-100US Authenticam]
The Authenticam is not a retina scanner (sorry, "Star Trek" and
James Bond fans). Instead, it uses snazzy software and firmware
to locate your eyes and memorize your iris patterns (the colored
portion of your eye) in much the same way that a fingerprint scanner
scans your fingers.
The guts of the camera's iris recognition capabilities come from
Iridian Technologies, which also provides a variety of SDKs and
APIs that work with the camera. You can actually sit up to 20 inches
away from the camera lens and still be recognized, unlike retinal
scanners that need to shoot a laser right into your eyeball to
scan the back wall (the retina). To train the camera to recognize
your iris, you stare at a light to get your eyeball in the right
position. Once you're in position, you're set.
I had no problem training the camera to recognize my iris. One
farsighted colleague, however, needed a couple of tries to get
it right because he couldn't focus on the light. A second colleague
tried to watch the screen and focus on the camera at the same time,
which didn't work so well. When you're training the camera, focus
on the light.
The Private ID software (also from Iridian) controls the camera.
SecureSuite, another bundled application, performs many of the
same functions as the DigitalPersona software that comes with the
Microsoft keyboard—storing passwords for Web sites and other applications.
SecureSuite was easy to install and configure. I was up and running
with no hitches. The software lets you specify allowable logon
methods for each account on your machine. For example, you could
disable passwords entirely in favor of iris scanning. I wouldn't
recommend doing that, however, because you won't be able to use
certain utilities that don't integrate with the camera. The Authenticam
also works with Iridian's KnoWho server, which provides server-based
authentication for corporate environments.
The Authenticam seemed hard to deceive. It properly rejected every
eye other than my own. I couldn't even get it to accept a properly
sized photo of my eye, which I thought would be a sure-fire way
to fool the system.
As cool as it is, I'm not sure I see a lot of companies investing
in iris-recognition (besides government agencies and superhero
costume designers). Fingerprint scanners are cheaper and more convenient,
especially when they're built into a keyboard. A fingerprint scanner
also seems easier for users to accept.
[Image: Silex COMBO-Mini]
Silex COMBO-Mini
The Silex COMBO-Mini fingerprint scanner is slightly
larger than a USB flash media drive. It comes bundled with
the SX-Biometrics Suite, which remembers passwords and inserts
credentials for you. The Silex unit has a sliding plastic cover
that protects the actual fingerprint scanner. The scanner itself
felt more fragile than the Microsoft keyboard, although it never
gave me any trouble.
One unique aspect of the Silex unit is that it features a User
Identity Module (UIM), a tiny smart card similar to the Subscriber
Identity Module (SIM) used in GSM cell phones. The UIM stores your
actual fingerprint data. The theory is that you can pull the UIM
out and move it from device to device, but it's a bit tricky to
get the UIM out of the scanner. You'd be more likely to just take
the whole unit with you. Silex must have anticipated people doing
this, as it even has a little hole for a key ring.
The Silex unit and software worked about as well as the Microsoft
keyboard. However, the Silex unit is indeed more secure, because
you can remove the UIM or carry the whole unit with you.
The software that comes with the Microsoft keyboard stores passwords
on your computer, which means it's more difficult to carry them
around and protect them. The fact that the Silex unit lets you
physically separate your passwords from your computer is a big
plus.
Authentication Complete
Each of these biometric solutions was accurate,
relatively easy to install and easy to use. In fact, I was genuinely
surprised by their accuracy. While none of the products tested
ship with robust, centralized AD integration, some of the manufacturers
offer additional products that fill the void.
Microsoft's keyboard and the DigitalPersona software were my favorite
solution, simply because it's such a well-integrated device that
makes logical use of a piece of hardware that's already on everyone's
desktop. Coupled with DigitalPersona Pro for AD integration, I
can easily see every desktop in an organization equipped with a
Microsoft fingerprint-scanning keyboard.
Naturally, it's less suitable for use with laptops, but laptops
always present their own unique security challenges. In fact, some
laptop manufacturers (most notably IBM) are building fingerprint
readers right into the laptop itself.
The Silex COMBO-Mini has the advantage of being easily portable,
so you can bring your "library" of passwords with you by simply
removing the UIM or the entire unit. This adds both a degree of
security for your passwords, and an element of risk should you
ever lose the unit.
While it worked well, I would anticipate particular support challenges
with the Authenticam system. I can just imagine the help desk calls
from people using an iris camera for the first time: "Are you sure
the camera is pointed at your face? No, your face. The camera.
The one on your computer. Look behind your desk. Maybe it fell
off the monitor."
Even if an organization only implements a biometric device for
local use, its value as a password vault—letting users store a
variety of complex passphrases rather than a single, simple password—is
significant in this era of increased security awareness.
More Information
Find out more about these products and related technologies
with these links:
- To read more about using passphrase authentication, go here.
- To read more about the Panasonic Authenticam (first reviewed
in Redmond April 2002 by Roberta Bragg), go here.
- To read more about DigitalPersona and its DigitalPersona Pro
server application that integrates with AD, go here.
- To read more about the Silex Combo and Silex's other fingerprint
scanners, go here.