Biometrics look ready for prime time
- By John Breeden II
- Feb 01, 2006
Technologies improve just in time for HSPD-12 rollouts
You are unique, just like everybody else. At least that's how a good biometric device sees you. The ridges on your fingers, the blood vessels in your eye and even the contours of your hand set you apart from everybody else in the world. And they can act as a credential for accessing facilities or information on a network. Thus the requirement under Homeland Security Presidential Directive-12 that tomorrow's federal Personal Identity Verification cards be designed to hold fingerprint data.
But biometrics have never been quite so simple. Companies in the industry have struggled for years to gain acceptance, as many early devices were cursed with poor accuracy rates, and hackers, using techniques as simple as shining a flashlight onto a sensor where an authorized user had just left a fingerprint, were able to defeat seemingly ironclad security.
And the software behind the scenes also used to fare poorly. It often was difficult to use and offered little real value in securing data that wasn't already achievable through traditional passwords.
Faced with these challenges, and growing government interest in using biometrics to secure buildings and systems, vendors have begun to specialize in either the hardware or software side of biometric applications. This concentration has led to marked improvement in both.
As a result, biometric features, both simple and complex, are starting to permeate IT, from systems that scan the blood patterns in your hand, to simple fingerprint scanners used to secure tiny flash storage drives. Lots of new computing devices, such as the Fujitsu LifeBook p7120D notebook (to be reviewed in a later issue), now come standard with a 15-cm-per-second slide biometric (fingerprint scanner) to help lock down mobile computers.
What we found
Given this rapidly expanding landscape of biometric solutions, the GCN Lab rounded up a variety of different products in more of a survey of current technologies than a comparative review. We tested everything from enterprise software products that integrate an array of biometric readers, to PC add-ons that secure a single system.
We found that the hardware problems that once plagued biometric devices have mostly been eliminated, at least in core technologies like fingerprint scanning. The blending of optical chips, which could sometimes be fooled by hackers, and silicon ones, which are accurate but also more expensive and fragile, has helped make fingerprint readers one of the most popular methods of biometric authentication.
We found that false positives, mistakes by a biometric system that allow an unauthorized user into a facility or network, have been largely eliminated. But false negatives are still a problem, if only a minimal one.
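The review reports results as raw counts, such as "3 rejections out of 100 tries" or "no false positives in 100 authentications". As an added example that is not part of the original article, the script below turns those counts into false rejection rates with 95% confidence bounds (Wilson score interval, plus the rule of three for zero-failure trials), using the trial counts quoted in the product sections; the statistics are standard, and the only page-specific input is the counts.

```python
"""Estimate FRR/FAR from the small trial counts quoted in the review.

Added example; the counts below are copied from the article's product
sections, the interval arithmetic is textbook (Wilson score, rule of three).
"""
import math

# (false rejections, attempts) as reported by the reviewers
FRR_TRIALS = {
    "Recognition Systems FingerKey DX 2000": (3, 100),
    "Upek TCRU1C": (2, 300),
    "Sagem MorphoAccess 221-D": (3, 100),
    "Sony FIU-810 Puppy": (5, 100),
}


def point_rate(failures, attempts):
    """Plain proportion, e.g. 5 rejections in 100 tries -> 0.05."""
    return failures / attempts


def wilson_interval(failures, attempts, z=1.96):
    """95% Wilson score interval for a binomial proportion.

    Unlike the normal approximation it stays inside [0, 1] and gives a
    usable upper bound even when failures == 0.
    """
    n = attempts
    p = failures / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def zero_failure_upper_bound(attempts):
    """Rule of three: 0 failures in n trials means the true rate is
    below roughly 3/n at 95% confidence. 0 false accepts in 100 tries
    therefore only shows FAR < ~3%, not that FAR is negligible."""
    return 3 / attempts


def intervals_overlap(a, b):
    """True when two (low, high) intervals share any value."""
    return a[0] <= b[1] and b[0] <= a[1]


def summarize(trials=FRR_TRIALS):
    """Map each product to (point FRR, 95% low, 95% high)."""
    out = {}
    for name, (fails, n) in trials.items():
        low, high = wilson_interval(fails, n)
        out[name] = (point_rate(fails, n), low, high)
    return out


if __name__ == "__main__":
    for name, (rate, low, high) in summarize().items():
        print(f"{name}: FRR {rate:.1%} (95% CI {low:.1%} to {high:.1%})")
    print(f"0 false accepts in 100 tries: FAR < {zero_failure_upper_bound(100):.0%}")
```

With only 100 attempts, the 3-in-100 and 5-in-100 results have overlapping intervals, so the difference the review points to is within sampling noise.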
Ultimately, we were most impressed with how much enterprise software has improved in allowing users to discover and manage a wide variety of biometric devices. Going forward, the software will play a much more important role in security solutions, as physical and logical access controls merge.
Comnetix Intelliscreen and IntelliServer
Pros: Easy-to-use interface; works with most biometric devices
Cons: Most installations will require custom designed applications
Price: $11,000 per client; $40,000 per server
Performance: A- | GCN Lab Reviewer's Choice
Comnetix is one of those companies that chose to work on the software side of biometrics instead of trying to perfect hardware gadgets. Although it offers several standalone solutions to government customers, the real value of the Comnetix package is that the software will work with any standard biometric device. This could be a real boon for large government agencies where different departments have standardized on different hardware platforms over the years, because it will let disparate systems share and compare data.
To test this point, we set up a Comnetix client and server in the lab. Initially they were attached to a Smiths Heimann Biometrics LITE-Xe scanner commonly used for police booking systems. Later we integrated other scanners and biometric devices into the software without much trouble.
We've had experience with the Smiths Heimann scanner products (not that kind of experience), and while the hardware is top of the line, the user interface can best be described as merely functional. Putting the Comnetix front end over the scanner's original one really raised the scanners' functionality.
The Comnetix software is designed to train users on the proper use of biometric devices. It does this by notifying users not just that something has gone wrong, but why it went wrong.
For example, when rolling someone's fingers across the scanner, a common mistake is to work too quickly and accidentally skip a finger by scanning one twice. The software will alert you when this occurs and tell you exactly what you did wrong. It is able to do this because it first scans an entire hand and then compares each finger you swipe to the overall scan. This ensures, for instance, that the left index fingerprint going into the database is in fact from the left index finger. If someone is missing a finger or has it in a bandage, users can indicate the anomaly in the system just before the scan.
The server side of the Comnetix software can store scans indefinitely and, if your agency has authority, submit scans to the national fingerprint database for quick checks against criminal records. It will even match fingerprints with other data such as mugshots, profiles of suspected persons, or tattoos. It makes it very easy to do advanced activities such as photo lineups based on biometric data collected.
Because it's so effective, the data must be guarded. For this, the Comnetix software performs two major security functions. It first lets you configure each user of the system very precisely. Perhaps a user is only able to search certain record types, or perhaps they can add data to the system but can't look at existing data. Whatever the case, you can make the system as restrictive or as open as the law and your policies require.
Second, everything that happens within the system is logged. If someone prints a record, Comnetix records the identity of the user who issued the command, and exactly what was printed and where. It also logs searches and records viewed, so the agency has a complete audit trail.
The software is not especially expensive considering it can make use of almost any biometric device, even those considered legacy systems. We have a five-year-old fingerprint scanner at the GCN Lab from a company that went out of business. It worked fine with the Comnetix system. The client software is available to government customers for $11,000; the server software will cost you $40,000. Overall, the system is exceptionally strong, especially for enrollment and identification purposes.
Comnetix Inc., (703) 904-4361, www.comnetix.com
Panasonic BM-ET330 Iris Reader
Pros: Accurate, user friendly; nothing touches the device
Cons: $3,700 for 25 users
Performance:
The last time we saw a Panasonic Iris scanner it looked like a little Web camera. The device at that time required a user to move the camera lens by hand until it could see your eye. The new BM-ET330 has two cameras in a panel that can be set up on a desktop or mounted on a wall for access control. The cameras automatically rotate up 35 degrees or down 15 degrees until they can focus on the eyes of a person attempting to gain access. If they can't get a good image, the unit will speak to the person, asking them to move forward or to the left or right until they are in the correct position.
We tested the scanner with people ranging in height from under five feet to over six feet tall, and it worked well each time. Although the automated voice was easy to understand, we didn't hear it too often. The cameras did such a great job of finding the user that we had to move dramatically to one side or stand on a chair just to trigger the voice.
There was nothing intrusive about the system (a common concern when it comes to iris scanners), and it worked in all lighting conditions except extreme darkness. It's designed to be attached to a LAN and then tied into a security server that keeps all the records. Administrators can view access records over time through the software interface, and in certain cases even check to see what a person who was denied access looked like.
The scanning device has tamper sensors that can alert administrators or other security personnel if someone tries to mess with the cameras. We were not able to generate any false positives for access, and other than when we were really trying to avoid direct contact with the cameras, scans happened on the first try each time and were very quick.
Because nothing actually ever comes in contact with the iris scanner, unlike almost every other type of biometric access, there is little wear and tear on the BM-ET330, making it perfect for large user environments. The unit comes with a 25-user license agreement for storing profiles and can be expanded to 5,025.
The 25-user system we tested costs $3,700. High-traffic areas with a lot of authorized personnel will certainly cost more. But for this level of security, it may be worth the money.
Panasonic Security Systems, (201) 271-3069, www.panasonic.com/biometrics
Recognition Systems HandKey II
Pros: Can store up to 32,512 users, fast authentication
Cons: Large unit could take getting used to
Price: $1,725 per unit
Performance:
The HandKey II is designed for access control in high-traffic areas with lots of authorized users. The standard model comes with the ability to store the unique features of 512 users and can be upgraded to 32,512 users if needed.
To gain access to a doorway guarded by a HandKey II, users simply place their hand onto the large metal pad and the system scans it, looking at the contours of the hand, the distance between fingers and various other topography features unique to each person. The entire scan takes only about a second.
In our testing, the system was extremely reliable, giving no false positives, nor any instances where a valid user was denied access. Except for instances where we purposely misplaced our hands on the scanner to test it for false positives, it always granted correct access on the first try.
Still, hand positioning could present a problem. There are little plastic pegs on the scanner to help guide a person's hand into the right position, but it looks a little intimidating at first glance, and users will likely need to be shown the proper orientation before they use the device the first time.
All profile data used by the HandKey II is stored locally within the device. This ensures that even if communications with the central security server are severed, your doors can still work and security be maintained. But there is also an Ethernet port, so you can attach a HandKey II to a central server and link all HandKey II devices together in one infrastructure.
The HandKey II costs $1,725 per unit, which could turn out to be a downright bargain if you funnel a lot of users through a few checkpoints.
Recognition Systems Inc., (408) 341-4100, www.rsibiometrics.com
Saflink SAFsolution Enterprise Edition 1.3
Pros: Enterprise support, strong central management of multiple biometrics
Cons: Can be difficult to set up
Price: $200 per server with four users; $50 each additional license
Performance:
SAFsolution is a server-based application, letting administrators centrally manage biometric log-ins. In an HSPD-12 architecture, it also provides the basis for an overall identity management system.
Setting up a user is not difficult, though it is a bit time consuming. Two attributes are added to each Microsoft user object in Windows 2000 Server and also beneath each group policy object. These attributes contain the encrypted data from the biometric device, be it a fingerprint scanner, iris scanner or some other system.
We happened to have several biometric systems in the lab for the roundup review. Once the SAFsolution software was installed on a central server, the discovery process for each device was quick. You're given basic data about each device including what company makes it and what type of data it collects.
Adding authorized users takes more time, and you can't do it without some training. Because of this, the software comes with a tutorial explaining the log-in process and prompts users to enroll themselves, subject to verification and approval, of course. You can also set up a common administrative identity that allows several users to help with auditing and monitoring functions if you have only one administrator but lots of users and biometric devices.
Once you have a pool of authorized users, administrators can set up further policies for using the various devices. Perhaps you want user profiles to expire after a certain amount of time, to prevent someone who's left the agency from maintaining a valid biometric profile on your server. Once you have all the elements, we found these types of policies easy to implement.
The server software we tested surprisingly costs just $200 and comes standard with four client licenses. That's pretty good, but of course if you only have four users, the enterprise management of biometric IDs is overkill. You can add more licenses for $50 per seat, which could add up quickly depending on your environment.
Saflink Corp., (800) 762-9595, www.saflink.com
Recognition Systems FingerKey DX 2000
Pros: Low cost, high security
Cons: Only works in low-traffic settings
Price: $1,000 for 50 users
Performance:
The FingerKey DX 2000 works much the same way as Recognition Systems' HandKey but only scans a fingertip. It uses minutiae templates, which might not be as secure as full-scan data but reflect the direction the National Institute of Standards and Technology is taking with HSPD-12 specifications.
We did not record any false positives using the FingerKey system, but we did get a few false negatives. Out of 100 tries, a valid user was rejected an average of three times, thereby requiring a new scan.
The FingerKey we tested had enough memory for 50 users, though it can be upgraded to handle 2,000. The relatively small number of supported users reflects the modest price of the system: A single unit can be had for just $1,000. If you need to improve security in a small office, the FingerKey may be a good choice that won't blow your budget.
Recognition Systems Inc., (408) 341-4100, www.rsibiometrics.com
Upek TCRU1C Fingerprint Reader
Pros: Highly accurate, inexpensive
Cons: $63 each in quantities of 1,000
Performance:
The Upek fingerprint reader is one of the most accurate biometric devices we tested. It has an extremely wide 12.8-by-18 millimeter active-sensor array, which helps eliminate false negatives. Out of 300 logins, we were incorrectly denied access just twice.
The reader is a 500-dpi, eight-bit grayscale silicon sensor that plugs into a USB port to lock down a PC. Once installed, you can't remove the reader without first turning off or deleting the software, which is not possible unless you are first logged in. So nobody can get around the security simply by pulling the plug.
While the scanner's accuracy was impressive, the sensor itself is really only useful for limited deployments: single-user PCs that need biometric protection. But combine this scanner with some of the management suites reviewed here, and you'll go a long way toward locking down a network.
UPEK Inc., (510) 420-2600, www.upek.com
Thumb drives and finger IDs
Not all biometric technologies control building or network access. Makers of tiny thumb drives have begun integrating fingerprint scanners to protect mobile files. Here are a couple.
FBi Drive
Pros: Stores passwords; enables secure remote e-mail
Cons: Fingerprint scanner produces too many false negatives
Price: $279 for a 512M drive
Performance:
Despite the name, the FBi drive is not built by the government. Instead, it's offered by a private company called Newport Scientific Research.
The FBi drive is a fingerprint scanner/flash drive for the mobile professional in need of extra data security. We tested a 512MB model that costs $279.
The drive does a lot of things that most people wish their flash drives would. Besides encrypting data on the drive (you can also use the bundled software to encrypt data on your PC), you can configure the FBi drive to help check your e-mail on the road. When you're finished, it will remove all traces of your visit from whatever remote system you are working on, a huge help if you are at a public kiosk. Last year, we looked at a product called the Xkey that did the same kind of thing and we liked it. Now it's nice to see the same kind of technology plus a biometric interface.
Or is it? This being a biometric roundup, we have to point out that the sensor on the FBi drive is not very accurate. It never let the wrong user see encrypted files, but sometimes it required three or four tries before a valid user was granted access. Very rarely was a legitimate user allowed in on the first finger swipe. False negatives are certainly better than false positives (accidentally letting an unauthorized user into the drive's data), but they're annoying and counterproductive. Unless the company can get the FBi drive's scanner to work better, it's little more than an expensive flash drive.
Newport Scientific Research Inc., (949) 721-5540, www.fbidrive.com
Sagem MorphoAccess 221-D
Pros: Affordable; works with smart cards and fingerprints
Cons:
Performance: A | GCN Lab
The MorphoAccess 221-D is one of Sagem's newest biometric systems, incorporating the best of the company's current line. It is both a fingerprint reader and a contactless smart-card reader that can provide one-to-one matching of a card-based biometric token. It also supports smart card and fingerprint-only identification against a database for agencies that aren't yet issuing cards with fingerprint data. Plus, it includes special technology for detecting when a fake fingerprint has been presented.
Not surprisingly, during testing we didn't encounter any false positives or negatives using smart cards only. When we threw fingerprints into the equation, the system returned just three false negatives and no false positives out of 100 authentications. We were not able to test the system's fake-fingerprint detection.
The terminal can store two fingerprint templates for up to 800 users. If you have more users, the company sells an MA 300 that can handle 48,000 pairs of fingerprint data, but that model doesn't support the contactless smart card, which will be a requirement under HSPD-12.
For administrators, the device integrates with commercial control systems through Ethernet or RS-422. It also has built-in tamper and theft protection. At a government price of $1,120 per device, the MA 221-D is well positioned for agencies that need physical security readers now and when they migrate their infrastructures for HSPD-12 compliance.
Sagem Morpho Inc., (703) 797-2665, www.morpho.com
Sony FIU-810 Puppy
Pros: Acts as a single-sign-on device; allows public/private storage
Cons: Only 62MB capacity, relatively high incidence of false negatives
Price:
The Sony Puppy may be little, but it has teeth. The dongle is not much larger than a thumb and plugs directly into a USB port. You can assign all your logins and even Web passwords to the device, so you don't have to remember them anymore. Just touch the reader, and it will present your credentials for you.
And in a true cloak-and-dagger application, you can assign multiple users to the Puppy and then pass secure documents between authorized users. The 62MB available on the Puppy for storage is divided into public and private areas that appear as separate drives within Windows. To access the encrypted private drive, an authorized user needs to give a fingerprint. Nobody else can get at the data.
At just $199, the Puppy is a good product for people who need to log into several secure Web sites and can't memorize all their passwords. It is also good if you need to share data between a select group of people and can't risk lost or stolen information. But as a biometric device, it's not exactly the best. During testing, we recorded an average of five false negatives per 100 tries, which may sound low but was on the high side of the systems we tested. Since the Puppy isn't going to be guarding your doors, that may be forgivable. But we'd understand your frustration if you couldn't get to an important document on the flash drive because the Puppy didn't recognize you.
Sony Electronics Inc., (866) 530-2963, www.sony.com/puppy