[ISN] Biometric Security Not Ready to Replace Passwords

From: InfoSec News (isnat_private)
Date: Mon May 06 2002 - 00:27:15 PDT


    By Carlos A Soto, Government Computer News
    02 May 2002, 2:05 PM CST

    Biometrics vendors are doing their best to supplant passwords as the
    chief form of computer security, but Government Computer News Lab
    tests indicate that many of their products are not quite ready. Some
    developers have continued to improve already good devices, but others
    need to go back to the drawing board.

    Bad biometric security is worse than no security at all because it can
    lock out a legitimate user, admit an interloper or - perhaps most
    dangerous - lull a network administrator into a false sense of safety.

    For this review we examined six fingerprint-recognition devices and
    one voice-recognition device. A word of caution: An administrator
    cannot deploy large numbers of any of those fingerprint devices
    without third-party administrative software.

    This year, to test the efficiency of multiple biometrics products on
    the same computer system, we used the Saf 2000 software suite from
    SafLink Corp. of Bellevue, Wash. Saf 2000, priced at $49.95 per
    client, lets the administrator manage multiple biometric devices on a

    I created four accounts on a 1-gigahertz Pentium 4 PC running
    Microsoft Windows 2000. With the easy-to-use Saf 2000 administrative
    software, I enrolled a different trait for each account.

    L&H Speech Verification software from Lernout & Hauspie Speech
    Products USA Inc. came bundled with the SafLink suite and was by far
    the weakest link in this review. It was so sensitive to ambient sounds
    that it sometimes wouldn't let me log in if the air conditioning
    wasn't on as it had been during enrollment.

    I had to enroll three times before the software was satisfied with its
    template of my voice. Each enrollment required saying "my voice is my
    password" three times, as in the movie "Sneakers." So I had to say the
    phrase nine times to get a good template.

    The software made an X-Y graph of my speech patterns, pronunciation
    and speed. It calculated a mean of these points and converted the
    pattern into a template for identification.

    Even so, it couldn't recognize me when I had a cold or spoke too
    quickly or slowly. Although the software was user-friendly, it
    demanded perfect conditions and lots of patience, just as face
    recognition does.

    Every biometric device forces a user to standardize the entry of the
    trait that is being recognized. After a time, logging in on the device
    becomes second nature, like typing a familiar password. But although
    I've tested voice recognition in the past and used it intensively for
    a month for this review, I still dreaded logging in each morning.

    Most of Lernout & Hauspie has been acquired by ScanSoft Inc. of
    Peabody, Mass., and what remains is having financial difficulties.
    Neither L&H nor ScanSoft any longer supports the speech-verification
    software in the SafLink bundle, which SafLink originally licensed from

    The SecuGen Mouse from SecuGen Corp. of Milpitas, Calif., also came
    bundled with the Saf 2000 software. It was the only biometric mouse in
    the review that connected to the test PC via a combined parallel port
    and PS/2 cable. SecuGen sells other mice that connect to a
    universal-serial-bus port.

    The $119 parallel-port model used a track and ball, not optical
    tracking, but it had a fast, embedded optical chip for fingerprint
    recognition. The optical sensor, which recorded a thumbprint only, was
    on the left side of the device. To enroll other prints, the user would
    have to pick up the mouse.

    SecuGen curved the top of the mouse leftward to make placing the
    thumbprint more natural. That would inconvenience left-handed users.

    Despite those minor design flaws, the SecuGen mouse did its job well.
    It never failed at log-in, and I could not get around its security.

    Like the SecuGen mouse, the ergonomic U-Match Mouse from BioLink
    Technologies International Inc. used an optical sensor to pick up

    Because the U-Match mouse was larger than the SecuGen, as well as
    ergonomically shaped, the fingerprint plate at the left side was
    clumsier to use.

    The U-Match had USB connectivity and a scroll wheel. Also, the
    oxidation and erosion of paint by finger moisture we observed when we
    reviewed the U-Match a year ago were no longer a problem.

    We wish the U-Match were optical instead of track and ball; optical
    innards don't require cleaning and operate more smoothly. But the
    U-Match seemed too bulky and heavy to glide smoothly even if it were

    The ID Mouse from Siemens AG used a small, more sophisticated silicon
    chip to identify fingerprints.

    It was the only optical laser mouse in the review, and it cost $119.
    For those reasons, and its USB connection, our Reviewer's Choice and
    Bang for the Buck designations went to the ID Mouse.

    Siemens smartly placed the ambidextrous fingerprint sensor at the
    center of the device so that a user could enroll any finger

    The Microsoft Windows XP operating system has been out for more than
    six months, and you'd think every biometric product would now be
    XP-compatible. But only two of our fingerprint devices had drivers for
    XP when we started reviewing biometric devices in February.

    Only one of those products had XP-compatible software and was
    XP-certified: the $130 DFR-200 BioTouch USB fingerprint reader with
    BioLogon 3 software from Identix Inc. These products were also the
    easiest to set up and use.

    The BioTouch USB reader with BioLogon 3 connected at least a minute
    faster than serial-port devices, which sometimes required rebooting
    twice. BioTouch installation took just one reboot.

    Because the BioTouch USB had an optical sensor for fingerprints, it
    was bulkier than a silicon-chip device. It also had an awkward
    arrangement for placing a finger on the optical sensor. The BioLogon 3
    software converted that data into a log-in algorithm, stored on a
    server or desktop PC.

    Users wary of identity theft are increasingly reluctant to put a
    fingerprint credential on a networked system that could be hacked.
    Sony Electronics Inc. and a Swedish company, Precise Biometrics, have
    an answer.

    Their fingerprint-recognition devices keep the print data in the
    devices themselves, not on a server or PC, and they have added other
    security enhancements. Last year we looked at Precise Biometrics's 100
    SC. This year, the new USB-connected Precise 100 MC surpassed our
    expectations, earning a Reviewer's Choice designation.

    The Precise 100 MC received an A-minus grade for better speed and ease
    of use in a streamlined hardware design. The 100 MC design abandoned
    the SC line's silicon sensor, from Veridicom Inc. of Sunnyvale,
    Calif., in favor of a smaller chip from AuthenTec Inc. of Melbourne,

    Another improvement to the $200 Precise 100 MC was the addition of a
    $10 smart-card token with an 8-MHz mini-processor running Java.

    Although XP drivers are ready for the MC, the suite isn't yet

    Sony Electronics focused on hardware with the FIU-710 Puppy. Known for
    sleek designs, Sony did a good job of making the $200 USB unit light
    and easy to handle.

    The Puppy, which performs the functions of fingerprint reader and
    smart card, is far smaller and thinner than the Precise 100 MC. Sony
    manufactured the silicon chip, which performed in our tests perhaps a
    tenth of a second faster than the speedy 100 MC. It also seemed more
    durable thanks to a metal sensor cover that retracted when a finger
    slid onto the chip.

    The Secure Suite software bundled with the Puppy was easier to install
    and set up than the Precise suite.