Biometric Security Products: BioPassword 4.5
Magic fingers at work
- By Roberta Bragg
Mrs. Johnas, my ninth grade typing teacher, said she could always recognize
her students by looking at the paper they typed or listening to the sounds
they made while working. The strength of each finger produced a different
imprint on the page, and the tympanic rhythm that resulted from the combinations
of their keystrokes was as unique as the faces frowning over the errors
we made. One day we blindfolded her and switched desks, then asked her
to walk up and down and identify us. She got every one right.
Research now confirms what Mrs. Johnas knew all along—how we type
is unique. There's a pattern to the ways we strike the keys, the timing,
strength and force. BioPassword is a biometric product based on these
facts. BioPassword does not replace the simple user ID and password model.
Instead it adds a layer of protection. Once the product is installed,
each user must register by typing her Windows user ID and password a number
of times. This creates a template which can later be compared with one
made when she logs on. If there is a match between the sample made during
logon and the template on file, the user is logged onto the network. If
someone else tries to enter the same information, that template will be
different and a brief error message tells that person that access has
been denied. This means even a sophisticated password-cracking product
is useless. You may know my user ID and my password, but you'll never
type the same way that I do.
BioPassword 4.5 (4.6 is currently in beta)
$100 per seat for 50 seats Technology: Keystroke Dynamics
Net Nanny Software International, Inc.
(425) 688-3008 www.biopassword.com
Installation, Setup and Testing
NetNanny, the producers of BioPassword, provided me with a 10-user
license, brief documentation and a warning to install the server before
the client. Loading the server software on a Windows 2000 domain controller
was quick and easy. Because there's no specialized hardware, there were
no drivers, cables or connection issues. Once installed, a small BioPassword
utility (see figure) is the only visible part of the product. Here you
configure things such as how many times the ID and password must be typed
for registration, and also identify workstations and user accounts.
Loading the client on Windows 2000 professional was also a snap. As I
logged on for the first time from the new client, I had to register by
typing in my user ID and password 15 times. This is the default and recommended
number. You can set the product to accept fewer repetitions, but this
may make the system less accurate. Later, when I changed my password,
the registration process was repeated.
I had hired two guys and a chain saw to clean up the ice storm that produced
wood piles in my yard, so I invited them in for cookies and to register
as users in my domain. Then we took turns trying to logon as each other.
It didn't work. That is, BioPassword, like Mrs. Johnas, could not be fooled.
The limb guys were soon bored and left to do "real" work.
|The set-up utility for BioPassword.
So what happens if I cut off my finger?
Having often broken bones, sliced fingers and otherwise corrupted
potential logon keys, I wondered what would happen to a BioPassword protected
system then. Well, I'll go a long way to bring authenticity to these authentication
tests, but I draw the line at bodily damage. Instead, I twisted my hands
akimbo and for good measure typed using three fingers instead of ten.
Sure enough, like the BioPassword documentation warning says, I could
not get in. However, as the docs note, an administrator could remove my
account registration, thus allowing me to register again. My new typing
style would be recorded as the correct one, and allow me to continue working.
Best Practices, Problems and Things to Think about
Whenever considering any biometric or other change to your authentication
system, you need to keep in mind things beyond ease of use and user acceptance.
First, you need to develop a policy for how the product will be used.
Second, you need to assure yourself that the product's idea of security
and yours mesh. BioPassword can work to protect your network because even
in the case where a user ID and password are compromised, an intruder
still cannot gain entry. He can't reproduce your user's unique typing
style, and BioPassword has mechanisms in place they believe will repel
attempts to play back any recorded exchange between client and server.
But as the implementer of biometric products on your network, you have
a part in this process too. If you do not insist on every user in your
organization using the biometric, then you have left a hole that any attacker
can potentially find and use. If you do not audit and monitor logon activity,
you will never know if someone is attempting to break in, or perhaps has
found a way to compromise the product. No vendor can produce a product
that will never, over time, become the victim of a successful attack.
Caveat: If you do insist on 100-percent compliance with this biometric,
what happens when the administrator gets locked out, or leaves before
his replacement arrives? In most networks more than one administrator
exists, so the other one can allow the first to register again. In the
smaller network, with one administrator it is always advisable to assign
an "emergency" administrative level account to some other employee—not
for general use, but for just such an emergency. Make sure that employee
registers that account as well as a normal user account for BioPassword
authentication. NetNanny tells me that in the future, they may introduce
a challenge and response series of questions that can be used should an
administrator be locked out.
Biocontainment is defined as the process of preventing the spread of disease.
In the NetNanny BioPassword world, it's seen as the process of making
sure that all systems must use the biometric processes, thus protecting
contamination from an "unprotected" system. In testing this product I
came across a couple of inconsistencies that I believed might cause some
problems. I discussed these with the BioPassword folks and received some
First, in the documentation I ran into a discussion of secondary logon
and a potential need to disable the RunAs service. Though it didn't come
out and say that using RunAs would cause a problem, this certainly raised
a red flag. Immediately I logged on as myself and attempted to run Notepad
using one of the "chain saw" accounts and the appropriate password through
the RunAs service. I was successful. Logging off, I tried to log on using
the same account, and could not. Logging on as myself I then used RunAs
to attempt multiple tasks as one or the other of my chain saw buddies.
It worked every time. Whoops. The NetNanny folks didn't shirk my inquiry.
They admitted that it was an issue they are working on but in the meantime
recommend that administrators disable the RunAs service.
Second, I have multiple client machines in my test network. Since I only
loaded the client on one of them, I wanted to see what would happen when
I attempted to logon from one of the other, non-BioPassword protected
systems. Since no client was installed, and therefore the workstation
wouldn't be able to produce a template for comparison with the stored
one, I expected a simple denial of access even when using a legitimate
account. This was not the case. Logging on from an unprotected client
allowed access with just a user ID and password. I could—once I knew
the password—log on to any account. No biocontainment here. NetNanny
was quick to agree, and note that biocontainment will be possible in the
next release (4.6).
This is a great product for a network, if you can survive with
RunAs disabled. It'll be even better when NetNanny resolves this issue.
Biocontainment on the non-client workstation issue will resolve that loophole.
Until then, only strict adherence to a manually implemented policy that
demands client installation on all workstations in the domain will help
you sleep at night.
The availability of a Windows XP client and Windows .NET Server product
are forthcoming. I'm looking forward to using BioPassword to protect remote
assistance access. (I could use it now to protect terminal services access
to my network from anywhere I might be.)
A standalone product is due for release shortly and this should be a
boon for those who wish to provide better security to workgroup desktops,
traveling laptops, and user owned machines that are used for work at home.
It should also receive strong acceptance in this group, as there is no
additional hardware to understand, damage, maintain, misuse or abuse.
In short, be aware of the issues. They can be showstoppers if not managed,
but then, so can widespread access to your network made possible by easy
to determine passwords and no additional protection.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.