Put Your Finger on Proper Security
A roundup of five biometric products that go the extra security mile—for when passwords alone aren't enough.
- By Roberta Bragg
- August 01, 2004
Many defensive security technologies are linked to two simple factors: physical access and the ability to authenticate. If you can keep a potential intruder from doing both of these, assuming anonymous access is also locked down, your systems will be reasonably secure. Even if a hacker has physical possession of your computer, if he can't authenticate, his job becomes that much more difficult.
But what if the hacker learns your account password? Game over, right? Not quite: Biometric devices such as fingerprint readers can protect you, but it's not as simple as plugging them in. To integrate biometrics with Active Directory takes planning, testing and a managed deployment, and not all products are ready. On the other hand, many manufacturers provide fingerprint scanners and basic software for the single user. The following reviews provide an introduction to both.
BioNet Systems Biopassword
BioNet Systems' Biopassword is an elegant software-only biometric solution that can help harden authentication on Windows systems. Once installed, users register their personal typing style by repeatedly entering a user ID and an administrator-selected password. A template records the specific rhythm and touch, which is used to verify the user's identity at next logon. Research on keystroke dynamics—the study of individual typing patterns—shows that an individual's typing style is unique. That means that even if someone knows your password, they won't be able to authenticate as you, BioNet claims.
I installed Biopassword 4.07 on a Windows Server 2003 domain controller. Registration is time-consuming but not difficult. By default, Biopassword requires 15 logons. You can change this number, but the fewer logons collected, the easier it is to obtain a false acceptance, meaning someone is able to log on as you. The opposite is also true: The more examples of a user's typing style you collect, the harder it is for an attacker to duplicate that style. Collecting more samples also reduces the chances of a false rejection—where the biometrics program claims you're not you. Whatever your decision, be sure to provide ample warning and training for users, and have help available for the more sensitive end-users.
Along with the number of typing samples required for registration, you can adjust the following settings:
- Classification: Rejects weak typing sample captures. This makes the template better, but may require the user to enter more logons during registration.
- List of users enrolled: A user can be deleted and allowed to re-enroll. This is useful should users have some physical injury that causes them to modify their typing style.
- Use of authentication can be enabled or disabled.
- A list of workstations can be displayed, allowing you to change whether authentication is required. Domain members will be displayed by default.
- Domain access protection can be enabled as shown in Figure 1. When enabled, only domain computers with Biopassword installed can access domain resources—useful for preventing rogue computers from connecting to domain resources.
Figure 1. Biopassword enables administrators to fine-tune access methods, such as excluding certain computers from biometric authentication requirements.
In my tests, logon worked as documented. I could keep that post-it note with my password on the monitor, but as long as I logged off, no one could log on as me. Similarly, I couldn't log on if I purposefully changed my typing style.
This software looks too good to be true—an answer to crackable passwords and the age-old issue of users keeping written passwords in plain view. It has a number of compelling capabilities, but like any security mechanism, it has its share of concerns:
- Suitability: In a large environment, Biopassword may be cumbersome to implement and maintain. My tests were in a single domain, Windows Server 2003, AD environment with only a few clients and users. The software felt like a Windows NT 4.0 application operating in an AD environment. Plus, you must install Biopassword on all DCs and on all servers. Focus your tests on working with multiple domains before rolling the tool out in a larger environment.
- Extendibility: Although I didn't test it, an SDK is available. If you require a customizable environment for improving security, Biopassword may fit. The technology has been licensed by some online services to provide Web-based biometric authentication without requiring users to obtain special biometric devices.
- Hardening the client share: The installation provides a shared folder from which the client software can be installed. By default the share permissions are Everyone Full Control, which of course is too broad. Folder permissions do restrict this access, but you may want to set better controls at the share level. Don't forget to remove the share if you'll be deploying the client via scripts, AD or other means.
- Hardening Runas: The Runas interface isn't modified. A valid domain user who hasn't registered can access resources using the Runas command and his password, so it's still not wise to weaken password controls. Requiring strong passwords, and keeping them secret, is still a good practice. You may also disable Runas to prevent its misuse.
- Containment: I tested an earlier version of Biopassword in 2002. In that version, there was nothing to prevent a user sitting at a workstation, or a domain member computer that didn't have Biopassword installed, from logging on using a valid user ID and password. In other words, there was no way to enforce the use of biometrics only. From my tests, and according to Biopassword documentation, that still appears to be the case.
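The registration and verification mechanism described above, as an added, simplified illustration (not BioNet's code or algorithm): a template is built from the inter-key timings of repeated entries of one password, and sweeping the acceptance threshold shows how false acceptance trades against false rejection. The typists, their rhythms and the z-score matcher are constructed assumptions; the same trade-off governs the false accept rate setting of the fingerprint products later in this article.

```python
"""Keystroke-dynamics enrollment and verification, simplified.

A template holds the mean and spread of each inter-key interval over
repeated entries of one password; a logon sample is accepted when its
deviation from the template stays under a threshold. Sweeping that
threshold exposes the false-accept / false-reject trade-off.
Illustration only (not BioNet's algorithm); every typist is constructed.
"""
import random
import statistics

Sample = list[float]                   # inter-key intervals in seconds
Template = list[tuple[float, float]]   # (mean, standard deviation) per interval


def build_template(samples: list[Sample], sd_floor: float = 0.01) -> Template:
    """Per-interval mean and spread; sd_floor stops a run of near-identical
    timings from making the template impossibly strict."""
    if len(samples) < 2:
        raise ValueError("need at least two enrollment samples")
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all samples must cover the same keystrokes")
    template = []
    for i in range(n):
        col = [s[i] for s in samples]
        template.append((statistics.fmean(col), max(statistics.pstdev(col), sd_floor)))
    return template


def distance(template: Template, sample: Sample) -> float:
    """Mean absolute z-score of a sample against the template."""
    return statistics.fmean(abs(t - m) / sd for (m, sd), t in zip(template, sample))


def verify(template: Template, sample: Sample, threshold: float) -> bool:
    """Accept when the typing rhythm is close enough to the enrolled rhythm."""
    return distance(template, sample) <= threshold


def enroll(samples: list[Sample], reject_above: float = 2.5) -> Template:
    """Two-pass enrollment: discard captures that deviate sharply from the
    rest (the review's 'Classification' setting), then rebuild."""
    draft = build_template(samples)
    kept = [s for s in samples if distance(draft, s) <= reject_above]
    return build_template(kept if len(kept) >= 2 else samples)


def typist(rhythm: list[float], jitter: float, rng: random.Random):
    """Constructed typist: a personal rhythm plus per-keystroke noise."""
    return lambda: [max(0.02, rng.gauss(m, jitter)) for m in rhythm]


def error_rates(threshold: float, n_enroll: int = 15, trials: int = 400, seed: int = 7):
    """Estimate (false_accept_rate, false_reject_rate) at one threshold.

    Owner and impostor type the same password; only the rhythm differs,
    which is the case the review is about (the password is already known)."""
    rng = random.Random(seed)
    owner = typist([0.12, 0.25, 0.09, 0.30, 0.15, 0.11, 0.22, 0.18], 0.03, rng)
    impostor = typist([0.20, 0.14, 0.18, 0.12, 0.26, 0.20, 0.10, 0.24], 0.03, rng)
    template = enroll([owner() for _ in range(n_enroll)])
    false_accepts = sum(verify(template, impostor(), threshold) for _ in range(trials))
    false_rejects = sum(not verify(template, owner(), threshold) for _ in range(trials))
    return false_accepts / trials, false_rejects / trials


if __name__ == "__main__":
    for t in (0.5, 1.0, 1.5, 2.0, 3.0, 6.0):
        far, frr = error_rates(t)
        print(f"threshold {t:.1f}: FAR {far:.3f}  FRR {frr:.3f}")
```

Lowering `n_enroll` or raising the typists' jitter lets you see how template quality, not just the threshold, moves both error rates.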
DigitalPersona Pro for Active Directory and the U.are.U Fingerprint Sensor
Those looking for an AD-based biometric solution may want to take a peek at DigitalPersona Pro for Active Directory, which requires extending the AD schema and provides Group Policy-based Administration Tools. A separate workstation product provides client-side support. Tying it all together is the Digital Persona U.are.U fingerprint sensor, which gives a registered user one-touch logon, access to Web sites requiring logon, and file encryption and decryption.
I tested DigitalPersona Pro for AD 3.0.1 and the U.are.U Pro 3.0 Workstation Software in a single Windows Server 2003 domain.
Installation is straightforward and direct—a breeze for anyone who understands AD basics. If you've installed Microsoft Exchange Server, DigitalPersona's installation process is similar.
Likewise, administration is easy and familiar. Instead of adding a new administration console, U.are.U provides an administrative template that can be added to a Group Policy Object (GPO) for the domain or Organizational Unit (OU) in the normal manner. In addition, administration for clients such as Windows 98 and Windows NT 4.0 can be managed through Systems Policy. Figure 2 shows the GPO template additions.
Figure 2. The Group Policy Object Editor can fine-tune biometric configuration.
In my test, I created a special OU for workstations that requires fingerprint authentication. This allowed me to dictate different levels of sensitivity within the same domain. For example, one of the configuration choices, Multi-credential logon to Windows, defines what type of authentication will be required:
- Fingerprint only
- Password only
- Fingerprint or password
- Fingerprint and password
Requiring multi-factor authentication is an excellent way of hardening systems and preventing compromise, because it's difficult for an attacker to obtain both factors, but it isn't needed in all environments. Remember that every additional security step you put users through takes time. You'll have to weigh that against your requirements to lock down systems.
Another primary use of different GPOs is to support cached credentials. Caching credentials on the workstation is more risky than not caching them. But when credentials aren't cached, and the workstation can't connect to the domain, the user can't authenticate. Not caching credentials is great when a stronger level of security is required, but disastrous for laptop-toting road warriors. Fortunately, laptops can be put in a separate OU that specifically allows cached credentials.
Other administration choices include:
- False Accept Rate Used in Fingerprint Match: Every biometric system produces both false positives (measured as the false accept rate) and false negatives (false rejections). One of your jobs will be to tune this setting until the rate is acceptable for your environment.
- Maximum Size of Identification List: The number of users who can use biometrics from the same workstation.
- Maximum number of fingerprints: The more fingers you register, the longer authentication may take and the higher the possibility of false acceptance. U.are.U recommends two fingers, one on each hand. This way an injury to one hand won't prevent logon. (Even a slight injury, such as scratches on fingers, may impact logon.)
- Log Events: You can log U.are.U events in the Windows Security log, as long as auditing is enabled.
- Use Remote Authentication Server: A computer can be configured to authenticate using credentials stored in the local U.are.U database.
- Network Start Timeout: The maximum amount of time a workstation will wait for an IP address assignment from the network.
Workstation Installation and Configuration
A separate program, the workstation software, must be installed on every computer that will use fingerprint biometrics for authentication. Installation is quick, and the documentation shows how to deploy the software with AD.
First-time users must log on with their password and register by picking a finger and touching the sensor. Once four good images are set, the user continues with other fingers—as many as policy dictates. A small utility allows users to manage credentials (such as delete and register fingers), configure workstation properties, configure quick access to Web sites that require logon (by simply touching the sensor) and encrypt files.
Make no mistake, this program isn't for techno wimps. You need a firm grasp of AD and biometrics. If you don't truly understand DigitalPersona Pro, you may provide a false sense of security. You must follow the instructions, and do follow-up. If, for example, the DNS SRV records don't get registered, clients can't find the server and instead register locally. If you adjust the false acceptance parameters incorrectly, you make it easy for attackers to break in. If you don't prepare users and have the required hardware available, you could end up in the unemployment line. Finally, with the range of possible configurations, you'll need to determine your biometrics security policy before the install. Make sure the policy is appropriate for your organization—and that you can implement it. Preventing laptop users from caching credentials on the local workstation, for example, isn't likely to be a career-enhancing move.
Be aware that the Runas service isn't protected by fingerprint authentication; it requires only a password. If you want to lock down authentication and require the use of fingerprints, disable the Runas service.
Understand also that file encryption using the one-touch system doesn't add protection to the Microsoft Encrypting File System. Using your fingerprint to encrypt a file is a DigitalPersona process. It's easy and it works, but if you save a decrypted file back to disk, it won't be encrypted again by default. You're going to have to provide users with instructions to safeguard their files.
I don't know enough about the algorithms used for DigitalPersona's file encryption to judge what other protections may be required. Are data shreds left on the disk in plain text when the file is encrypted? Should you also clear the page file when rebooting? You may want to spend some time here determining whether DigitalPersona encryption is a viable approach for your organization. Should you decide to ban its use, you can prevent this feature from being installed, or remove it later.
Targus DEFCON Authenticator
Targus DEFCON Authenticator is a small, plastic device with a capacitance sensor for fingerprint authentication. It connects via a USB cable to PCs running Windows 98, ME, 2000 or XP Professional with a Pentium or higher processor.
A copy of OmniPass software from Softex comes with the model PA460 device I tested. No AD or other domain integration software was provided. An enterprise product, integrated with the AD edition of OmniPass, should be out soon.
I tested the device on a non-IBM system. After installing the Authenticator and rebooting, I logged on with my password and up popped the "Using Your FingerPrint Sensor Software" screen, part of the Softex OmniPass password vault software. When the software is configured correctly, you can use a single password to access multiple applications and Web pages that require unique accounts and passwords.
OmniPass stores account identification data and passwords in a special "vault," which is accessible only via the master password. This master password can be the Windows logon, or you can register a fingerprint scan instead. A useful companion utility, Weblink, allows you to store logon information for Web sites that require authentication. When you browse to the site logon page, the OmniPass popup allows you to enter the master password or place your finger on the sensor.
Registration with DEFCON Authenticator was difficult. It took time to place my finger so the software and sensor would recognize it. OmniPass has a management utility, accessible from the task bar and programs menu, that enables you to add other users, require a separate logon to OmniPass and access the password vault. A note in the accompanying PDF file insinuated the software could be used for OS logon, but no instructions were included and I never found the missing information.
Adding passwords, on the other hand, is simple. Open the application, or go to the vendor's Web logon page, right click on the OmniPass key icon on the taskbar and choose "Remember Password." Enter a friendly name for the application along with the appropriate user ID and password. You can decide to enter the master password for logon, or automatically log on from stored credentials.
This tool has a lot going for it. If I want to access Web mail from my PC, I can authenticate with my finger. Even if someone logs on as me, or if I fail to lock my workstation or log off, no one can get to my mail.
Another use is to record the alternative user ID and password needed to map drives. Setting up this account was also easy. After selecting a different account in the mapping drive dialog and entering the proper credentials, OmniPass records the credentials. Afterwards you can map a drive with a read of a finger.
Managing the password is simple. Log on once and store password data in the vault. After that, use the master password or finger to access your sites and applications. After accessing the vault you can remove passwords, or unmask the credentials in case they've been forgotten—a boon for forgetful users. And years later, when you ditch OmniPass, or need access from another machine, OmniPass serves up the long-forgotten credentials. This can also be a problem, however—if someone learns your master password, they've got access to all the family jewels, and there is no way to disable the use of the master password. Using your finger, it seems, is just a convenience.
SecuGen Hamster and Mouse
The SecuGen Hamster is a box-shaped optical fingerprint scanner device that sits in a stand or can be held in your hand. The SecuGen OptiMouse is just what you'd expect—a USB mouse equipped with an optical fingerprint scanner on its left flank. It's easy to use when you register and use your right thumb, but awkward for any other finger.
Once you plug in either device, a diagnostic utility fires up, which helps register your finger and ensure the Hamster is working properly, right down to adjusting the brightness and contrast. It even helps you practice scanning. Figure 3 shows the diagnostics in use.
Figure 3. Some of SecuGen's basic device configuration is handled by simple sliders.
I received a copy of the SecuDesktop software to try with these scanners. SecuDesktop lets you use a finger to authenticate to the Windows desktop, encrypt and decrypt files, and use your finger in place of a password to unlock a screen saver.
The SecuGen SecuManager administration tool lets you view an event log (successful and failed authentication events), switch from a required user ID and fingerprint logon to fingerprint only, and set the configuration of folders for encrypted files.
You can override the fingerprint with either a password or password disk (a disk on which you save your password, created by the software)—just in case a fingerprint scan someday fails. In a domain environment, centralized management might provide the ability to register the user again. But without a domain-based solution, access to the computer could conceivably be lost if not for the password override feature. Also, because only the Top Administrator (the first user registered) can uninstall the software, being able to override authentication rights of long-departed employees may be a lifesaver.
A backup program allows you to back up all authentication information and user templates. This is the first biometrics software to prominently feature a backup program.
SecuDesktop has a lot of benefits. A simple fingerprint secures the operating system logon, screen saver password, and encrypts and decrypts files. You can select a folder in Windows Explorer and set it for encryption; any file copied to or created in the folder will then be secured—after you provide your finger. Therein lies the rub. If you want to work with multiple encrypted files, you're constantly prompted to authenticate. This may be okay with the mouse, but picking up the Hamster all the time is annoying. As a failsafe, you can't uninstall SecuGen until you remove encrypted folders.
Products at a Glance
- Biopassword version 4.07, BioNet Systems LLC; contact company for pricing
- DigitalPersona Pro for AD version 3.01 and U.are.U Pro 3.0
- Targus DEFCON Authenticator model PA460
- SecuGen Hamster III
- Siemens ID Mouse, $119.00 (via reseller)
I'd have enjoyed testing more enterprise-ready software with these devices. While the device and desktop software provide authentication to the domain, nothing is stored in AD and there's no centralized management.
Siemens ID Mouse
Siemens provides a useful workstation suite of software for use with the Siemens ID Mouse or with the Fingertip ID Board (made by Cherry). One unique feature: the OS logon can be used in Verification or Identification mode. Verification mode is the normal mode for most biometric devices. It requires that you enter a user ID, then scan a finger to access the account. Identification, on the other hand, requires no account information. Instead it takes the fingerprint scan and compares it to its database of scans. When it finds a match, you are logged on automatically using the account recorded in the database for the scan. You can set it to require a fingerprint only, or fingerprint and password logon, though Siemens cautions against fingerprint only because a defective sensor will block access.
The software also lets you use a fingerprint scan instead of a screensaver password, and protects Microsoft Office files with the "Save File with Fingerprint" option from the File menu. After naming the file, you're prompted to scan your finger. To open the file, you again scan a finger. Passwords can also be stored for Web application access.
Unlike other products, this one can handle single sign-on, so a single finger scan at logon authenticates the user for access to screen savers, applications, Web sites and files. This may be attractive for environments with little security risk, but go with multiple access scans in high-risk ones.
I liked this fingerprint sensor and software the best for a desktop scenario. The sensor was easy to use, and always got good results.
We would be remiss if we didn't point out that biometric devices of the type discussed in this article have been subject to various types of attack. Earlier this year I wrote about a Japanese scientist's success in mounting a "gummy finger" attack on many scanners. His work has been repeated often by others.
Nearly two years ago a German magazine wrote in some detail about its successful attempts at spoofing fingerprints (www.heise.de/ct/english/02/11/114). The article suggests that breathing on a device might bring back a valid fingerprint from latent images left in fatty residue from fingers. It also suggests you can activate a latent print on a biometric mouse by placing a water-filled plastic bag over the device, and by dusting the device with fingerprint powder and pressing adhesive tape over it. The authors also claim they can lift fingerprints from a water glass or CD using powder and tape and successfully use them with a biometric device.
The authors admit that success with all these methods is intermittent, although some work better than others. I don't have a fingerprint kit, and putting a bag of water on a mouse seemed a little dangerous. I did try blowing on the Siemens device, and was able to see a fingerprint emerging on the screen. Each time, however, my heavy breathing failed to pass the Siemens comparison test. In other words, I couldn't get it to work. I advise conducting your own research into the matter, and be aware that different types of attacks have been successful on different devices.
If you're considering biometrics:
- Do your research. Determine what you want to do and look for hardware and software that fits.
- Don't ignore the warnings about biometric problems. Look for ways products can be compromised. Can you provide other mechanisms and practices that reduce the threat? Can alternative products be used?
- Look closely at the software options. Do they integrate with AD or provide good central management tools?
These are the requirements for a product to be suitable for large implementations. There are many products suitable for the home user or small business; very few are truly designed for the enterprise. Of the products reviewed, only two provided software that might be appropriate for the enterprise: Biopassword and DigitalPersona for AD. The rest are merely fingerprint scanners with workstation software—they're fine in a small business or for personal use, but lack enterprise features.