Halt: Who Goes There?
Biometric devices offer more security
than standalone passwords. Here are three products that go beyond
the basics for authentication and verification.
Passwords are so passé
. Their effectiveness as a security standard
continues to decline. People write them down on sticky notes and
stick them to the side of their monitors or use simple, easy-to-crack
passwords. Even with longer, complex passwords, tools like Rainbow
Crack can quickly generate a clear-text version of any hashed password.
It's no wonder people are looking for better, more secure alternatives.
Smart cards are popular and fairly economical, but they're still
limited by the fact that the cards themselves can be stolen or
lost. Just holding a card doesn't truly identify someone as its
Only biometric authentication—an identification scheme based
on examining unique biological factors like fingerprints—promises
to offer true individualized proof of your identity. For this roundup,
we've put three biometric scanning and authentication devices under
the microscope to see how the technology performs and what it has
to offer businesses needing to lock down corporate systems.
It's important to have an understanding of what these and most
other biometric solutions can provide. Few biometric solutions
today offer Active Directory integration, which means you're essentially
limited to using them at the desktop. While some of the devices' software
provides biometric-enabled AD authentication, they do so by remembering
your domain password and using biometrics to unlock that password
and pass it through to the domain. In other words, you're still
authenticating to AD via password; you just don't have to have
|(Click image to view larger version.)
Ideally, your biometric profile—fingerprint scan, iris data or
whatever—would be stored in AD and the biometric software would
pass this information to AD for authentication, instead of just
remembering your password. That level of integration will take
more work from both Microsoft and the biometric device manufacturers.
Some biometric vendors (including those described later in this
article) have developed software to integrate their biometric solutions
with AD. They typically use a proprietary server to store biometric
information and integrate with AD to complete the authentication
In the meantime, why bother with biometrics? I've already mentioned
the Rainbow Crack tool, which bad guys can use to get their hands
on a clear-text version of a password. This tool works by generating
a database of all possible character combinations and their associated
hashes. Then it simply looks up a hash in the database to discover
the text version of that password. It's time-consuming to pre-compute,
although you can purchase entire, multi-gigabyte databases that
will cover passwords of up to eight characters.
The key to defeating tools like Rainbow Crack is to have impossibly
long passwords—passphrases, in fact—that are so long it would be
computationally impractical to generate a large enough hash database.
Microsoft recommends using passphrases as a way to more effectively
secure your network.
Here's a reality check, though—users hate long passwords. Many
users think something like "Fluffy" with a capital F is a long
password. That's where biometrics can help out. By remembering
passwords, they help users create and actually use complex passwords
without having to remember them, or worse yet, resorting to writing
Better still, users can create different passwords that apply
to different applications and Web sites. That means the accidental
disclosure of one Web site password won't compromise your entire
network. Naturally, convincing your users to do this will be difficult,
but providing them with a cool biometric authentication toy will
go a long way toward winning their enthusiasm and cooperation.
Microsoft Optical Desktop with Fingerprint Reader
There's no cooler
toy than a well-designed keyboard with a built-in fingerprint
scanner. While Microsoft also offers standalone fingerprint
readers, its new fingerprint keyboard is a wonderful convenience.
It's bundled with DigitalPersona software, which was custom-built
for this hardware. DigitalPersona acts as a fingerprint-secured
password vault. When prompted for a password, you simply lay your
finger on the keyboard's fingerprint scanner and once the software
verifies your identity, it passes along your login credentials.
The software works with Windows XP's local logon, as well as many
other applications and Web sites (although it only functions with
Internet Explorer and not popular alternatives like Mozilla and
Firefox). Installing the software is easy. A number of stickers
on the keyboard itself warn you to install the keyboard's driver
software prior to actually plugging in the USB keyboard. I ran
into one problem when the keyboard was plugged into a powered USB
hub. The fingerprint scanner's red light blinked and refused to
scan my fingers. Plugging directly into a motherboard-mounted USB
port solved the problem, leading me to suspect the quality of the
USB hub I'm using.
|Microsoft Optical Desktop
with Fingerprint Reader
Using the software is easy. You start by touching the fingerprint
scanner, and training it to recognize one or more of your fingers.
Because the scanner is on the left side of the keyboard, you'll
probably want to have it memorize a couple of fingers on your left
hand, but you can pick whichever fingers you like.
Once you've "trained" the software, you touch the scanner again
whenever you come to a Web site or application that requires authentication.
DigitalPersona will prompt you for your credentials, and from then
on, it will insert them whenever required. To unlock and apply
your credentials, you just touch the fingerprint scanner.
I was impressed by how easily and accurately the fingerprint reader
worked. It recognized my fingerprint on the first try almost every
time. It easily rejected my other fingers, as well as other people's
However, my major complaint about DigitalPersona is its lack of
support for non-IE browsers. I don't use IE as my regular browser,
which renders the fingerprint scanner useless for Web sites that
There's a curious and confusing message in the "readme" file that
comes with the keyboard: "The biometric (fingerprint reader) feature
in this device is not a security feature and is intended to be
used for convenience only. It should not be used to access corporate
networks or protect sensitive data, such as financial information.
Instead, you should protect your sensitive data with another method,
such as a strong password that you either memorize or store in
a physically secure place." What the heck?
Basically, Microsoft is acknowledging that the DigitalPersona
software stores your passwords, but not in a fashion that's guaranteed
to be unbreakable. After all, it has to store clear-text passwords
so the software can insert them into logon prompts for you. The
very presence of these passwords—no matter how well-encrypted—is
a potential security liability.
