
Biometric Security Products

Wouldn't it be nice if your computer just knew you! Security Advisor's Roberta Bragg evaluates several solutions.


In a recent movie, a terrorist cut off the finger of a federal agent and used it to access restricted airport facilities. In another, a dead bad gal's severed digit is used repeatedly to access restricted areas of the evil empire's headquarters. When she returns to life and attempts to enter an area where the system already thinks she's present, the alarm is raised.

Good Hollywood stuff; but highly unlikely. Biometric scientists tell me that once you take away the blood supply, within minutes the unique whorls and dips of a fingerprint are no longer in any condition to function as acceptable input for scanners. So put your fears away; securing your network with biometrics won't give new meaning to the word "hackers." There will be no chopping of fingers or hands; no poking out of eyeballs; no surgical voice box implants. Instead, biometrics will challenge you in other ways.

I'd like to introduce you to some examples of biometric products currently on the market. I've installed, configured and briefly tested these toys and found a surprise or two that makes me question the use of biometrics on a Windows network. As they say in the salesroom: Your mileage may vary.

All Body Parts are Not Created Equal
Biometrics is based on the premise that many body parts are unique. That is, no two of something exist in the world. While I don't think that we have proven that beyond a reasonable doubt, I do find the use of biometrics for authentication a compelling development. While I could not give you broad coverage of every vendor (several hundred exist), nor even an introduction to every biometric technique, I hope I can whet your interest and hope that you will seek out these techniques.

There are several important items to consider when choosing which one will become your champion. First, you must decide which type of biometric is right for your situation. The Biometric Consortium, www.biometrics.org, describes 10 classifications: face, fingerprint, hand and finger geometry, handwriting, iris, multimodal (using more than one technique), retinal, vein, voice/speech and various/others. Each must be judged on accuracy (how likely are false positives? False negatives?), acceptance (many people resist the use of retinal scanning, as the requirement for placing your eye against a plastic cup is considered too intrusive and perhaps a health risk), cost (less than $100 for some fingerprint scanners to thousands of dollars for some access control systems), and intended use (network or computer authentication? access control such as building entry?). In addition, you must determine whether you want "verification," the ability to find and compare the offered template with that of the named user, or "identification," the finding of an unknown user by comparing the offered template with an entire database. Finally, to make sure that spiffy biometric gewgaw is not just another panacea you should allow adequate time to thoroughly test it in your environment.

Product Information

BioPassword 4.5 (4.6 is currently in beta)
$100 per seat for 50 seats
Technology: Keystroke Dynamics
Net Nanny Software International, Inc.
Bellevue, Washington
(425) 688-3008 www.biopassword.com

VeriVoice Security Lock (SL) beta
VeriVoice, Inc.
Princeton, New Jersey
(609) 452-9220 www.verivoice.com

EyeD Hamster, $119
EyeD OptiMouse, $139
SecuGen
Milpitas, Calif.
(408) 942-3400 www.secugen.com

Panasonic Authenticam Camera, $199.99
Iridian PrivateID and SecureSuite software
Provided by StrikeforceTechnologies
West Orange, New Jersey
(866) 787-4542 www.strikeforcetech.com

Magic Fingers at Work:
BioPassword 4.5

Mrs. Johnas, my ninth grade typing teacher, said she could always recognize her students by looking at the paper they typed or listening to the sounds they made while working. The strength of each finger produced a different imprint on the page, and the tympanic rhythm that resulted from the combinations of their keystrokes was as unique as the faces frowning over the errors we made. One day we blindfolded her and switched desks, then asked her to walk up and down and identify us. She got every one right.

Research now confirms what Mrs. Johnas knew all along—how we type is unique. There's a pattern to the ways we strike the keys, the timing, strength and force. BioPassword is a biometric product based on these facts. BioPassword does not replace the simple user ID and password model. Instead it adds a layer of protection. Once the product is installed, each user must register by typing her Windows user ID and password a number of times. This creates a template which can later be compared with one made when she logs on. If there is a match between the sample made during logon and the template on file, the user is logged onto the network. If someone else tries to enter the same information, that template will be different and a brief error message tells that person that access has been denied. This means even a sophisticated password-cracking product is useless. You may know my user ID and my password, but you'll never type the same way that I do.
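The enroll-then-compare flow described above can be shown in a few functions. This is an added example, not NetNanny's algorithm or code from this review: it assumes the timing features are key hold ("dwell") and key-to-key ("flight") times scored with a scaled Manhattan distance, and the typists, secret string and threshold are all constructed. Its verify() and identify() functions correspond to the "verification" and "identification" modes defined earlier.

```python
from statistics import fmean

MAD_FLOOR_MS = 1.0  # keeps an unnaturally steady feature from dividing by ~0
THRESHOLD = 2.5     # assumed cut-off; a real deployment tunes it on measured error rates


def features(events):
    """events: [(key, down_ms, up_ms), ...] in typing order.
    Returns the dwell time of each key, then the flight time between neighbours."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Template = per-feature (mean, mean absolute deviation) over repeated typings."""
    vectors = [features(s) for s in samples]
    if not vectors or len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment needs samples of the same key sequence")
    template = []
    for column in zip(*vectors):
        mean = fmean(column)
        mad = fmean(abs(x - mean) for x in column)
        template.append((mean, max(mad, MAD_FLOOR_MS)))
    return template


def score(template, events):
    """Scaled Manhattan distance: mean deviation in units of the user's own spread."""
    vector = features(events)
    if len(vector) != len(template):
        return float("inf")  # not the enrolled string
    return fmean(abs(x - mean) / mad for x, (mean, mad) in zip(vector, template))


def verify(templates, claimed_user, events):
    """Verification (1:1): compare against the template of the named user only."""
    template = templates.get(claimed_user)
    return template is not None and score(template, events) <= THRESHOLD


def identify(templates, events):
    """Identification (1:N): search every template for the closest acceptable match."""
    ranked = sorted((score(t, events), user) for user, t in templates.items())
    return ranked[0][1] if ranked and ranked[0][0] <= THRESHOLD else None


def synth(text, dwell_ms, flight_ms, k):
    """Constructed sample number k for a typist with the given base rhythm."""
    events, t = [], 0
    for j, ch in enumerate(text):
        wobble = (5 * k + 3 * j) % 7 - 3  # deterministic jitter, -3..3 ms
        up = t + dwell_ms[j % len(dwell_ms)] + wobble
        events.append((ch, t, up))
        t = up + flight_ms[j % len(flight_ms)] - wobble
    return events


# Constructed typists (base dwell times, base flight times); both know the same string.
SECRET = "alice/Tr1cky-pw!"
ALICE = ([95, 80, 110, 90], [130, 150, 120])
BOB = ([140, 135, 150, 145], [70, 65, 80])
TEMPLATES = {
    "alice": enroll([synth(SECRET, *ALICE, k) for k in range(15)]),  # 15 typings, as in the review
    "bob": enroll([synth(SECRET, *BOB, k) for k in range(15)]),
}

if __name__ == "__main__":
    probes = {
        "genuine": synth(SECRET, *ALICE, 20),
        "impostor": synth(SECRET, *BOB, 20),  # right password, wrong hands
        "three fingers": synth(SECRET, ALICE[0], [f + 90 for f in ALICE[1]], 20),
    }
    for label, probe in probes.items():
        print(label, round(score(TEMPLATES["alice"], probe), 2),
              verify(TEMPLATES, "alice", probe))
    print("identified as:", identify(TEMPLATES, probes["genuine"]))
```

The "three fingers" probe is the same typist with every pause lengthened; it is rejected for the same reason an impostor is, which is why a changed typing style needs re-registration.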

Installation, Setup and Testing
NetNanny, the producers of BioPassword, provided me with a 10-user license, brief documentation and a warning to install the server before the client. Loading the server software on a Windows 2000 domain controller was quick and easy. Because there's no specialized hardware, there were no drivers, cables or connection issues. Once installed, a small BioPassword utility (see Figure 1) is the only visible part of the product. Here you configure things such as how many times the ID and password must be typed for registration, and also identify workstations and user accounts.

Figure 1. The set-up utility for BioPassword.

Loading the client on Windows 2000 professional was also a snap. As I logged on for the first time from the new client, I had to register by typing in my user ID and password 15 times. This is the default and recommended number. You can set the product to accept fewer repetitions, but this may make the system less accurate. Later, when I changed my password, the registration process was repeated.

I had hired two guys and a chain saw to clean up the ice storm that produced wood piles in my yard, so I invited them in for cookies and to register as users in my domain. Then we took turns trying to logon as each other. It didn't work. That is, BioPassword, like Mrs. Johnas, could not be fooled. The limb guys were soon bored and left to do "real" work.

So what happens if I cut off my finger?
Having often broken bones, sliced fingers and otherwise corrupted potential logon keys, I wondered what would happen to a BioPassword protected system then. Well, I'll go a long way to bring authenticity to these authentication tests, but I draw the line at bodily damage. Instead, I twisted my hands akimbo and for good measure typed using three fingers instead of ten. Sure enough, like the BioPassword documentation warning says, I could not get in. However, as the docs note, an administrator could remove my account registration, thus allowing me to register again. My new typing style would be recorded as the correct one, and allow me to continue working.

Best Practices, Problems and Things to Think about
Whenever considering any biometric or other change to your authentication system, you need to keep in mind things beyond ease of use and user acceptance. First, you need to develop a policy for how the product will be used. Second, you need to assure yourself that the product's idea of security and yours mesh. BioPassword can work to protect your network because even in the case where a user ID and password are compromised, an intruder still cannot gain entry. He can't reproduce your user's unique typing style, and BioPassword has mechanisms in place they believe will repel attempts to play back any recorded exchange between client and server. But as the implementer of biometric products on your network, you have a part in this process too. If you do not insist on every user in your organization using the biometric, then you have left a hole that any attacker can potentially find and use. If you do not audit and monitor logon activity, you will never know if someone is attempting to break in, or perhaps has found a way to compromise the product. No vendor can produce a product that will never, over time, become the victim of a successful attack.

Caveat: If you do insist on 100-percent compliance with this biometric, what happens when the administrator gets locked out, or leaves before his replacement arrives? In most networks more than one administrator exists, so the other one can allow the first to register again. In the smaller network, with one administrator it is always advisable to assign an "emergency" administrative level account to some other employee—not for general use, but for just such an emergency. Make sure that employee registers that account as well as a normal user account for BioPassword authentication. NetNanny tells me that in the future, they may introduce a challenge and response series of questions that can be used should an administrator be locked out.

Uses of Biometrics

Lest you think that biometrics is of no use in the real world, here are some places that these technologies are already being used:

Identification Facial recognition technology is used in casinos to spot known troublemakers.

Physical access Voice services over the telephone by Home Shopping Network and Charles Schwab

Hand geometry US Immigration and Naturalization Service's Passenger Accelerated Service System to identify and process pre-enrolled low risk frequent travelers (citizen-verification) readers.

Fingerprint scanning DisneyWorld season pass holders; Chicago airport employees

Iris scan EyeTicket, a test program at Charlotte/Douglas International Airport in North Carolina and a few others.

Facial recognition East London borough of Newton's 200+ facial recognition surveillance cameras.

Biocontainment
Biocontainment is defined as the process of preventing the spread of disease. In the NetNanny BioPassword world, it's seen as the process of making sure that all systems must use the biometric processes, thus preventing contamination from an "unprotected" system. In testing this product I came across a couple of inconsistencies that I believed might cause some problems. I discussed these with the BioPassword folks and received some interesting replies.

First, in the documentation I ran into a discussion of secondary logon and a potential need to disable the RunAs service. Though it didn't come out and say that using RunAs would cause a problem, this certainly raised a red flag. Immediately I logged on as myself and attempted to run Notepad using one of the "chain saw" accounts and the appropriate password through the RunAs service. I was successful. Logging off, I tried to log on using the same account, and could not. Logging on as myself I then used RunAs to attempt multiple tasks as one or the other of my chain saw buddies. It worked every time. Whoops. The NetNanny folks didn't shirk my inquiry. They admitted that it was an issue they are working on but in the meantime recommend that administrators disable the RunAs service.

Second, I have multiple client machines in my test network. Since I only loaded the client on one of them, I wanted to see what would happen when I attempted to logon from one of the other, non-BioPassword protected systems. Since no client was installed, and therefore the workstation wouldn't be able to produce a template for comparison with the stored one, I expected a simple denial of access even when using a legitimate account. This was not the case. Logging on from an unprotected client allowed access with just a user ID and password. I could—once I knew the password—log on to any account. No biocontainment here. NetNanny was quick to agree, and note that biocontainment will be possible in the next release (4.6).

Assessment
This is a great product for a network, if you can survive with RunAs disabled. It'll be even better when NetNanny resolves this issue. Biocontainment will close the non-client workstation loophole. Until then, only strict adherence to a manually implemented policy that demands client installation on all workstations in the domain will help you sleep at night.

A Windows XP client and a Windows .NET Server product are forthcoming. I'm looking forward to using BioPassword to protect remote assistance access. (I could use it now to protect terminal services access to my network from anywhere I might be.)

A standalone product is due for release shortly and this should be a boon for those who wish to provide better security to workgroup desktops, traveling laptops, and user owned machines that are used for work at home. It should also receive strong acceptance in this group, as there is no additional hardware to understand, damage, maintain, misuse or abuse.

In short, be aware of the issues. They can be showstoppers if not managed, but then, so can widespread access to your network made possible by easy to determine passwords and no additional protection.

An Interesting Curiosity:
VeriVoice Saves Keystrokes but Doesn't Enhance Security
I work a lot at a keyboard and have the stiff neck, sore fingers and painful joints to prove it. I'm hoping someday to be able to do most of my work by just talking to my computer. The makers of voice recognition biometric software, however, are not trying to improve my physical health. Instead, they hope to improve the health of your network by preventing unauthorized access. They do so by identifying your unique voice. Some of these systems require elaborate training and expensive hardware. Others can exist on common desktop systems. Instead of entering a user ID and password via the keyboard, you speak a predetermined catchphrase, or repeat randomly selected phrases. If it's really you (or at least if the software can determine that it's you) then you're in. Otherwise you're not.

VeriVoice is one such product, but it's not meant as a foolproof network or computer access system. Instead, it protects your password-protected screensaver. Sort of. As you know, many Windows screensavers can be turned into password-protected system lockouts with the check of a box. Idle systems start the screensavers and only the possessor of the currently logged on user account password can banish the screensaver and access the desktop. After VeriVoice is installed, an attempt to access the screensaver-protected system asks for authentication via repetition of a VeriVoice-generated number.

Installation, Configuration and Testing
You can install VeriVoice on any Windows 2000 system. You do not have to be in a domain, nor is your usage domain-dependent or restricted. Running the installation (make sure your microphone is working!) sets up the system and provides you the opportunity to "register" your voice. You do so by repeating numerical phrases that are spoken to you and repeated in a dialog box (see Figure 2). I found myself repeating the rhythms of the voice, instead of my own natural ones. This turns out to be not a good idea. When VeriVoice is through with you, you're thanked for registering.

Figure 2. VeriVoice registers your voice by having you repeat numeric phrases.

Next, select a screensaver and check the Password required box. When the screensaver is activated, the system is locked. When you attempt to access the system, VeriVoice requires you to repeat several numerical phrases. From these, VeriVoice creates a template and attempts to match it with the one saved during registration. A match lets you back on the system.

Best Practices, Thoughts
Unfortunately, after three attempts at duplicating your voice print, instead of denying access, VeriVoice gives you the opportunity to key in your password and return to your desktop. In my mind, this invalidates the reason for using VeriVoice in the first place and turns what could be a valuable use of biometrics into little more than a curiosity. Remember, I said that was my opinion. VeriVoice states that this is the way their customers want the service to act. No one wants to potentially lose data by having to reboot to regain access to a system. Besides, allowing only the user back into a "locked" system goes against the normal administrative access policy—if the Windows Lock Computer facility is used instead of a password-protected screensaver, an administrator can unlock the system. If VeriVoice denied this access, they would not be supporting the Windows model.

Assessment
I'd say VeriVoice is useful for the end user who is forced to use a locking screensaver, but annoyed at having to type in a password when they return from lunch. It did make interesting conversation as my idle system kept starting the screensaver while I spoke on the phone. Soon, I found myself explaining to the caller that I was alone—even though some woman and I were speaking in code. It may just be me, but I'd soon be annoyed by the computer voice asking me to repeat the phrases and soon be mumbling something, anything, three times so finally I could type in my password and get on with it.

My Hamster Doesn't Have a Creaky Wheel:
Secugen EyeD Hamster and EyeD OptiMouse
My hamster doesn't have a creaky wheel to run on. Instead, he uses optical components to scan my proffered finger and provide input to prove my identity to server-side software. Fingerprint scanning for authentication bears little resemblance to the fingerprint matching done to identify criminals. Instead of performing visual comparisons of the unique topography of your digital extremities, the scanner maps a large number of data points at distinctive markings and the distances between them. This information is compared to previously stored sets recorded in the Active Directory during your registration.

Unlike keystroke analysis or voice recognition, fingerprint-scanning biometrics depends on hardware to collect the data. An assortment of mice, keyboards, and other things you place your fingers on or in are available. SecuGen provided me with two: an optical mouse with a scanning window where most thumbs are placed during mouse control, and a "hamster," a black device roughly the size of two Zippo lighters that fit comfortably in the palm of my hand. You can change your grip to place any of your logon pods (otherwise known as fingertips) over the hamster's scanning window. Once authenticated, you return it to your desktop until it's needed again. Protocom SecureLogin V2 Windows 2000 domain authentication software accompanied the mouse.

Installations, Configuration and Registration
Installation can be a little more difficult here. It's made more so by the existence of a single executable on the installation CD-ROM and a requirement for manual modification of the Active Directory Schema. Much against my better judgment, but with no other choice, I started installation before reading any documentation. Happily, I was then given the choice to just install documentation. Documentation is copious, but a shortened list of steps provided a simpler path through it.

Step one requires modification of the AD schema. While the instructions were excellent, this approach leaves much room for user error. A misstep here could leave one with hours of troubleshooting only to find that the new user attribute was incorrectly entered or never added to the user object. I know I'm whining here; real nerds insist on doing their own schema changes, shun Group and Local policies in favor of scripting their own registry modifications and never ever use a GUI when a command prompt will do. Still, I can't be the only one who feels I've paid these kinds of dues in the past. Just let the install program do something I can easily mess up, ok?

Next, the instructions include modifications at the BIOS level to support parallel port usage by earlier devices. Since my new little buddies had USB connectors at the other ends of their tails, I skipped this part. Instead, I installed the software. Like most biometrics, you can't use them until users register, and you can't register until you install the hardware. SecuGen avoids the possible nightmare (install the hardware and you may find yourself unable to logon because you haven't registered) by allowing unregistered users to continue using their normal login procedures.

Hardware installation merely requires connecting the creature to the system. Windows 2000 notices the hardware change and loads the driver. Finally, I was ready to register my fingers. SecureLogin provides a registration utility. To run it you must be a member of the SecureLogin Administrators group, a group created when the product is installed. Select a user account, click the radio button corresponding to the digit to be registered, have the user place that finger on the device, and click the register button. An image of the fingerprint appears on the screen (see Figure 3). If the image is acceptable, you're allowed to continue registering other fingers. Incidentally, SecuGen advises you to have users register several fingers. There's no guarantee that a finger roughened by gardening or other physical work on the weekend will be a useful authentication tool come Monday morning.

Figure 3. Feeding fingerprints to SecureLogin.

Once registered, the user can use any registered finger to start the authentication process. If it's acceptable, the first-time authentication also requires password entry. You can remove the password requirement.

Mouse or Hamster?
Unlike keystroke analysis, fingerprint scanning biometrics allows you to choose the auxiliary device to use for entry. The EyeD OptiMouse looks almost exactly like any other mouse you may have. However, along the left side of its ergonomic blue and white body is a window into its soul, er, a plastic window on which to place a registered finger. It's conveniently placed right where your thumb normally rests. Obviously, if you have to use another finger, it's a little more awkward. Well, a lot more awkward, but it can be done. Remember, this is only necessary for authentication—you don't need to be able to continually point, click, and present usable body parts at the same time. Incidentally, this thumb position placement is perfectly aligned to solve one of the issues common to most readers: when a fingerprint scanner is first used, it's difficult to get the finger lined up to get a good print.

The EyeD Hamster sits upright on your desktop. Its slanted top provides the plastic window. However, after some awkward but successful uses of it in this position, I found it much easier to use when I cradled the device in the palm of my hand. Smokers from pre-BIC lighter times can empathize here: I discovered this convenience when I realized I was absentmindedly playing with the hamster as if it was a worry stone, or favorite lighter. Once I noticed that, it only took a few minutes to find comfortable, natural ways to make the window accessible to any digit. I think it may just become my favorite, biometrics and soul soothing in one small package—who would have figured?

Issues
My SecuGen contact made sure he was available to answer any questions and actually provided an answer to a question I hadn't asked yet. (Are these guys psychic or what?) The big selling point of biometrics is that it can replace or strengthen the typical user ID and password combination by insisting on an authentication process which requires the presentation of some biological evidence—perhaps a fingerprint, voice, retina or iris scan, or keystroke pattern. Any implementation of biometrics, therefore, can have a fatal weakness. If a user can somehow go around the biometric and use only my user ID and password, then adding the biometric layer is useless. Can a user, for example, logon from a client machine that does not have the software loaded and forgo biometric authentication? Can she use biometrics to logon to one account, but then use RunAs to logon to another, sans biometrics? Before I had a chance to test it, SecuGen provided the answer: Yes, well maybe, and here's what to do.

In normal operation, a workstation that does not have the client software loaded will not allow a user to enter their normal user ID and password. In normal operation, an authenticated user can use RunAs to run applications as another user without the need for biometric authentication. That is, if the user knows a valid account name and password, he can use that information and the RunAs service to run applications. He will not be required to present any biometric information (fingerprints) and there is no way to force this to be required.

However, a simple adjustment can be made to close this hole and require biometric authentication in order to successfully logon. A simple registry key modification allows the product to change the user password to a unique value each time the user logs on. This means that no registered user can ever again logon using a password, because they don't know what the password is. They cannot move to a workstation which does not have the client loaded. While nothing prevents anyone from using the RunAs service, they will be unsuccessful for the same reason: They do not know the password. While a password-cracking program could potentially be used to obtain the password offline, if the user is a frequent user of the system, the cracked password is most likely useless as it has already changed.

Remember, however, that there is nothing that will automatically require all users to be registered. An unregistered user can still use a password. Some of you may consider this a boon, as there are processes that require the use of a password, so some administrative accounts may need to remain unregistered. Others may see this as where all biometric products break down—the biocontainment/ user registration issue. Indeed, if any account is not registered, and I know that password, I can use it to logon.
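The three ways around the biometric found in these tests (a workstation without the client, RunAs, and an unregistered account) can be looked for in logon records, which is what the earlier advice to audit and monitor logon activity amounts to. The following is an added example, not code from any of the vendors reviewed: the record format, host names and account names are constructed, and it assumes you can export successful logons with the host, account, logon type and, for a secondary logon, the calling user.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory (hypothetical names): workstations running the biometric
# client, accounts with a registered template, and the emergency admin account.
CLIENT_HOSTS = {"WS01", "WS02"}
ENROLLED = {"alice", "bob", "emerg-admin"}
BREAK_GLASS = {"emerg-admin"}

# Constructed records of successful logons. "secondary" marks a RunAs-style
# logon and "caller" is the already logged-on user who started it.
SAMPLE_LOG = """\
time,host,account,logon_type,caller
2002-03-04T08:01:10,WS01,alice,interactive,
2002-03-04T08:03:42,WS02,bob,interactive,
2002-03-04T09:15:00,WS01,bob,secondary,alice
2002-03-04T10:20:31,WS07,alice,interactive,
2002-03-04T11:02:05,WS02,svc-backup,interactive,
2002-03-04T23:40:12,WS01,emerg-admin,interactive,
"""


def classify(row):
    """Name the path a successful logon took, checking the bypasses first."""
    if row["logon_type"] == "secondary":
        return "runas"               # password presented inside an existing session
    if row["host"] not in CLIENT_HOSTS:
        return "unprotected-host"    # no client, so no template could be produced
    if row["account"] not in ENROLLED:
        return "unenrolled-account"  # client present, nothing to compare against
    return "biometric"


def audit(log_text):
    """Return (time, finding, account, host, caller) for every logon worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        path = classify(row)
        if path == "biometric" and row["account"] in BREAK_GLASS:
            path = "break-glass-used"  # legitimate path, but it should be rare
        if path != "biometric":
            findings.append((row["time"], path, row["account"], row["host"], row["caller"]))
    return findings


def remediation(findings):
    """Group findings by the fix each one points to."""
    todo = defaultdict(set)
    for _, path, account, host, caller in findings:
        if path == "unprotected-host":
            todo["install client on"].add(host)
        elif path == "unenrolled-account":
            todo["register or document exception"].add(account)
        elif path == "runas":
            todo["RunAs without biometric"].add(f"{caller} -> {account}")
        else:
            todo["confirm emergency use"].add(account)
    return {action: sorted(items) for action, items in todo.items()}


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for finding in found:
        print(*finding)
    print(remediation(found))
```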

The Eyes Have It:
Affordable iris scanning from Panasonic and Iridian
Most biometrics surveys agree: Iris scanning is the most accurate biometric process. The iris, of course, is the colored circle around the dark pupil of your eye. Each eye has a unique iris. To use iris scanning a specialized camera is required. In the past that meant iris scanning was too expensive for most networks and was, it was thought, more suited to access control than to authentication on the network. Like most other devices, iris-scanning cameras are no longer just for high security situations. Still, the cost is twice that of other biometric devices. A good iris-scanning camera costs about $300, while fingerprint scanning devices are available for less than $100.

StrikeforceTechnologies Inc., www.strikeforcetech.com, a Panasonic iris scanning camera dealer and integrator, provided the camera and software for this review. The camera is small (about the size of a pack of cigarettes) and comes with its own stand. Setting the camera on top of the monitor and tilting it helps to line it up with your eyes and obtain the best capture.

Installation and Registration
Unlike some of the other products tested, this one comes with a small insert that provides all of the information necessary to get up and running. I was reminded of the instructions I got with my two-line, fancy-smantz answering machine/telephone combo last week. (Funny, the iris-scanning camera works, and the phone doesn't, but that may say more about which technology I have more interest in.) It is, however, extraordinarily easy to lock yourself out of your computer if you're not the kind to follow instructions. If you install all the software before the camera, the game is over.

The proper process requires that you install the camera between the installation of the two software products. So first I loaded the Private ID software. This controls the camera. After I rebooted and plugged in the camera, I tested its functioning using the provided utilities. This is not a bad idea, because installing the authentication control software (SecureSuite) on a system with a malfunctioning camera would be another way to lock yourself out. To test system operation, you run a utility that tests the video functions, illumination system and alignment, and that can perform an iris capture. You can also use these utilities for user practice.

Next, during the install of the SecureSuite software (this configures authentication) I was prompted to create a user account to administer the suite. Interestingly I could not pick the built-in Administrator account, nor could I later make that account a SecureSuite administrator. What's more, after product installation I couldn't use the built-in administrator account to login. Fortunately the new account identified as the SecureSuite administrator was given membership in the local Administrators group.

After logging on as the SecureSuite Administrator, I opened the SecureSuite user manager. This utility allowed me to add Windows 2000 users and select an authentication method for them. In my case, only password and iris were available. If I had also installed a smart card reader, that would also have been a choice. Each choice must be configured. Password entry is, well, password entry—you type it and then type it again for confirmation. A wizard is provided to help the recording of iris information. It turns on the camera and waits for the user to line up his eye with the lens. Once this is accomplished, a small orange circle of light just inside the lens turns green and a sound like a camera click can be heard. The user does not need to touch the camera. Four good shots are needed in order to create a template (see Figure 4). Once both methods are complete you can either require password and iris scanning, one or the other, or insist on a single method. When only iris scanning is used, the user password is changed every time the user authenticates. Knowing a password will not allow access to the system.

Figure 4. Capturing iris scans to authenticate a user.

My enrollment process was, I understand, typical for a new user. At first I had trouble lining up my eye with the camera—it won't snap the picture until you're properly aligned. Next, I managed to get four shots, but SecureSuite thought they were a little bit borderline and wouldn't record them. Finally, I managed to obtain a good set. After logging off, I used the three finger salute and was given the SecureSuite logon window. Again, it took some false steps to manage logon as well. A short practice time made my attempts more polished and more successful.

Additional Information
www.biometrics.org—Information as well as multiple links to research, government requirements, standards progress, vendors and general information.

http://www.computer.org/itpro/homepage/Jan_Feb/security3.htm—IEEE Computer Society, "A Practical Guide to Biometric Security Technology" includes a useful comparison of biometrics product types over ease of use, error incidence, accuracy, cost, user acceptance, required security level and long term stability.

http://www.cesg.gov.uk/technology/biometrics/media/Biometrics%20Advice.pdf—"Advice on the Selection of Biometric Products"

http://www.sciam.com/1999/1299issue/1299techbus5.html—"Seen Before—To guard against terrorism the Pentagon looks to image recognition technology," an interesting article on the use of biometrics for covert activity.

http://www.biometricgroup.com/—Site of International Biometric Group, a consulting and integration firm with much practical information and reports.

Best Practices and Issues
This product moves iris-scanning into a viable product for many businesses. However, to enforce policy, and provide better security for the network, you should either remove the use of a password or ensure that users must use both iris scanning and a password to access any station. In the former case you'll lose the use of RunAs; in the latter you may find more problems with user acceptance.
