Fingerprint readers prove reliable at log-in

Biometric vendors are doing their best to supplant password security, but GCN Lab tests indicate they're not quite ready yet. Some developers of biometric products have continued to improve already good products, but others need to go back to the drawing board.Bad biometric security is worse than none at all because it can lock out a legitimate user, admit an interloper or'perhaps most dangerous'lull a network administrator into a false sense of safety.For this review we examined six fingerprint recognition devices and one voice recognition device. Facial recognition devices and iris scanners, which employ entirely different techniques, will be reviewed in the April 29 issue.Fingerprint devices fall into two categories: mice with embedded sensors and standalone units. Because mice play a dual role'desktop navigation as well as network authentication'they could make standalone fingerprint devices obsolete. That's why several vendors are starting to bundle fingerprint recognition devices with smart cards or some other security token.Fingerprint technology is improving mostly because vendors are now focusing on developing their strongest products instead of stretching their resources between software and hardware.These business factors, plus the world's heightened emphasis on security, are the reasons fingerprint biometric technology is maturing fast. It can make a respectable substitute for passwords or serve as a password complement, though it still needs improvement.Caution: An administrator cannot deploy large numbers of any of these fingerprint devices without third-party administrative software. The software that comes with the devices is satisfactory only for individual client PCs.Over the last three years, the lab has encountered almost every imaginable pitfall in fingerprint biometric products. It sometimes seems that I've enrolled and re-enrolled my thumb at least a million times.This year, to test the efficiency of multiple biometric products on the same client system, we used the Saf 2000 software suite from SafLink Corp. of Bellevue, Wash. Pronounced 'safe' and priced at $49.95 per client, Saf 2000 lets the administrator manage multiple biometric devices on a network.I created four accounts on a 1-GHz Pentium 4 PC running Microsoft Windows 2000. With the easy-to-use Saf 2000 administrative software, I enrolled a different trait for each account. software from Lernout & Hauspie Speech Products USA Inc. came bundled with the SafLink suite and was by far the weakest link in this review.It was so sensitive to ambient sounds that it sometimes wouldn't let me log in if the air conditioning wasn't on and had been during enrollment.I had to enroll three times before the software was satisfied with its template of my voice. Each enrollment required speaking the phrase 'My voice is my password' three times, just like in the movie 'Sneakers.' So I had to say the phrase nine times to get a good template.The software made an X-Y graph of my speech patterns, pronunciation and speed. It calculated a mean of these points and converted the pattern into a template for identification.Even so, it couldn't recognize me when I had a cold or spoke too quickly or slowly. Although the software was user-friendly, it demanded perfect conditions and lots of patience, just as facial recognition does.Every biometric device forces a user to standardize the entry of the trait that is being recognized. After a time, logging in on the device becomes second nature, like typing a familiar password. But although I've tested voice recognition in the past and used it intensively for a month for this review, I still dreaded logging in each morning.Most of Lernout & Hauspie has been acquired by ScanSoft Inc. of Peabody, Mass., and the remaining portion is having financial difficulties. Neither L&H nor ScanSoft any longer supports the speech verification software in the SafLink bundle, which SafLink originally licensed from L&H.The from SecuGen Corp. of Milpitas, Calif., also came bundled with the Saf 2000 software. It was the only biometric mouse in the review that connected to the test PC via a combined parallel port and PS/2 cable. SecuGen does sell other mice that connect to a Universal Serial Bus port.The $119 parallel-port model used a track and ball, not optical tracking, but it had a fast, embedded optical chip for fingerprint recognition. The optical sensor, which recorded a thumbprint only, was located at the left side of the device. To enroll other prints, the user would have to pick up the mouse.SecuGen curved the top of the mouse leftward to make placing the thumbprint more natural. That would inconvenience left-handed users.Despite these minor design flaws, the SecuGen mouse did its job well. It never failed at log-in, and I could not get around its security.Like the SecuGen mouse, the ergonomic U-Match Mouse from BioLink Technologies International Inc. used an optical sensor to pick up fingerprints.Because the U-Match mouse was larger than the SecuGen, as well as ergonomically shaped, the fingerprint plate at the left side was clumsier to use.The most notable improvements that BioLink has added since our last review [] were USB connectivity and a scroll wheel. Also, the oxidation and erosion of paint by finger moisture we observed when we last reviewed the U-Match were no longer a problem.We wish the U-Match were optical instead of track and ball; optical innards don't require cleaning and operate more smoothly. But the U-Match seemed too bulky and heavy to glide smoothly even if it were optical.In contrast, the from Siemens AG used a small, more sophisticated silicon chip to identify fingerprints.It was the only optical laser mouse in the review, and it cost $119. For those reasons plus a USB connection, our Reviewer's Choice plus Bang for the Buck designations went to the ID Mouse.Siemens smartly placed the ambidextrous fingerprint sensor at the center of the device so that a user could enroll any finger comfortably.The Microsoft Windows XP operating system has been out for more than six months, and you'd think every biometric product would now be XP-compatible. But only two of our fingerprint devices had drivers for XP when we started reviewing biometric devices in February.Only one of those products had XP-compatible software and was XP-certified: the $130 fingerprint reader with BioLogon 3 software from Identix Inc. These products were also the easiest to set up and use.The BioTouch USB reader with BioLogon 3 connected at least a minute faster than serial-port devices, which sometimes required rebooting twice. BioTouch installation took just one reboot.Because the BioTouch USB had an optical sensor for fingerprints, it was bulkier than a silicon chip device. It also had an awkward arrangement for placing a finger on the optical sensor, which recorded the minutiae points of a fingerprint. The BioLogon 3 software converted that data into a log-in algorithm, stored on a server or desktop PC.Users wary of identity theft are increasingly reluctant to put a fingerprint credential on a networked system that could be hacked. Sony Electronics Inc. and a Swedish company, Precise Biometrics, have an answer for these wary users.Their fingerprint recognition devices keep the print data in the devices themselves, not on a server or PC, and they have added token security that is becoming important to federal public-key infrastructure efforts.Last year we looked at Precise Biometrics' 100 SC. This year, the new USB-connected surpassed our expectations, earning a Reviewer's Choice designation. The Precise 100 MC received an A- grade for better speed and ease of use in a streamlined hardware design. The 100 MC design abandoned the SC line's silicon sensor, from Veridicom Inc. of Sunnyvale, Calif., in favor of a smaller chip from AuthenTec Inc. of Melbourne, Fla.Another improvement to the $200 Precise 100 MC was the addition of a $10 smart-card token with an 8-MHz miniprocessor running Java.Although XP drivers are ready for the MC, the suite isn't yet XP-compatible. Sony Electronics focused on hardware with the . Known for sleek designs, Sony did a good job of making this $200 USB unit light and easy to handle.The Puppy, which performs the functions of both fingerprint reader and smart card, is far smaller and thinner than the Precise 100 MC. Sony manufactured the silicon chip, which performed in our tests perhaps a tenth of a second faster than the speedy 100 MC. It also seemed more durable thanks to a metal sensor cover that retracted when a finger slid onto the chip.The Secure Suite software bundled with the Puppy was easier to install and set up than the Precise suite.