Information Security News mailing list archives

Biometric Security Not Ready to Replace Passwords


From: InfoSec News <isn () c4i org>
Date: Mon, 6 May 2002 02:27:15 -0500 (CDT)

http://www.newsbytes.com/news/02/176325.html

By Carlos A Soto, Government Computer News
WASHINGTON, D.C., U.S.A.,
02 May 2002, 2:05 PM CST
 
Biometrics vendors are doing their best to supplant passwords as the
chief form of computer security, but Government Computer News Lab
tests indicate that many of their products are not quite ready. Some
developers have continued to improve already good devices, but others
need to go back to the drawing board.

Bad biometric security is worse than no security at all because it can
lock out a legitimate user, admit an interloper or - perhaps most
dangerous - lull a network administrator into a false sense of safety.
 
For this review we examined six fingerprint-recognition devices and
one voice-recognition device. A word of caution: An administrator
cannot deploy large numbers of any of those fingerprint devices
without third-party administrative software.

This year, to test the efficiency of multiple biometrics products on
the same computer system, we used the Saf 2000 software suite from
SafLink Corp. of Bellevue, Wash. Saf 2000, priced at $49.95 per
client, lets the administrator manage multiple biometric devices on a
network.

I created four accounts on a 1-gigahertz Pentium 4 PC running
Microsoft Windows 2000. With the easy-to-use Saf 2000 administrative
software, I enrolled a different trait for each account.

L&H Speech Verification software from Lernout & Hauspie Speech
Products USA Inc. came bundled with the SafLink suite and was by far
the weakest link in this review. It was so sensitive to ambient sounds
that it sometimes wouldn't let me log in if the air conditioning
wasn't on as it had been during enrollment.

I had to enroll three times before the software was satisfied with its
template of my voice. Each enrollment required saying "my voice is my
password" three times, as in the movie "Sneakers." So I had to say the
phrase nine times to get a good template.

The software made an X-Y graph of my speech patterns, pronunciation
and speed. It calculated a mean of these points and converted the
pattern into a template for identification.

Even so, it couldn't recognize me when I had a cold or spoke too
quickly or slowly. Although the software was user-friendly, it
demanded perfect conditions and lots of patience, just as face
recognition does.

Every biometric device forces a user to standardize the entry of the
trait that is being recognized. After a time, logging in on the device
becomes second nature, like typing a familiar password. But although
I've tested voice recognition in the past and used it intensively for
a month for this review, I still dreaded logging in each morning.

Most of Lernout & Hauspie has been acquired by ScanSoft Inc. of
Peabody, Mass., and what remains is having financial difficulties.  
Neither L&H nor ScanSoft any longer supports the speech-verification
software in the SafLink bundle, which SafLink originally licensed from
L&H.

The SecuGen Mouse from SecuGen Corp. of Milpitas, Calif., also came
bundled with the Saf 2000 software. It was the only biometric mouse in
the review that connected to the test PC via a combined parallel port
and PS/2 cable. SecuGen sells other mice that connect to a
universal-serial-bus port.

The $119 parallel-port model used a track and ball, not optical
tracking, but it had a fast, embedded optical chip for fingerprint
recognition. The optical sensor, which recorded a thumbprint only, was
on the left side of the device. To enroll other prints, the user would
have to pick up the mouse.

SecuGen curved the top of the mouse leftward to make placing the
thumbprint more natural. That would inconvenience left-handed users.

Despite those minor design flaws, the SecuGen mouse did its job well.  
It never failed at log-in, and I could not get around its security.

Like the SecuGen mouse, the ergonomic U-Match Mouse from BioLink
Technologies International Inc. used an optical sensor to pick up
fingerprints.

Because the U-Match mouse was larger than the SecuGen, as well as
ergonomically shaped, the fingerprint plate at the left side was
clumsier to use.

The U-Match had USB connectivity and a scroll wheel. Also, the
oxidation and erosion of paint by finger moisture we observed when we
reviewed the U-Match a year ago were no longer a problem.

We wish the U-Match were optical instead of track and ball; optical
innards don't require cleaning and operate more smoothly. But the
U-Match seemed too bulky and heavy to glide smoothly even if it were
optical.

The ID Mouse from Siemens AG used a small, more sophisticated silicon
chip to identify fingerprints.

It was the only optical laser mouse in the review, and it cost $119.  
For those reasons, and its USB connection, our Reviewer's Choice and
Bang for the Buck designations went to the ID Mouse.

Siemens smartly placed the ambidextrous fingerprint sensor at the
center of the device so that a user could enroll any finger
comfortably.

The Microsoft Windows XP operating system has been out for more than
six months, and you'd think every biometric product would now be
XP-compatible. But only two of our fingerprint devices had drivers for
XP when we started reviewing biometric devices in February.

Only one of those products had XP-compatible software and was
XP-certified: the $130 DFR-200 BioTouch USB fingerprint reader with
BioLogon 3 software from Identix Inc. These products were also the
easiest to set up and use.

The BioTouch USB reader with BioLogon 3 connected at least a minute
faster than serial-port devices, which sometimes required rebooting
twice. BioTouch installation took just one reboot.

Because the BioTouch USB had an optical sensor for fingerprints, it
was bulkier than a silicon-chip device. It also had an awkward
arrangement for placing a finger on the optical sensor. The BioLogon 3
software converted that data into a log-in algorithm, stored on a
server or desktop PC.

Users wary of identity theft are increasingly reluctant to put a
fingerprint credential on a networked system that could be hacked.  
Sony Electronics Inc. and a Swedish company, Precise Biometrics, have
an answer.

Their fingerprint-recognition devices keep the print data in the
devices themselves, not on a server or PC, and they have added other
security enhancements. Last year we looked at Precise Biometrics's 100
SC. This year, the new USB-connected Precise 100 MC surpassed our
expectations, earning a Reviewer's Choice designation.

The Precise 100 MC received an A-minus grade for better speed and ease
of use in a streamlined hardware design. The 100 MC design abandoned
the SC line's silicon sensor, from Veridicom Inc. of Sunnyvale,
Calif., in favor of a smaller chip from AuthenTec Inc. of Melbourne,
Fla.

Another improvement to the $200 Precise 100 MC was the addition of a
$10 smart-card token with an 8-MHz mini-processor running Java.

Although XP drivers are ready for the MC, the suite isn't yet
XP-compatible.

Sony Electronics focused on hardware with the FIU-710 Puppy. Known for
sleek designs, Sony did a good job of making the $200 USB unit light
and easy to handle.

The Puppy, which performs the functions of fingerprint reader and
smart card, is far smaller and thinner than the Precise 100 MC. Sony
manufactured the silicon chip, which performed in our tests perhaps a
tenth of a second faster than the speedy 100 MC. It also seemed more
durable thanks to a metal sensor cover that retracted when a finger
slid onto the chip.

The Secure Suite software bundled with the Puppy was easier to install
and set up than the Precise suite.



-
ISN is currently hosted by Attrition.org