This is actually fairly common among many biometric solutions,
although only Microsoft was this forthcoming about those limitations.
For the record, the DigitalPersona Pro software (available separately)
functions more securely, because it centrally stores biometric
authentication and integrates with AD.
Panasonic BMT-100US Authenticam
Visions of Edna Mole from "The Incredibles"—and her method of
peering into a security camera to enter a secure area of her superhero
costume design lab—floated through my head as I installed the Panasonic
Authenticam. The unit is physically similar to a Web cam in that
it's designed to sit atop your monitor or on your desk. In fact,
the camera can do double-duty as a videoconferencing camera.
|Panasonic BMT-100US Authenticam
The Authenticam is not a retina scanner (sorry, "Star Trek" and
James Bond fans). Instead, it uses snazzy software and firmware
to locate your eyes and memorize your iris patterns (the colored
portion of your eye) in much the same way that a fingerprint scanner
scans your fingers.
The guts of the camera's iris recognition capabilities come from
Iridian Technologies, which also provides a variety of SDKs and
APIs that work with the camera. You can actually sit up to 20 inches
away from the camera lens and still be recognized, unlike retinal
scanners that need to shoot a laser right into your eyeball to
scan the back wall (the retina). To train the camera to recognize
your iris, you stare at a light to get your eyeball in the right
position. Once you're in position, you're set.
I had no problem training the camera to recognize my iris. One
farsighted colleague, however, needed a couple of tries to get
it right because he couldn't focus on the light. A second colleague
tried to watch the screen and focus on the camera at the same time,
which didn't work so well. When you're training the camera, focus
on the light.
The Private ID software (also from Iridian) controls the camera.
SecureSuite, another bundled application, performs many of the
same functions as the DigitalPersona software that comes with the
Microsoft keyboard—storing passwords for Web sites and other applications.
SecureSuite was easy to install and configure. I was up and running
with no hitches. The software lets you specify allowable logon
methods for each account on your machine. For example, you could
disable passwords entirely in favor of iris scanning. I wouldn't
recommend doing that, however, because you won't be able to use
certain utilities that don't integrate with the camera. The Authenticam
also works with Iridian's KnoWho server, which provides server-based
authentication for corporate environments.
The Authenticam seemed hard to deceive. It properly rejected every
eye other than my own. I couldn't even get it to accept a properly
sized photo of my eye, which I thought would be a sure-fire way
to fool the system.
As cool as it is, I'm not sure I see a lot of companies investing
in iris-recognition (besides government agencies and superhero
costume designers). Fingerprint scanners are cheaper and more convenient,
especially when they're built into a keyboard. A fingerprint scanner
also seems easier for users to accept.
The Silex COMBO-Mini fingerprint scanner is slightly
larger than a USB flash media drive. It comes bundled with
the SX-Biometrics Suite, which remembers passwords and inserts
credentials for you. The Silex unit has a sliding plastic cover
that protects the actual fingerprint scanner. The scanner itself
felt more fragile than the Microsoft keyboard, although it never
gave me any trouble.
One unique aspect of the Silex unit is that it features a User
Identity Module (UIM), a tiny smart card similar to the Subscriber
Identity Module (SIM) used in GSM cell phones. The UIM stores your
actual fingerprint data. The theory is that you can pull the UIM
out and move it from device to device, but it's a bit tricky to
get the UIM out of the scanner. You'd be more likely to just take
the whole unit with you. Silex must have anticipated people doing
this, as it even has a little hole for a key ring.
The Silex unit and software worked about as well as the Microsoft
keyboard. However, the Silex unit is indeed more secure, because
you can remove the UIM or carry the whole unit with you.
The software that comes with the Microsoft keyboard stores passwords
on your computer, which means it's more difficult to carry them
around and protect them. The fact that the Silex unit lets you
physically separate your passwords from your computer is a big
Each of these biometric solutions was accurate,
relatively easy to install and easy to use. In fact, I was genuinely
surprised by their accuracy. While none of the products tested
ship with robust, centralized AD integration, some of the manufacturers
offer additional products that fill the void.
Microsoft's keyboard and the DigitalPersona software was my favorite
solution, simply because it's such a well-integrated device that
makes logical use of a piece of hardware that's already on everyone's
desktop. Coupled with DigitalPersona Pro for AD integration, I
can easily see every desktop in an organization equipped with a
Microsoft fingerprint-scanning keyboard.
Naturally, it's less suitable for use with laptops, but laptops
always present their own unique security challenges. In fact, some
laptop manufacturers (most notably IBM) are building fingerprint
readers right into the laptop itself.
The Silex COMBO-Mini has the advantage of being easily portable,
so you can bring your "library" of passwords with you by simply
removing the UIM or the entire unit. This adds both a degree of
security for your passwords, and an element of risk should you
ever lose the unit.
While it worked well, I would anticipate particular support challenges
with the Authenticam system. I can just imagine the help desk calls
from people using an iris camera for the first time: "Are you sure
the camera is pointed at your face? No, your face. The camera.
The one on your computer. Look behind your desk. Maybe it fell
off the monitor."
Even if an organization only implements a biometric device for
local use, its value as a password vault—letting users store a
variety of complex passphrases rather than a single, simple password—is
significant in this era of increased security awareness.
Find out more about these products and related technologies
with these links:
- To read more about using passphrase authentication, go here.
- To read more about the Panasonic Authneticam (first reviewed
in Redmond April 2002 by Roberta Bragg), go here.
- To read more about DigitalPersona and its DigitalPersona Pro
server application that integrates with AD, go here.
- To read more about the Silex Combo and Silex's other fingerprint
scanners, go here.