Product Reviews

Biometric Security Products: BioPassword 4.5

Magic fingers at work

Mrs. Johnas, my ninth grade typing teacher, said she could always recognize her students by looking at the paper they typed or listening to the sounds they made while working. The strength of each finger produced a different imprint on the page, and the tympanic rhythm that resulted from the combinations of their keystrokes was as unique as the faces frowning over the errors we made. One day we blindfolded her and switched desks, then asked her to walk up and down and identify us. She got every one right.

Research now confirms what Mrs. Johnas knew all along—how we type is unique. There's a pattern to the ways we strike the keys, the timing, strength and force. BioPassword is a biometric product based on these facts. BioPassword does not replace the simple user ID and password model. Instead it adds a layer of protection. Once the product is installed, each user must register by typing her Windows user ID and password a number of times. This creates a template which can later be compared with one made when she logs on. If there is a match between the sample made during logon and the template on file, the user is logged onto the network. If someone else tries to enter the same information, that template will be different and a brief error message tells that person that access has been denied. This means even a sophisticated password-cracking product is useless. You may know my user ID and my password, but you'll never type the same way that I do.

Product Information

BioPassword 4.5 (4.6 is currently in beta)
$100 per seat for 50 seats Technology: Keystroke Dynamics
Net Nanny Software International, Inc.
Bellevue, Washington
(425) 688-3008


Installation, Setup and Testing
NetNanny, the producers of BioPassword, provided me with a 10-user license, brief documentation and a warning to install the server before the client. Loading the server software on a Windows 2000 domain controller was quick and easy. Because there's no specialized hardware, there were no drivers, cables or connection issues. Once installed, a small BioPassword utility (see figure) is the only visible part of the product. Here you configure things such as how many times the ID and password must be typed for registration, and also identify workstations and user accounts.

Loading the client on Windows 2000 professional was also a snap. As I logged on for the first time from the new client, I had to register by typing in my user ID and password 15 times. This is the default and recommended number. You can set the product to accept fewer repetitions, but this may make the system less accurate. Later, when I changed my password, the registration process was repeated.

I had hired two guys and a chain saw to clean up the ice storm that produced wood piles in my yard, so I invited them in for cookies and to register as users in my domain. Then we took turns trying to logon as each other. It didn't work. That is, BioPassword, like Mrs. Johnas, could not be fooled. The limb guys were soon bored and left to do "real" work.

The set-up utility for BioPassword.

So what happens if I cut off my finger?
Having often broken bones, sliced fingers and otherwise corrupted potential logon keys, I wondered what would happen to a BioPassword protected system then. Well, I'll go a long way to bring authenticity to these authentication tests, but I draw the line at bodily damage. Instead, I twisted my hands akimbo and for good measure typed using three fingers instead of ten. Sure enough, like the BioPassword documentation warning says, I could not get in. However, as the docs note, an administrator could remove my account registration, thus allowing me to register again. My new typing style would be recorded as the correct one, and allow me to continue working.

Best Practices, Problems and Things to Think about
Whenever considering any biometric or other change to your authentication system, you need to keep in mind things beyond ease of use and user acceptance. First, you need to develop a policy for how the product will be used. Second, you need to assure yourself that the product's idea of security and yours mesh. BioPassword can work to protect your network because even in the case where a user ID and password are compromised, an intruder still cannot gain entry. He can't reproduce your user's unique typing style, and BioPassword has mechanisms in place they believe will repel attempts to play back any recorded exchange between client and server. But as the implementer of biometric products on your network, you have a part in this process too. If you do not insist on every user in your organization using the biometric, then you have left a hole that any attacker can potentially find and use. If you do not audit and monitor logon activity, you will never know if someone is attempting to break in, or perhaps has found a way to compromise the product. No vendor can produce a product that will never, over time, become the victim of a successful attack.

Caveat: If you do insist on 100-percent compliance with this biometric, what happens when the administrator gets locked out, or leaves before his replacement arrives? In most networks more than one administrator exists, so the other one can allow the first to register again. In the smaller network, with one administrator it is always advisable to assign an "emergency" administrative level account to some other employee—not for general use, but for just such an emergency. Make sure that employee registers that account as well as a normal user account for BioPassword authentication. NetNanny tells me that in the future, they may introduce a challenge and response series of questions that can be used should an administrator be locked out.

Biocontainment is defined as the process of preventing the spread of disease. In the NetNanny BioPassword world, it's seen as the process of making sure that all systems must use the biometric processes, thus protecting contamination from an "unprotected" system. In testing this product I came across a couple of inconsistencies that I believed might cause some problems. I discussed these with the BioPassword folks and received some interesting replies.

First, in the documentation I ran into a discussion of secondary logon and a potential need to disable the RunAs service. Though it didn't come out and say that using RunAs would cause a problem, this certainly raised a red flag. Immediately I logged on as myself and attempted to run Notepad using one of the "chain saw" accounts and the appropriate password through the RunAs service. I was successful. Logging off, I tried to log on using the same account, and could not. Logging on as myself I then used RunAs to attempt multiple tasks as one or the other of my chain saw buddies. It worked every time. Whoops. The NetNanny folks didn't shirk my inquiry. They admitted that it was an issue they are working on but in the meantime recommend that administrators disable the RunAs service.

Second, I have multiple client machines in my test network. Since I only loaded the client on one of them, I wanted to see what would happen when I attempted to logon from one of the other, non-BioPassword protected systems. Since no client was installed, and therefore the workstation wouldn't be able to produce a template for comparison with the stored one, I expected a simple denial of access even when using a legitimate account. This was not the case. Logging on from an unprotected client allowed access with just a user ID and password. I could—once I knew the password—log on to any account. No biocontainment here. NetNanny was quick to agree, and note that biocontainment will be possible in the next release (4.6).

This is a great product for a network, if you can survive with RunAs disabled. It'll be even better when NetNanny resolves this issue. Biocontainment on the non-client workstation issue will resolve that loophole. Until then, only strict adherence to a manually implemented policy that demands client installation on all workstations in the domain will help you sleep at night.

The availability of a Windows XP client and Windows .NET Server product are forthcoming. I'm looking forward to using BioPassword to protect remote assistance access. (I could use it now to protect terminal services access to my network from anywhere I might be.)

A standalone product is due for release shortly and this should be a boon for those who wish to provide better security to workgroup desktops, traveling laptops, and user owned machines that are used for work at home. It should also receive strong acceptance in this group, as there is no additional hardware to understand, damage, maintain, misuse or abuse.

In short, be aware of the issues. They can be showstoppers if not managed, but then, so can widespread access to your network made possible by easy to determine passwords and no additional protection.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.


comments powered by Disqus

Subscribe on YouTube