FRAMINGHAM (03/27/2000) - When you need better protection than a password system can give you, it may be time to consider using a biometric authentication device. In our tests, these devices proved affordable, reliable, easy to use and light-years ahead of passwords in boosting desktop, laptop and network access protection.
Not only are passwords easily compromised, they don't authenticate people - they merely authenticate passwords. Conversely, each fingerprint is unique.
With biometrics, you'll never have to remember multiple, sometimes counterintuitive alphanumeric sequences. All you need to remember is to bring your finger or face, or how to sign your name.
Biometric devices measure one or more physical attributes. The most commonly used attribute is your fingerprint, but it can also be the shape of your face, the pattern of your eye's iris, your signature or the sound of your voice.
Devices exist to meet any degree of security and paranoia. For example, if you want ultrasecure access to the ICBM missile silo or an anthrax lab, retinal-scan devices that read the pattern of blood vessels inside eyes are available. We confined our tests to noninvasive devices suited for use with computers and networks in a normal business environment.
"Biometrics have been around a long time while the vendors tried to get the technology and price right. Finally, fingerprint scanners are a here-and-now technology," says Chris Christensen, a security analyst at International Data Corp. in Framingham, Massachusetts. Starting this summer, manufacturers like Compaq Computer Corp. will ship laptops equipped with biometric devices.
With prices dropping and accuracy increasing, the future looks promising for vendors. According to New York-based consulting firm International Biometric Group LLC, the market for biometric devices totaled $260 million last year. The company predicts a 30 percent to 40 percent annual growth rate.
All the products we tested are ready for use and were designed for existing machines. The devices cost between $60 and $395 and offer vastly increased security. All products were installed effortlessly, required no maintenance and delivered consistent accuracy.
Digital Persona Inc.'s U.are.U Pro offers a major advantage over the other products - a single cable connection to the Universal Serial Bus (USB) port in machines running Windows 95/98, NT and 2000. The other devices require a connection to the parallel port, a power source (usually the keyboard connector cable) and a printer pass-through when a printer is connected to the same machine.
Aside from the convenience of a USB connector, hardware from the other vendors performed equally well. When used on a Windows NT network and integrated into NT's Security Access Manager, all the devices provided security far superior to a mere password.
Biometric vendors tend to sell either just the software engine, such as Identix Inc.'s BioLogon and Cyber-SIGN Inc.'s Cyber-SIGN, or the hardware, such as products from SCM Microsystems Inc. and Interlink Electronics Inc. Other vendors, such as Keyware Technologies and Digital Persona, offer both.
Other than Digital Persona's custom-developed USB driver for Windows NT, we found no major differences in the ease of use, reliability or feature set in any of the software. All the vendors mentioned plan to release USB versions of their products for Windows 2000.
For information technology use, the device chosen should be based as much on price as on desktop space. Most fingerprint scanners and signature readers are stand-alone devices, but Key Tronic Corp.'s Key Tronic Secure Keyboard integrates a scanner into a keyboard. The bundling saves space, and help desks may prefer built-in devices to those added on.
Since pressing a finger is slightly easier than writing your signature or mugging it up for a camera, fingerprint scanners have a slight edge in usability. All devices also allow password entry in the event that the biometric recognition fails, perhaps as the result of an accident or illness.
To help prevent erroneous access denials, authorized users should register multiple fingers.
Millman operates Data System Services LLC, a consultancy in Croton, N.Y.
Contact him at email@example.com.
Hardware and software; fingerprint
Digital Persona Inc.
Redwood City, Calif.
$199 with client software
Server software: $29 per user
The all-around winner. Highly accurate with inexpensive, single-cable USB connectivity. The software shows its heritage as a onetime consumer product - it's entertaining and simple to understand. Users enroll and set up security via an overlay to Windows NT's Management Console. Utilities include a one-touch Internet log-in, which eliminates the need for passwords, and private space, a virtual drive that stores encrypted data.
SCM Microsystems Inc.
Los Gatos, Calif.
Server: $900 for 25 users
A welcome and convenient innovation, the BioTouch delivers affordable and reliable access security for laptop users. The BioTouch slips into a PC card slot and incorporates a fingerprint-scan sensor on a slide-out tray. Powered by the laptop, it requires no external cables or connections. Simple, reliable and consistently accurate, it's an ideal way to retrofit existing laptops running Windows 95/98, NT or 2000.
Unlike passwords, the BioTouch can't be defeated by simply removing the CMOS battery or by amateurish hacking. When connected to a BioLogon-enabled network, the laptop will use the security profiles set up for the network server.
The software engine for the BioTouch (and a variety of other fingerprint-scanning hardware), BioLogon offers centralized network management plus remote user enrollment and access. BioLogon's user profiles can enroll multiple users, each with different rights. Users can access the network from other computers.
Identix offers a version of BioLogon that runs on Novell NetWare 5 and supports NetWare's LDAP server.
ePad
Hardware
Interlink Electronics Inc.
Camarillo, Calif.
www.interlinkelec.com
(800) 340-1331
$70
Cyber-SIGN
Software; signature dynamics
Cyber-SIGN Inc.
$50 per user
Server: $1,250, unlimited users
A compact signature pad that's easy to install and use. Cyber-SIGN's software analyzes the shape, speed, stroke, pen pressure and timing information as you sign your name. Even my daughter, who forged my signature to her report cards for 10 years, couldn't defeat the system. Stunningly accurate, it allows enough leeway so that casually signing your name with an extra flourish enables access, but any major variation will deny access.
Key Tronic Secure Keyboard
Hardware, fingerprint; uses BioLogon software
Key Tronic Corp.
We give high marks to the Key Tronic keyboard for its consistent accuracy and high reliability. And as an integrated keyboard and fingerprint scanner, it doesn't increase desktop clutter. The 104-key keyboard offers good tactile feedback and looks like any other, except for the addition of a small fingerprint scanner off to the side.
Datawise MT Digit
Hardware, fingerprint; uses BioLogon software
SCM Microsystems
Los Gatos, Calif.
www.scmmicro.com
(408) 370-4888
$130
An accurate, mouse-size stand-alone fingerprint reader.
Hardware and software; multiple authentication
Keyware Technologies
Woburn, Mass.
With three authentication procedures (voice, facial recognition and fingerprint), the package offered the highest degree of noninvasive security of all the products we tested. In our trials, we couldn't gain access using all three methods, but we did consistently achieve access with any two. You have the option of using all three at once, two at a time or any one of the three.
You can also create a weighted security system that values one or two devices over the others.
It requires a separate product to control log-on (not tested), and the screen saver secures systems that users want to leave running while unattended.
The package includes a small video camera that perches atop the monitor, a microphone and a fingerprint scanner. Less costly packages are available for users who already own one or more of the devices. We tested parallel port versions of the camera and scanner. Keyware says USB versions are now available.
Hardware and software; fingerprint
NEC Technologies Inc.
Server: $1,000, unlimited users
Client: $200, includes hardware
Exclusively designed for use in an enterprise, TouchPass requires a Windows NT domain server. It won't operate in a stand-alone mode like the other devices.
The NEC software integrates into Windows NT's Security Access Manager and User Manager. It offers good centralized management and replicates authentication communication protocols to other domain controllers.