Like most authentication technologies, biometrics come in several flavours: from the advanced handwriting and facial character recognition systems to the more common fingerprint scanners, with quite a few technologies in between (iris, retina, and palm scanners).
There are almost as many uses for biometrics as there are types. While all five of the devices that vendors sent us for this review were fingerprint scanners, most of them had very different uses, ranging from simple desktop password management through to three-factor authentication. I will briefly run through the products submitted.
APC sent us a Biopod Biometric password manager, which is pretty much exactly that. It is designed for use with a desktop machine and connects via USB; the administrator can enroll up to 20 separate users or 20 fingers (if one is lucky enough to have four arms, that is).
The software that is bundled with the device is very straightforward and easy to use. Whenever the user visits an application or Web site that requires a login, a small system tray resident applet pops up, indicates that it has detected a username/password field, and invites the user to register that password for use with the fingerprint scanner. Two options exist: one automatically submits the stored login credentials every time the application is opened or the site browsed to, and the second prompts the user for their fingerprint upon detection of a previously registered application or site.
The BQT Solutions mib-BT913U device clearly provides for very strong authentication in one device, combining up to three-factor authentication: something one knows, something one has and something one is. The hardware component of this solution is a robust contactless card reader/writer with a biometric fingerprint scanner built into it.
The BioEncode 3.1 software runs on Windows NT, 2000, and XP. The card reader is set up as a USB serial device.
Once registered, the fingerprint is stored on the card. This is a worry if the card is lost, as someone potentially has your fingerprint; however, it is preferable to someone cracking a server and getting a database of all employees' fingerprints. It also helps in remote or distributed locations where individual authentication terminals may not be hooked into the central authentication information database system, or where the authentication data may need to travel across potentially hostile or compromised networks.
ComSec Enterprises shipped us a 128MB USB v1.1 flash memory key with an embedded fingerprint scanner. Enrolment took quite some time, but once we were registered the device worked well. Larger capacity and USB 2.0 would be nice, but it is still a step ahead, in the security stakes, of the normal (easy to lose) memory keys.
The Digital Persona U.are.U 4000 Sensor is quite a neat, compact optical USB fingerprint scanner. The distributor Automa shipped us both the workstation and server versions of the application software. The workstation Pro 3.1 for Active Directory software runs on Windows XP, 2003, 2000, ME and even Windows 98. This solution provides Windows machine login, replacing the usual Windows username/password authentication system.
Microsoft submitted a device called the Fingerprint Reader, which is manufactured by Digital Persona and internally appears to be the same as the Digital Persona device but has a trendy pearlescent paint job. The device drivers and application software, however, are limited to use with the Microsoft Windows XP operating system only.
Recently the lab has also seen embedded biometric fingerprint scanners in portable devices such as Fujitsu and IBM notebooks and HP PDAs.
The Fujitsu sported a traditional fingerprint-sized pad while the IBM notebook and the HP PDA had a small strip scanner that the user runs his or her finger over.
An important tip when using fingerprint scanners: once authentication is complete, the finger must be slid off the scanning window to smudge the print. Some scanners have been known to return false positive IDs when a breath of air is blown onto the device, or a bag of water is applied to a scanner, while a residual imprint remains.
There are various other ways of "tricking" a fingerprint scanner and Steve Turvey sums these up in his biometric review in the February 2004 edition of T&B. Another problem is remembering which finger was used during the registration process.
When considering the biometric route, look at a vendor's crossover error rate. This is the point where the rejection of legitimate users intersects with the false acceptance of unauthorised users. If a system is configured too tightly, too many rejections and re-authentication requests can leave legitimate users frustrated.
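The crossover error rate described above can be worked out from a scanner's match scores by sweeping the acceptance threshold; the following is an added example, not part of the original review or of any vendor's software. The sample scores, the 0-100 scale and the rule that a scan is accepted when its score is at or above the threshold are all assumptions.

```python
# Constructed match scores on an assumed 0-100 scale (higher = closer match).
# They are illustrative only and do not come from any device in the review.
GENUINE = [91, 88, 85, 82, 79, 76, 72, 68, 61, 48]    # enrolled user, own finger
IMPOSTOR = [12, 18, 23, 27, 31, 36, 42, 47, 55, 64]   # someone else's finger


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when a scan is accepted if score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)    # false rejects
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)):
    """Return (threshold, FRR, FAR) at the lowest threshold where the two
    rates are closest; with finite samples they may not meet exactly."""
    best = None
    for t in thresholds:
        frr, far = rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]


if __name__ == "__main__":
    # A loose and a tight setting show the trade-off on either side of the crossover.
    for label, t in (("loose", 30), ("tight", 80)):
        frr, far = rates(t)
        print(f"{label:5} threshold={t:3}  FRR={frr:.0%}  FAR={far:.0%}")
    t, frr, far = crossover()
    print(f"crossover threshold={t}  FRR={frr:.0%}  FAR={far:.0%}")
```

With these constructed scores the tight setting rejects most legitimate scans while accepting no impostors, and the loose setting does the reverse; a lower crossover rate indicates a device that separates the two groups better.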