Body Language - The New Security

What barrier does your company have between a resourceful hacker with malicious intentions and the company's systems, applications, and databases? A password? A password that can be forgotten, guessed, or stolen? Good luck. Rather than putting your trust in something so potentially unpredictable, you can beef up your security using biometrics technology and rely instead on your users' fingers, faces, eyes, and voices.


You can make your users change their passwords regularly and delete access privileges when an employee leaves the company, but password protection will never be fail-safe. Passwords are only as reliable as the people who have to remember and safeguard them. Rather than putting your trust in something so potentially unpredictable, you can beef up your security using biometrics technology and rely instead on your users' fingers, faces, eyes, and voices.

Joel Deitch has 15 years of experience marketing and writing about technology. Currently a senior marketing manager at an information security management organization, he lives (securely) in Atlanta, Georgia, and contributes to CNET Enterprise.

Biometrics by the numbers

Biometrics picks up where passwords leave off, identifying users by unique individual physical characteristics: fingerprints, voiceprints, facial patterns, or even the motion of signing a name. Biometrics converts a physical characteristic into a number and generates a digitally encoded identifier based on this number. Because it is almost impossible for any two individuals to have identical traits, these numbers and algorithms essentially guarantee that each profile works for only one user.

These identifiers are numbers, not the actual fingerprints, voiceprints, image scans, or motion scans. This is important for employees to understand, because they may object to being "catalogued"--having their fingerprint or retinal information stored on the client or the network. In the end, the only information stored is the unique digital imprint created during enrollment.

The biometrics advantage

Biometrics provides several potential security improvements over passwords alone. First, physical characteristics can't be forgotten or left behind. Second, it's almost impossible to fake a fingerprint, a voiceprint, or a signature motion. With both biometric verification and a password required for login, it's very unlikely that someone can use a stolen password for unauthorized access, as long as the servers containing the digital profiles are properly protected.

For the most part, administrators determine the level of security for each user and device. For example, fingerprint scanners can be set to test the print of a single finger or require all ten digits before allowing access. Putting a lot of data in a user profile, however, means that login takes longer. On the other hand, the more complex a profile is, the harder it is to replicate or fake.
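To make the enrollment, two-factor login, and strictness trade-off described above concrete, here is an added toy model (not code from the article or from any product it reviews). The feature vectors are constructed stand-ins for what a scanner's feature extractor would emit; the averaging and tolerance-count matcher are deliberately simplified assumptions, chosen only to show that the stored profile is a derived template, that both factors must pass, and that a stricter threshold raises false rejections.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed feature vectors (assumption: six numeric features per sample).
# Three enrollment samples from one user, each slightly different due to sensor noise.
ENROLL_SAMPLES = [
    [12, 40, 77, 105, 130, 162],
    [13, 41, 76, 104, 131, 160],
    [12, 39, 78, 106, 129, 161],
]
LOGIN_SAMPLE_GENUINE = [14, 40, 75, 105, 136, 163]  # same user, one noisy feature
LOGIN_SAMPLE_OTHER = [20, 55, 70, 98, 140, 150]     # a different person


@dataclass
class Profile:
    template: list[float]  # averaged features: the only biometric data retained
    pw_salt: bytes
    pw_hash: bytes


def enroll(samples, password):
    """Derive a template from several samples; raw samples are discarded."""
    n = len(samples)
    template = [sum(col) / n for col in zip(*samples)]
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return Profile(template, salt, pw_hash)


def match_score(template, sample, tolerance=3):
    """Fraction of features within tolerance of the template (0.0 to 1.0)."""
    hits = sum(1 for t, s in zip(template, sample) if abs(t - s) <= tolerance)
    return hits / len(template)


def verify(profile, sample, password, threshold=0.8):
    """Both factors must pass; 'threshold' is the administrator's strictness knob."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), profile.pw_salt, 100_000)
    pw_ok = hmac.compare_digest(candidate, profile.pw_hash)
    bio_ok = match_score(profile.template, sample) >= threshold
    return pw_ok and bio_ok
```

With the genuine sample scoring 5/6, a threshold of 0.8 admits the user while a threshold of 1.0 rejects them, which is the longer-login, harder-to-fake trade-off the paragraph describes.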

Current biometric products are less expensive, simpler to deploy, and easier to manage than their predecessors. Some manufacturers concentrate on providing the hardware and back-end software for biometrics. Other companies concentrate on integrating multiple biometric technologies with existing Windows security and general network management infrastructure. There is, of course, much overlap in these offerings. What's important is that biometrics now integrates cleanly and easily within an overall network security management practice, including turnkey server kits and professional services that greatly simplify deployment.

How much does it cost?

Biometric devices start at under $100 for a basic microphone or digital camera. Fingerprint scanners cost about the same. More specialized iris or retina scanners provide greater security but cost several hundred dollars per unit. Handwriting motion scanners require a digital drawing tablet (starting at around $150 per unit), plus client software (approximately $100 per seat) to work their magic.

Smaller organizations should look for devices that cleanly integrate with the security management already built into their operating system and allow for remote enrollment for offsite users. Larger organizations should expect to spend $2,000 and up for each copy of server software, plus client software and per-seat charges. Back-end administration and maintenance costs are comparable to any enterprisewide security management solution.

Fingerprint, iris, and voice

We evaluated three products that are representative of the primary biometric technologies. All of the products performed as advertised, but their significant differences may determine which technology is right for your company.

Digital Persona U.Are.U fingerprint reader

Fingerprint reader
The Digital Persona U.Are.U reads your fingerprint through a clear oval window on its top. Windows 2000 immediately identified the small, gray USB device. The necessary drivers and software loaded seamlessly. Drag-and-drop utilities make it easy to set up fingertip logins to individual Web sites. While its red glow makes it look suitable for any technogeek, it may be a little off-putting for just plain folks.

Each user must commit to using U.Are.U to log on to the client PC, but traditional passwords are always available as an alternative. By assigning users' U.Are.U profiles to privilege sets, administrators can require biometric login for certain network resources. Users can add individual U.Are.U logins, including no-typing access to individual Web sites.

Iridian Authenticam iris recognition camera

Iris scan
The Iridian Authenticam iris recognition camera we checked out was a prototype model with preproduction software. The Authenticam looks like a normal Web camera (and can double as one) but has two additional apertures. The first contains a hologram that helps position the eye properly for registration or verification and performs the actual recognition. The second illuminates the eye so that an accurate image map can be captured. As with the U.Are.U system, enrollment is simple and straightforward. People wearing glasses need to take them off during enrollment, but they don't have to remove them later to be identified for login, according to the company.

Whereas fingerprint technology seems best suited for PC and network access, iris recognition can serve as the foundation for a much broader solution. In fact, Iridian makes more sophisticated cameras for controlling physical access to buildings or instantly identifying users at ATMs. Iridian works with hardware vendors to integrate iris recognition technology into comprehensive access-control solutions.

Iridian is in the process of updating its basic camera with a smaller, more capable unit. Our preproduction unit and pre-beta software connected through a parallel port rather than USB. Given the vagaries of using parallel ports for such an important function, we would recommend that these biometrics be used only with Windows 98, Windows Me, or Windows 2000 clients with USB capability.

Voiceprint recognition
We also examined two Web-based authentication systems that use voiceprint recognition for access control. The first is JotterSAF, from SAFLink, which we downloaded and installed. To use this test version of JotterSAF, you must first generate a reliable print of your voice and register it with the sample Web portal. During that process, we ran into both the strength and weakness of voiceprint recognition.

JotterSAF enrollment screen

Most PCs use simple microphones or Web cameras for sound input. It's practically a universal technology, making almost any PC biometrics ready. Unfortunately, these units home in on any sound in the room rather than a specific source in a specific location. The ambient noise in our office was enough to require dozens of attempts to register the three separate required voiceprints. Recognition worked well enough thereafter, but it was a frustrating experience.

Similarly, we couldn't get a single usable voiceprint with the VoiceCheck demo from Veritel and, therefore, couldn't try out the software. A better microphone would have helped significantly, but this situation illustrates a problem with voiceprint technology in general. If you can't control what microphones are installed on client PCs or how they are configured, voiceprint recognition may not be a practical choice.

For remote users, Veritel verifies voiceprints over the telephone for offsite long-distance calling, voicemail, and similar applications. This reduces the risk of lost calling cards or stolen calling card numbers. The combination of voice recognition and telephony looks to be a very effective use for voiceprint technology.

SAFLink uses its voice recognition technology in its demo precisely because the necessary hardware is included on most computers. However, the company also provides back-end services for a wide range of biometric input devices, and it suggests that you supplement voice recognition with other technologies in a production environment. From our experience, it's good advice.

Liabilities may delay acceptance
Biometrics offers several distinct advantages over password-protected access control. This mature, cost-effective technology could improve and simplify access control. That said, biometrics carries a couple of liabilities that may delay its rapid acceptance.

Because laptops usually come with a microphone, voiceprint recognition is a strong option for mobile users. But in addition to the limitations that ambient noise poses, users may resist the technology because they feel awkward talking to a PC in public. The alternative--a camera or a fingerprint scanner--may not pose a problem for desktop users, but most of these devices are external. While you can't expect laptop users to be excited about having to carry yet another piece of equipment, some laptop vendors--including Acer and Compaq--now offer laptops with a built-in fingerprint scanner.

Some laptops and monitors now have built-in cameras, and desktop keyboards and pointing devices are now available with fingerprint scanners. The built-in biometric devices should increase the likelihood of acceptance among users and security administrators. If biometrics isn't quite ready for prime time, it's certainly waiting in the wings. It just needs improved hardware integration so that it's much easier and less expensive to deploy.

Don't throw away your passwords just yet; biometric systems aren't a cure-all. Hardware fails. Users upgrade to new systems. Either scenario may require you to rebuild each logon profile on the client one system at a time, unless that information has been backed up elsewhere.

Biometrics may provide a strong alternative to password authentication, but the client isn't the only way into your network. Back-end systems that host biometric security systems are just as susceptible to online sabotage as other technologies. If your servers go down or your registrations are damaged, your employees and customers can't log on. In a worst-case scenario, you will need to painstakingly rebuild all of your user profiles before full functionality can be restored.

The fingerprint scanner is the device we'd be most likely to carry on a business trip. It offers the best balance of convenience and usability and is compact enough that manufacturers are starting to build scanners into their laptops. But for more comprehensive solutions that require a high degree of integration--including PCs, ATMs, and building access--iris, retina, and face recognition make more sense. This option may be a more appropriate general-purpose solution when monitors and laptops with built-in cameras become commonplace. For now, voice recognition seems the best suited of the three for mobile use, even if it is a bit problematic.

In an ideal world, visual recognition systems would automatically register our identities when we enter our office buildings. This information would then be used to turn on our office lights and our PCs and download our e-mail and calendars. Laptops would have built-in fingerprint scanners for secure access to the computer and remote back-end services. Our cell phones and PDAs would be integrated into a single device with voice recognition, allowing us to log in to corporate telephony and mobile network services.

The technology to make this science fiction a reality is here today, although the integration is not yet truly transparent. Nonetheless, today's biometric security products work very well, are improving rapidly, and deserve a careful look.

Biometric Products

| Product | Type | Connection | Key features* | Cost (list) |
|---|---|---|---|---|
| | Fingerprint | USB; other (OEM) | Ease of enrollment, use, and administration; fully encrypted communications | $149 (workstation); $1,499 (server software) for 25 users ($50 per additional user) |
| | Fingerprint | PC Card; USB; other (OEM) | Multiple formats; integrates with PC products | $229 (PC Card); $129 (USB) |
| ID Mouse; ID Center | Fingerprint (via mouse) | USB; other (OEM) | Biometrics with a mouse; integrates with other PC hardware | $129 (workstation); varies (ID Center integration services) |
| BioNetrix Authentication Suite | Integrated solutions | N/A | Scalable to large installations | Varies |
| LBV Framework | Integrated solutions | N/A | Scalable to large installations | Varies |
| JotterSAF; SaftyLatch; SAFLink/Voice | Integrated solutions | Standard PC microphone | Consumer products use voice for security | Free (JotterSAF); $59.95 (SaftyLatch); varies (integration services) |
| | Signature | Interlink ePad or Wacom Graphire graphics tablet | Ensures authenticity of documents; secure screensaver | $99 (Acrobat plug-in); $1,750 (server software) |
| | Visual | Web or videoconferencing camera, microphone | Building access | $99.95 for five users; $2,750 (server); $75 (client); $10 per user (scalable version) |
| | Visual | USB, parallel port | Specialized camera is highly accurate; building access; camera is videoconference capable | Available from resellers; prices vary |
| | Visual | Web camera | Database access verification; surveillance software | Available from resellers; prices vary |
| TrueFace; Biometric Internet Service (ASP) | Visual; integrated solutions | Web camera (TrueFace); Internet connection (ASP) | Outsourced authentication; software engine for face recognition | Available from resellers; prices vary; ASP service from eTrue or partners |
| VoiceCheck; Talk Direct | Voice; password reset | Microphone or telephone | Telephony, Web, and network app security; VoiceCheck is scalable | Price varies (VoiceCheck); $100 per user (Talk Direct), 100 user minimum |

* All products offer centralized administration, except the Ethenticator, for which a server version is under development. All products offer remote enrollment, except the Ethenticator and BioID; their respective manufacturers are developing this feature.