Biometric Security Products: Panasonic Authenticam, Iridian PrivateID and SecureSuite
The eyes have it—affordable iris scanning from Panasonic and Iridian
- By Roberta Bragg
Most biometrics surveys agree: Iris scanning is the most accurate
biometric process. The iris, of course, is the colored circle around the
dark pupil of your eye. Each eye has a unique set of irises. To use iris
scanning a specialized camera is required. In the past that meant iris
scanning was too expensive for most networks and was, it was thought,
more suited to access control than for authentication on the network.
Like most other devices, iris-scanning cameras are no longer just for
high security situations. Still, the cost is twice that of other biometric
devices. A good iris-scanning camera costs about $300, while fingerprint
scanning devices are available for less than $100.
StrikeforceTechnologies Inc., www.strikeforcetech.com,
a Panasonic iris scanning camera dealer and integrator provided the camera
and software for this review. The camera is small (about the size of a
pack of cigarettes) and comes with its own stand. Setting the camera on
top of the monitor and tilting it helps to line it up with your eyes and
obtain the best capture.
Panasonic Authenticam Camera, $199.99
Iridian PrivateID and SecureSuite software
West Orange, New Jersey
(866) 787-4542 www.strikeforcetech.com
Installation and Registration
Unlike some of the other products tested, this one comes with a
small insert that provides all of the information necessary to get up
and running. I was reminded of the instructions I got with my two-line,
fancy-smantz answering machine/telephone combo last week. (Funny, the
iris-scanning camera works, and the phone doesn't, but that may say more
about which technology I have more interest in.) It is however, extraordinarily
easy to lock yourself out of your computer if you're not the kind to follow
instructions. If you install all the software before the camera, the game
The proper process requires that you install the camera between the installation
of the two software products. So first I loaded the Private ID software.
This controls the camera. After I rebooted and plugged in the camera,
I tested its functioning using the provided utilities. This is not a bad
idea; because installing the authentication control software (SecureSuite)
on a system with a malfunctioning camera would be another way to lock
yourself out. To test system operation, you run a utility that tests the
video functions, illumination system, alignment, and that can perform
an iris capture. You can also use these utilities for user practice.
Next, during the install of the SecureSuite software (this configures
authentication) I was prompted to create a user account to administer
the suite. Interestingly I could not pick the built-in Administrator account,
nor could I later make that account a SecureSuite administrator. What's
more, after product installation I couldn't use the built-in administrator
account to login. Fortunately the new account identified as the SecureSuite
administrator was given membership in the local Administrators group.
After logging on as the SecureSuite Administrator, I opened the SecureSuite
user manager. This utility allowed me to add Windows 2000 users and select
an authentication method for them. In my case, only password and iris
were available. If I had also installed a smart card reader, that would
also have been a choice. Each choice must be configured. Password entry
is, well, password entry—you type it and then type it again for confirmation.
A wizard is provided to help the recording of iris information. It turns
on the camera and waits for the user to line up his eye with the lens.
Once this is accomplished, a small orange circle of light just inside
the lens turns green and a sound like a camera click can be heard. The
user does not need to touch the camera. Four good shots are needed in
order to create a template (see figure). Once both methods are complete
you can either require password and iris scanning, one or the other, or
insist on a single method. When only iris scanning is used, the user password
is changed every time the user authenticates. Knowing a password will
not allow access to the system.
|Capturing iris scans to authenticate a user. (Click
image to view larger version.)
My enrollment process was, I understand, typical for a new user. At first
I had trouble lining up my eye with the camera—it won't snap the
picture until you're properly aligned. Next, I managed to get four shots,
but SecureSuite thought they were a little bit borderline and wouldn't
record them. Finally, I managed to obtain a good set. After logging off,
I used the three finger salute and was given the SecureSuite logon window.
Again, it took some false steps to manage logon as well. A short practice
time made my attempts more polished and more successful.
Best Practices and Issues
This product moves iris-scanning into a viable product for many businesses.
However, to enforce policy, and provide better security for the network,
you should either remove the use of a password or ensure that users must
use both iris scanning and a password to access any station. In the former
case you'll lose the use of RunAs, in the later you may find more problems
with user acceptance.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.