Biometrics gets better but still needs some work

The biometrics market is maturing past its once-flimsy hardware and confusing software.Two biometrics roundups ago, the GCN Lab could consistently fool a vocal-facial biometric duo by making animal noises at log-in.This time, however, each of the six biometrics products we tested could do its job. Our hacking efforts and animal impersonations failed to break into any of the secured systems.There's still plenty of room for improvement, however. Some biometrics programs are less user-friendly than they should be, particularly when installed under newer operating systems. Microsoft Windows XP, for instance, produced some software conflicts.[IMGCAP(2)]We reviewed four of the six products with the Saf2000 software tool from SafLink Corp. of Bellevue, Wash. It could run multiple biometrics products under one graphical identification and authorization (GINA) interface. Priced at around $50 per client, Saf2000 was easy to install on a Pentium III test PC with 256M of RAM.Because biometrics devices are only as strong as their operating system, we installed and tested each product in both Windows 2000 and XP environments.Price and ease of setup were factors in determining the overall grades. But we gave more weight to reliability, security and logical interfaces. If biometrics software gets too complicated, the administrator can easily make installation errors that render the safeguard useless while conveying a false sense of security.We recommend agencies adopt biometrics not to replace passwords but rather to complement them. Most biometrics programs by default will admit users based on recognition alone. That's like keeping the car doors locked but the windows open.We suggest reversing such defaults and requiring users to type in passwords, especially where networks store sensitive data.The most secure method we tested this year was iris authentication using the Panasonic Authenticam combined with Iridian Private ID iris-scanning software and KnoWho verification software.An iris forms before birth in a random process called chaotic morphogenesis. No two irises form identically, even on the same person. That should make iris identification quite difficult to circumvent, and to our knowledge it hasn't been done yet.The main drawbacks are the slowness of recording iris patterns and the intrusiveness of the enrollment process.By partnering with Panasonic, Iridian could devote all its engineering resources to improving the software instead of developing both hardware and software. The result this year was easier software setup and a less intrusive interface.Three years ago, it often took us several unblinking seconds'sometimes as much as a half-hour of attempts'to enroll a user successfully.This year we could speed volunteers in and out in a few seconds. Logging in was merely a matter of adjusting the distance between eye and camera.The price for the Panasonic Authenticam meanwhile has dropped as low as $99 online, with the average price around $219.Under Saf2000 and Windows 2000, Iridian's Private ID and KnoWho worked well and installed easily. But compatibility with Windows XP was another story.[IMGCAP(3)]We could not locate downloadable XP updates or patches on Iridian's Web site. Despite several attempts, we never made the software work properly under XP.Nevertheless, the Authenticam coupled with Iridian's software merited a Reviewer's Choice designation and an A grade for robust protection. Licensing costs the same as last year: $25 to $75 per seat depending on infrastructure.Although iris authentication is virtually impregnable, it theoretically could be hacked if, say, a terrorist killed an authorized user and removed an eyeball to present to the camera. But the iris decays rapidly after death, so the eye would have to be used within seconds.Despite our curiosity, we couldn't find a volunteer for such a test.Partly because of the possibility of removing or replicating body parts, two technologies have developed in fingerprint biometrics.Some fingerprint devices have silicon chips, others have optical sensors. Both types use algorithms to compare a fingerprint scan against stored characteristics called minutiae, but silicon chips have the additional ability to register heat, electrical impulses and blood flow.That would make it harder to fool a silicon-chip device, for example, by presenting a replica of an authorized person's finger. Also, silicon readers can integrate smart cards for extra security.That's the case with the Precise 100 MC from Precise Biometrics Inc., which received a Reviewer's Choice designation and an A- grade for easy setup, high security and smart-card integration.The Precise 100 MC stores and matches a user's fingerprint on the smart card instead of a separate computer. That improves durability because smart cards are far more rugged than fingerprint readers. Also, the data is less hackable on a smart card than it would be on a PC and is further secured by encryption.A Precise smart card works in any 100 MC device, so enterprise installation would be easy and relatively inexpensive. The 100 MC costs about $200 per unit and the smart cards about $10 each.Although Precise has stopped developing the software for its devices, we had no problems using Saf2000. But Saf2000 did not support the two optical sensors we tested. We installed them under Windows 2000 and XP using their own proprietary software.[IMGCAP(4)]The DFR-200 BioTouch USB from Identix Public Sector Inc. has been called the Rolls-Royce of optical fingerprint readers. Its GINA software installation wasn't as intuitive as that of the Digital Persona immediately below, but it came close. The BioTouch was considerably easier to use than the Digital Persona because weight and bulk kept it in place during use. Digital Persona's U.are.U Pro and U.are.U 4000 sensor had the most effortless setup in the review. All we had to do was install the software and plug the device into a Universal Serial Bus port.Changes to the GINA software also made it easier to log in than with many other programs, including Saf2000. Moments after placing a finger, we were logged in. The only problem was that the U.are.U was less bulky than the Identix optical reader and a lot less ergonomic. The sensor placement area was too large for fingers, which could easily miss the target. A thumb proved more accurate.Average Web price was $77, making U.are.U an economical alternative to silicon-chip readers.Silicon-chip readers tend to be more expensive enterprisewide and to fail sooner than optical scanners. Both drawbacks were present in the Sony FIU-710, better known as the Puppy.The Puppy had the sleekest form factor plus a carrying case ideal for travelers. But unlike the 100 MC, the Puppy did its own processing and storage. Losing or breaking the device would mean losing not only $200 but also the user's enrollment data. In contrast, a 100 MC user would still have credentials stored on the smart card and could log in with another device. Losing the card would require re-enrollment, but replacing it would cost $10.Sony's design was smooth, and the Puppy was easy to install and use under both OSes.To see photos from the biometrics tests, go to gcn.com and type 113 in the GCN.com/search box.