Biometric Security Products: Secugen EyeD Hamster and EyeD OptiMouse
My hamster doesn't have a creaky wheel
- By Roberta Bragg
My hamster doesn't have a creaky wheel to run on. Instead, he uses
optical components to scan my proffered finger and provide input to prove
my identity to server-side software. Fingerprint scanning for authentication
bears little resemblance to the fingerprint matching done to identify
criminals. Instead of performing visual comparisons of the unique topography
of your digital extremities, the scanner maps a large number of data points
at distinctive markings and the distances between them. This information
is compared to previously stored sets recorded in the Active Directory
during your registration.
Unlike keystroke analysis or voice recognition, fingerprint-scanning
biometrics depends on hardware to collect the data. An assortment of mice,
keyboards, and other things you placed your fingers on or in are available.
SecuGen provided me with two: an optical mouse with a scanning window
where most thumbs are placed during mouse control, and a "hamster," a
black device roughly the size of two Zippo lighters that fits comfortably
in the palm of my hand. You can change your grip to place any of your
logon pods (otherwise known as fingertips) over the hamster's scanning
window. Once authenticated, you return it to your desktop until it's needed
again. Protocom SecureLogin V2 Windows 2000 domain authentication software
accompanied the mouse.
EyeD Hamster, $119 EyeD OptiMouse, $139
(408) 942-3400 www.secugen.com
Installation, Configuration and Registration
Installation can be a little more difficult here. It's made more
so by the existence of a single executable on the installation CD-ROM
and a requirement for manual modification of the Active Directory Schema.
Much against my better judgment, but with no other choice, I started installation
before reading any documentation. Happily, I was then given the choice
to just install documentation. Documentation is copious, but a shortened
list of steps provided a simpler path through it.
Step one requires modification of the AD schema. While the instructions
were excellent, this approach leaves much room for user error. A misstep
here could leave one with hours of troubleshooting only to find that the
new user attribute was incorrectly entered or never added to the user
object. I know I'm whining here; real nerds insist on doing their own
schema changes, shun Group and Local policies in favor of scripting their
own registry modifications and never ever use a GUI when a command prompt
will do. Still, I can't be the only one who feels I've paid these kind
of dues in the past. Just let the install program do something I can easily
mess up, ok?
Next, the instructions include modifications at the BIOS level to support
parallel port usage by earlier devices. Since my new little buddies had
USB connectors at the other ends of their tails, I skipped this part.
Instead, I installed the software. Like most biometrics, you can't use
them until users register, and you can't register until you install the
hardware. SecuGen avoids the possible nightmare (install the hardware
and you may find yourself unable to logon because you haven't registered)
by allowing unregistered users to continue using their normal login procedures.
Hardware installation merely requires connecting the creature to the
system. Windows 2000 notices the hardware change and loads the driver.
Finally, I was ready to register my fingers. SecureLogin provides a registration
utility. To run it you must be a member of the SecureLogin Administrators
group, a group created when the product is installed. Select a user account,
click the radio button corresponding to the digit to be registered, have
the user place that finger on the device, and click the register button.
An image of the fingerprint appears on the screen (see figure). If the
image is acceptable, you're allowed to continue registering other fingers.
Incidentally, SecuGen advises you to have users register several fingers.
There's no guarantee that a finger roughened by gardening or other physical
work on the weekend will be a useful authentication tool come Monday morning.
Figure: Feeding fingerprints to SecureLogin.
Once registered, the user can present any registered finger to start the
authentication process; if the print is accepted, the first authentication
also requires password entry. You can remove the password requirement.
Mouse or Hamster?
Unlike keystroke analysis, fingerprint scanning biometrics allows
you to choose the auxiliary device to use for entry. The EyeD OptiMouse
looks almost exactly like any other mouse you may have. However, along
the left side of its ergonomic blue and white body is a window into its
soul, er, a plastic window on which to place a registered finger. It's
conveniently placed right where your thumb normally rests. Obviously,
if you have to use another finger, it's a little more awkward. Well, a
lot more awkward but can be done. Remember, this is only necessary for
authentication—you don't need to be able to continually point, click,
and present usable body parts at the same time. Incidentally, this thumb
position placement is perfectly aligned to solve one of the issues common
to most readers; when a fingerprint scanner is first used, it's difficult
to get the finger lined up to get a good print.
The EyeD Hamster sits upright on your desktop. Its slanted top provides
the plastic window. However, after some awkward but successful uses of
it in this position, I found it much easier to use when I cradled the
device in the palm of my hand. Smokers from pre-BIC lighter times can
empathize here: I discovered this convenience when I realized I was absentmindedly
playing with the hamster as if it was a worry stone, or favorite lighter.
Once I noticed that, it only took a few minutes to find comfortable, natural
ways to make the window accessible to any digit. I think it may just become
my favorite, biometrics and soul soothing in one small package—who
would have figured?
My SecuGen contact made sure he was available to answer any questions
and actually provided an answer to a question I hadn't asked yet. (Are
these guys psychic or what?) The big selling point of biometrics is that
it can replace or strengthen the typical user ID and password combination
by insisting on an authentication process which requires the presentation
of some biological evidence—perhaps a fingerprint, voice, retina
or iris scan, or keystroke pattern. Any implementation of biometrics, therefore,
can have a fatal weakness. If a user can somehow go around the biometric
and use only a user ID and password, then adding the biometric layer
is useless. Can a user, for example, log on from a client machine that
does not have the software loaded and forego biometric authentication?
Can she use biometrics to log on to one account, but then use RunAs to
log on to another, sans biometrics? Before I had a chance to test it, SecuGen
provided the answer: Yes, well maybe, and here's what to do.
In normal operation, a workstation that does not have the client software
loaded will not allow a user to enter their normal user ID and password.
In normal operation, an authenticated user can use RunAs to run applications
as another user without the need for biometric authentication. That is,
if the user knows a valid account name and password, he can use that information
and the RunAs service to run applications. He will not be required to
present any biometric information (fingerprints) and there is no way to
force this to be required.
However, a simple adjustment can be made to close this hole and require
biometric authentication in order to successfully log on. A simple registry
key modification allows the product to change the user password to a unique
value each time the user logs on. This means that no registered user can
ever again log on using a password, because they don't know what the password
is. They cannot move to a workstation which does not have the client loaded.
While nothing prevents anyone from using the RunAs service, they will
be unsuccessful for the same reason: They do not know the password. While
a password-cracking program could potentially be used to obtain the password
offline, if the user is a frequent user of the system, the cracked password
is most likely useless, as it has already changed.
Remember, however, that there is nothing that will automatically require
all users to be registered. An unregistered user can still use a password.
Some of you may consider this a boon, as there are processes that require
the use of a password, so some administrative accounts may need to remain
unregistered. Others may see this as where all biometric products break
down—the biocontainment/user registration issue. Indeed, if any
account is not registered, and I know that password, I can use it to log on.
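The two gaps just described, accounts that were never registered and registered accounts whose password is not actually being rotated at each logon, can be audited from Active Directory. The following is an added example, not code from SecuGen, Protocom or this review; it assumes the RSAT ActiveDirectory module and uses a placeholder name for the schema attribute that SecureLogin adds to the user object, which you must replace with the attribute from your own schema extension.

```powershell
# Added audit example (not SecuGen's, Protocom's or the article's code).
# Assumes: RSAT ActiveDirectory module; $BiometricAttr is a PLACEHOLDER for the
# user attribute SecureLogin adds during the schema change described above.
Import-Module ActiveDirectory

$BiometricAttr = 'placeholderFingerprintTemplate'   # PLACEHOLDER: use your real attribute

function Get-BiometricAuditReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Enabled accounts only; disabled ones cannot log on either way.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties $BiometricAttr, pwdLastSet, lastLogonTimestamp

    foreach ($u in $users) {
        # An account with no template stored was never registered and can
        # still log on with a password, the gap the review points out.
        $registered = $null -ne $u.$BiometricAttr

        $pwdSet  = if ($u.pwdLastSet)         { [DateTime]::FromFileTime($u.pwdLastSet) }         else { $null }
        $lastLog = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }

        # With password rotation at logon enabled, pwdLastSet should never fall
        # far behind the last logon. lastLogonTimestamp replicates lazily (it can
        # lag up to 14 days), so only flag a clear gap beyond that window.
        $rotationStale = $registered -and $pwdSet -and $lastLog -and
                         (($lastLog - $pwdSet).TotalDays -gt 14)

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Registered      = $registered
            PasswordLastSet = $pwdSet
            LastLogon       = $lastLog
            Finding         = if (-not $registered)  { 'Unregistered: password logon still works' }
                              elseif ($rotationStale) { 'Registered but password not rotating at logon' }
                              else                    { 'OK' }
        }
    }
}

# Report only the accounts that need attention.
Get-BiometricAuditReport | Where-Object Finding -ne 'OK' |
    Sort-Object Registered, SamAccountName | Format-Table -AutoSize
```

Accounts listed as unregistered are the ones the review warns about: a known password alone still logs them on, so each should be either registered or consciously accepted as a password-only service or administrative account.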
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.