There is no doubt that fingerprint scanners are a very convenient form of identification. The technology is relatively non-invasive and quick, with the added benefit that placing one's finger on a painless sensor is a technology that doesn't scare users. In addition, fingerprints cannot be read involuntarily from a distance--contrast this with the iris scanners in the film Minority Report that track a hapless Tom Cruise. Another bonus is that the technology is now relatively inexpensive and for a few hundred dollars you can augment your PC or notebook with a fingerprint scanner.
Other types of biometric technologies are still fraught with problems, and iris scanners especially are not all they are hyped up to be. Unlike your fingerprints, your iris is a dynamic item: various light levels lead to stretching and contraction of the features, which requires more sophisticated software to carry out transforms to make a match. Also, some features of your iris do change. For example, if you've been on a bender the night before and you're tired, your blood pressure will be elevated and you may have bloodshot eyes. All this is going to subtly, or not so subtly, change the topography of your iris. As a result, the more inexpensive solutions have higher false positive and false negative rates than is acceptable for many security purposes.
How secure are fingerprint scanners?
We are led to believe by many vendors that their fingerprint scanners are very secure, with such marketing lines as "you can't give a friend a finger" or "you can't leave your finger lying around on a scrap of paper for anyone to read". As far as these statements go they are true: you do not have to remember your fingerprint as you do a password and, barring grisly scenarios, you and your fingerprint must be present to access a scanner.
At first it appears that if someone really wants the information locked away by your fingerprint, the only way they are going to get at it is by coercion or removal of body parts. It has been discussed freely around the biometrics industry for some time that scanners should include additional sensors to ensure the finger that makes the print is alive, ergo still attached to your breathing body; ways to do this include, for example, detection and measurement of your pulse.
To date, these additional safeguards have not been widely implemented, and the inexpensive technology we looked at here has certainly not inherited these features.
Unfortunately this is not the full story: there are ways of getting around fingerprint scanners that do not involve such drastic measures as abduction or the use of cleavers.
We have all witnessed spy shows like Mission Impossible and Charlie's Angels where the biometric security systems are tricked by fancy contact lenses with another person's iris print, or stick-on fingerprints duplicated by lifting the pattern of the fingerprints from the unsuspecting victim.
Most of us probably think, "yeah right, about as believable as the rest of the movie's complete suspension of reality".
However, there is more than a grain of truth this time. To be blunt, you can trick most fingerprint scanners and there are various ways of doing so. But before you get all up in arms and ask why we are even entertaining using these things if they are not truly secure, let's look at what "security" really means.
For a start, security is a relative thing. For example you might leave $10 lying around in a drawer because if you lose it you will be annoyed but not destitute. On the other hand, you would not leave your life savings just sitting in a drawer. Another more obvious example is your door locks at home: they will quite effectively block 99 percent of the population and grant you a comfortable degree of security, but up against a determined expert, the average home security is a joke.
We were surprised with how easy it was to get around some of the fingerprint scanners. According to some security experts, the oily fingerprint residue left on a capacitive scanner can be "reactivated" simply by re-humidifying the latent print either by a hot breath from your lungs or gently placing a plastic bag of hot water on top of the latent print. Unfortunately, we did not have a capacitive fingerprint scanner to test this out but you can obviously take steps to ensure this does not happen by simply sliding your finger off the scanner plate in order to smear the latent print.
We found a great research paper on how to fool fingerprint scanners entitled Impact of Artificial "Gummy" Fingers on Fingerprint Systems.
In essence the researchers at Yokohama National University in Japan found you could take an imprint of your fingerprint using moulding putty and then fill the mould with a very thick gelatine mixture, about the consistency of a "gummy bear" when set. The resultant fake finger could be used quite consistently to fool various optical and capacitive fingerprint scanners they had at their disposal. And, like the movie scenarios, you could adhere a slice of the fake finger over your own prints and walk up to a scanner under the watchful eye of a security guard, gain access, then once inside you can peel off the fake fingerprint and eat the evidence.
Obviously the above scenario requires the cooperation of the fingerprint donor but this does not have to be the case. Apparently, on average, we deposit 20 or so full or usable partial fingerprints in our travels each day; it would be a simple matter to hand the unsuspecting donor a glass of wine and then steal away with the glass and the prints. The print can then be "lifted" using common super glue--the above research paper outlines all the steps involved.
Of course if security is really an issue, most organisations do not rely on a single form of authentication, so you may use a fingerprint scanner in conjunction with a password or smart card to correctly authenticate an individual.
SecuGen EyeD BioHamster
When we were told the name of the product prior to delivery our imagination got the better of us as we tried to picture what the "BioHamster" would look like. As it turns out the unit is not particularly exotic; the name appears to be there to distinguish the unit from ThumbAccess's other unit, the BioMouse, which as the name suggests is an optical mouse with an integrated fingerprint sensor.
The Hamster is relatively small and unobtrusive standing around 8cm high with a footprint 5.5cm by 7.5cm. It utilises optical fingerprint scanning technology and plugs into the computer's USB port.
Setup and configuration of the Hamster is a quick process involving a handful of steps through the Enrolment Wizard. Enrolling fingerprints is a surprisingly quick process, certainly faster than the Targus.
The software provided with the scanner, SecuDesktop2000, included several applets: a database backup applet to ensure a copy of the fingerprint database can be saved and stored offsite; a device diagnostic utility that allows the user to test the unit and confirm it is operating correctly; a log event viewer; and finally SecuManager, which allows the administrator to manage users, their fingerprints and also alter the system configuration settings. You can also nominate folders to encrypt. SecuManager is a relatively basic application and is certainly easy to navigate. The supplied software does not support a central fingerprint database but from mid-January 2004 this functionality will be provided with the new version of the software.
The encryption software is useful--the facility is also provided with the Targus--so even if someone steals your drive they cannot extract your encrypted data.
The unit was quite reliable in operation, provided your fingerprint was "clean". We drew some simple black marker pen lines on our fingerprint and found the unit then had trouble reading the print and reliability dropped. We found reliability also dropped for other forms of "unclean" prints. In an office environment this would not prove too much of an obstacle, since for a start users would register more than one finger; in a workshop or factory environment, however, this may prove a problem.
|Product||SecuGen EyeD Hamster|
|Phone||02 9657 1360|
|Supports Windows 98 or later.|
|Vendor says centralised fingerprint database will be shipped with this unit as standard by the time you read this.|
|Significantly more expensive than the Targus but will include centralised database functionality out of the box.|
The DefCon is a very small unit, less than 5cm wide, around 2cm thick and 7cm deep, which in addition to the RF fingerprint scanner includes a two-port USB hub, so rather than losing a USB port when you plug the unit in you actually have one extra port.
The setup and configuration, while simple, was slightly lengthier than the Hamster's and included much the same procedures. The fingerprint enrolment process is slower than the Hamster's as the DefCon unit appears to take slightly longer to grab each print and also catalogues more images of the one finger to build up its database. A cute feature is the voice prompts during the configuration, such as "Select the finger you wish to enrol"; these are perfectly understandable and tend to be of more assistance to a novice.
The software provided with the unit, OmniPass, is not readily accessible to the novice as it resides in the Windows Control Panel, a place many novices fear to tread.
We found the software supplied with the unit was a little buggy. If, for example, the fingerprint enrolment fails, say because you do not place your finger on the sensor correctly, the voice prompt correctly states that the enrolment failed but the Windows dialog box displays a misleading message. The message is to the effect that the sensor is in use, close any apps before trying to use the sensor again.
New users can be added using OmniPass; users can also be removed and the user profiles imported or exported. Like the Hamster, DefCon also supports file encryption, although in this case it could not be easier: simply right click on the relevant folder or drive and amongst the options are OmniPass Encrypt and Decrypt files.
The supplied software does not include a centralised fingerprint database capability for your network, but there are a few third-party providers that Targus recommend with SafLink at the top of their list, which apparently supports Active Directory and SQL.
We found the DefCon to be extremely reliable in operation and "unclean" fingerprints with marker pen or oil on them for example were read without a problem; often these would pose a problem with the Hamster and its optical sensor.
|Product||Targus Defcon Authenticator|
|Phone||1800 641 645|
|Supports Windows 98 or later.|
|Does not include centralised database functionality, however there are several third party options available.|
|Inexpensive, particularly with a two-port USB hub. Third party software required for a centralised database. More immune to “unclean” prints and more accurate than the EyeD Hamster.|
How we tested
Does the scanner support a good variety of operating systems?
Can you maintain a centralised database of users' fingerprints for your whole network?
The age-old comparison of price, performance, and features.
What warranties and service contracts are available? Can you get prompt service at a reasonable price?
Company: ATSA Call Centres. This company wants to improve the security of its desktop PCs and notebooks, and wants to install fingerprint scanners on each to ensure that only the appropriate staff have access to company data and resources.
Approximate budget: $300 per scanner.
Requires: Fingerprint scanners and software for 80 PCs and notebooks.
Concerns: The accuracy of the scanners is very important, as is the difficulty in circumventing the security measures. The ability to tie into the company's existing directory systems and to support hot-desking is also a consideration.
Best solution: The Targus seems the more accurate of the two with its RF technology, costs $120 less and although it doesn't ship with centralised database functionality, there's a wide range of third-party software you could use instead.
Targus DefCon 1 Authenticator
The SecuGen EyeD Hamster is more expensive, but will include centralised fingerprint database functionality out of the box by the time you read this. However, the functionality and features of the software are an unknown quantity. The Targus DefCon 1 Authenticator has quite wide support from third-party vendors and features Radio Frequency (RF) fingerprint scanning technology that should prove to be less susceptible to trickery than the optical unit in the EyeD Hamster.
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own--only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.