Biometrics suites earn a thumbs up

Long the guardian of top-secret installations, biometric verification is now ready for the fast-paced world of the enterprise network.


We're all familiar with the scene in the spy movies where our hero encounters a door that won't open without fingerprint, voice or even retina verification. Biometrics -- equipment that authenticates users based on their unique biological features -- works well in the world of espionage and certainly makes for some great plot twists on TV or film.

But just how practical is it for the more pedestrian environment of the enterprise network? How secure is the biometric database? Are the biometric devices the systems support reliable? Can you manage them without adding staff and/or overtime? Are they cost-effective? And can the devices survive a fall from a desktop? Most importantly, is biometric authentication right for your company and your network?




If your company has resolved the tangle of ethical issues surrounding biometric authentication and has decided to take the plunge, keep in mind that your biometric system can't be implemented in isolation from other network systems. Developing and managing a biometric authentication system has to be an integral part of your network's total security plan.

Biometric authentication can be extremely secure because it authenticates biological characteristics that are unique to each person. There can be no stealing, guessing or spoofing of the human iris, for example. Furthermore, it is much more secure than a password or a token because the former can be guessed, and both can be stolen.

A solid and comprehensive biometric authentication system can't be implemented on the fly. These systems are complex and, for maximum security, must be customized to suit the needs of each company. Therefore, the question you should ask yourself is, "Do I have the time, money and expertise to craft a bulletproof biometric authentication system?" Only if the answer is an unequivocal "yes" should you begin to evaluate products.

With the intent to implement a near-impregnable system, we set out to determine whether network-based biometric authentication was ready for the thrills and chills of a large organization. We reviewed only those enterprise-level biometric authentication suites designed for network deployment. That means the systems we tested had to do one of two things: provide their own security database and administration tools, or integrate seamlessly into Windows NT domain security.

The products we tested fell mainly into two groups. The first group, authentication systems based on a combination of fingerprint, password and smart card verification, included American Biometric Company's Trinity 2.5 (although the company says Trinity will have multiple biometrics in future releases) and Identix's BioLogon 2.0.

The second group, authentication suites, included BioNetrix Systems' BioNetrix Authentication Suite, Keyware Technologies' Biometric NT Logon (an OEM product) and SafLink's SafLink 2000 Multi-Biometric Enterprise Security Suite.

These suites support multiple biometric systems: fingerprint, voice and face verification. The vendors also supplied a variety of fingerprint scanners and face and voice recognition systems. We also tested IriScan's IriScan product (see Our 'not so impossible' mission).

World Class winner

BioNetrix Authentication Suite receives our award for its combination of security, durability, documentation and technical support.

While all of the products were worth consideration, one stood out. For its combination of security, durability, documentation and technical support, BioNetrix Authentication Suite wins our World Class Award.

The art of self-defense

Authenticating users is worthless if the security surrounding the authentication database is weak. Therefore, security of the authentication system was our prime concern. In the biometric authentication systems we tested, security is handled in one of two ways.

In the first method, security is accomplished via tight integration with NT, in which the authentication system creates fields for biometric data storage as extensions to the NT Security Account Manager (SAM) database. These systems take advantage of the security features NT uses to safeguard the SAM. These products also rely on the Microsoft CryptoAPI for any data encryption they employ. SafLink 2000 and BioLogon 2.0 use this method of authentication database security.

In the second security method, the authentication system builds and manages its own database and provides its own security for this database. BioNetrix Authentication Suite, Trinity 2.5 and Biometric NT Logon employ this means of database security.

All the products scored well in self-defense. SafLink 2000 and BioLogon 2.0 were well-integrated with NT and took full advantage of SAM, although BioLogon 2.0 integrated a bit more tightly with NT.

The products with independent databases also rated high in security, although it's difficult to judge Trinity 2.5's vulnerability because it uses a proprietary database and management system.

The top marks go to the BioNetrix product, with honorable mention going to BioLogon 2.0. BioNetrix Authentication Suite handles all NT authentication levels itself, rather than relying on NT domain security. It requires an initial logon to NT, which sets the NT Graphical Identification and Authentication (GINA) level. GINA is an NT Dynamic Link Library (DLL) that challenges users to supply their user IDs, domains and passwords. BioNetrix Authentication Suite keeps the GINA level, then adds a biometric challenge layer, which means that the product can respond to authentication challenges beyond the GINA level.

Further bulletproofing its security, the BioNetrix product performs client/server data exchanges using the Diffie-Hellman key exchange and encrypts transmissions using Data Encryption Standard, Triple DES or Blowfish data encryption algorithms.
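To make the client/server key agreement described above concrete, here is an added example (not BioNetrix's code) of a Diffie-Hellman exchange run from both sides, with the server-side check that rejects degenerate public values and a derivation of 24 bytes of Triple DES keying material from the shared secret. The group parameters p = 23, g = 5 are a constructed textbook toy, far too small for real use.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only; a real deployment
# uses a large, well-known safe-prime group. p = 23, g = 5 is the textbook pair.
P = 23
G = 5

def dh_public(private, p=P, g=G):
    """The value one side sends on the wire: g^private mod p."""
    return pow(g, private, p)

def is_valid_public(peer_public, p=P):
    """A peer value of 0, 1 or p-1 forces the shared secret to a predictable
    value regardless of our private exponent, so such values must be refused."""
    return 1 < peer_public < p - 1

def dh_shared(private, peer_public, p=P):
    """Compute the shared secret, refusing degenerate peer values."""
    if not is_valid_public(peer_public, p):
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(peer_public, private, p)

def session_key(shared, key_len=24):
    """Derive fixed-length symmetric keying material (24 bytes covers Triple DES)
    from the raw shared secret instead of using the secret directly."""
    nbytes = (P.bit_length() + 7) // 8
    label = b"demo-session-key|"                      # constructed context label
    return hashlib.sha256(label + shared.to_bytes(nbytes, "big")).digest()[:key_len]

def exchange(client_private=None, server_private=None):
    """Run both sides of the exchange; returns (client_key, server_key, transcript)."""
    client_private = client_private or secrets.randbelow(P - 2) + 1
    server_private = server_private or secrets.randbelow(P - 2) + 1
    client_public = dh_public(client_private)        # client -> server
    server_public = dh_public(server_private)        # server -> client
    client_secret = dh_shared(client_private, server_public)
    server_secret = dh_shared(server_private, client_public)
    transcript = {"client_sends": client_public, "server_sends": server_public,
                  "shared": client_secret}
    return session_key(client_secret), session_key(server_secret), transcript
```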

Trustworthy, but not foolproof

Reliability wasn't a major stumbling point for any of the products, especially the fingerprint systems. All the products we tested let network managers control the type of biometric information gathered as well as its relative importance in determining whether system access is granted. For example, SafLink 2000, Biometric NT Logon and BioNetrix Authentication Suite all support multiple biometric measurements, and the number and type of biometric authentications required can be configured for each individual client workstation.

Trinity 2.5 and BioLogon 2.0 allow network managers to set access parameters based on any combination of password, fingerprint or smart card. Again, American Biometrics said future releases of Trinity would have more types of biometric authentication, but for the time being the only biometric support is fingerprint.

SafLink 2000 also supports smart cards, while BioNetrix Authentication Suite does not. Although Keyware's Biometric NT Logon does not support smart cards out of the box, it has a smart card application tool kit to allow companies and integrators to develop their own smart card support. Keyware is pursuing an OEM strategy, which is one of the reasons the company provides a host of application tool kits in addition to the smart card tool kit, including kits for telephony and Internet authentication.

We also want to sing the praises of the weighted BioDecision Module function of Keyware's Biometric NT Logon. Keyware is unique in offering network managers the capability to make access decisions based on a set of weighted authentication criteria (for example, verifying fingerprint 100%, voice 90% and face 85%). This lets net managers set parameters for allowing anything from full access to retries on password entry.
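As an added illustration of the two policy features described above (per-workstation authentication requirements and weighted decision criteria), the following Python is not any vendor's code; it models a policy engine in which each workstation lists the devices it has, the confidence each factor must reach (the page's fingerprint 100%, voice 90%, face 85%) and a weighted combined score that selects full access, a password retry or a denial. The policy layout and workstation names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    GRANT = "grant"            # full access
    RETRY_PASSWORD = "retry"   # fall back to a password prompt
    DENY = "deny"

@dataclass(frozen=True)
class FactorRule:
    threshold: int   # minimum match confidence (0-100) for this factor to count as verified
    weight: float    # relative weight of the factor in the combined score

@dataclass(frozen=True)
class WorkstationPolicy:
    rules: dict            # modality -> FactorRule, only for devices present on this workstation
    required_factors: int  # how many configured factors must individually verify
    grant_score: float     # combined weighted score (0-100) needed for full access
    retry_floor: float     # combined score below which the user is denied outright

# Constructed per-workstation policies (assumed layout, not any product's format).
POLICIES = {
    "lab-ws01": WorkstationPolicy(   # three devices, weighted as on the page
        rules={"fingerprint": FactorRule(100, 0.5),
               "voice": FactorRule(90, 0.3),
               "face": FactorRule(85, 0.2)},
        required_factors=2, grant_score=90.0, retry_floor=70.0),
    "kiosk-03": WorkstationPolicy(   # fingerprint reader only, no password fallback
        rules={"fingerprint": FactorRule(100, 1.0)},
        required_factors=1, grant_score=100.0, retry_floor=101.0),
}

def evaluate(policy, scores):
    """Apply a workstation policy to the match scores its devices returned.
    Returns (decision, combined_score, verified_modalities)."""
    weight_sum = sum(r.weight for r in policy.rules.values())
    verified, total = [], 0.0
    for modality, rule in policy.rules.items():
        score = max(0, min(scores.get(modality, 0), 100))  # missing sample = failed factor
        if score >= rule.threshold:
            verified.append(modality)
        total += rule.weight * score / 100.0
    combined = 100.0 * total / weight_sum
    if len(verified) >= policy.required_factors and combined >= policy.grant_score:
        return Decision.GRANT, combined, verified
    if combined >= policy.retry_floor:
        return Decision.RETRY_PASSWORD, combined, verified
    return Decision.DENY, combined, verified

def decide(workstation, scores):
    """Look up the workstation's policy; an unconfigured workstation is denied."""
    policy = POLICIES.get(workstation)
    return evaluate(policy, scores) if policy else (Decision.DENY, 0.0, [])
```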

Managing the mysterious

While ease of installation varied little from product to product, manageability did. BioLogon 2.0 and SafLink 2000 integrated smoothly into the NT user management system. BioLogon 2.0 gets the highest marks for installation - its installation and enrollment procedures almost completed themselves. SafLink 2000 and Trinity 2.5, on the other hand, have somewhat more complicated procedures. Because BioNetrix Authentication Suite uses its own authentication database and management console, it was more complex than the others. This is probably unavoidable, given all the features the product has.

The BioNetrix product has the slickest installation of any of the products we reviewed. The BioNetrix Biometric Starter Kit comes in a neatly packed, clear plastic briefcase that contains everything you need to get started. Furthermore, its BioNetrix Administration Manager configuration tool made installation and user management a breeze. However, BioNetrix Authentication Suite requires Microsoft SQL Server, which functions as the back-end security database. Make sure you have SQL installed and ready to roll before you begin. But don't fret about SQL database security because the BioNetrix product stores the database password in a secure portion of the NT registry after encrypting it.

We also want to mention the excellent auditing and reporting tools provided by BioNetrix Authentication Suite and BioLogon 2.0. Both products received extra points for these outstanding and easy-to-use management features, which were far superior to the other products we tested.

Durability was an issue mainly for Trinity 2.5 and BioLogon 2.0 because these systems are largely tied to one type of authentication device. While Trinity's BioMouse Plus is an accurate little fingerprint-scanning, smart card-reading rodent, its double-dongle construction is a bit delicate and may not survive desktop warfare. The Veridicom fingerprint mouse used by the Keyware and Identix products - which also comes packed in BioNetrix's Biometric Starter Kit - is far more solid.

The BioNetrix product, on the other hand, supports nearly every brand of biometric authentication device imaginable, giving you the opportunity to select the best breed of each type of device.

Self-destructing documentation

Finally, before you head off to build your biofortress, we want to emphasize that developing and implementing a thorough biometric authentication system is a job for professionals, and you will need additional development help to implement it properly. All these companies have integration assistance available for an additional charge - plan on using it.

Although BioLogon 2.0 has a wholly self-evident user interface and very comprehensive help, and Trinity 2.5 has excellent technical support, for documentation and support, no one gets higher marks than BioNetrix Authentication Suite. The documentation is extensive, well-organized and thorough. Best of all, included in the cost of the product is a full day of on-site installation support. By contrast, the documentation for SafLink 2000 was dismal, and we're still waiting for some of our technical support calls to Keyware to be returned.

Safety in numbers

All the biometric authentication systems we reviewed worked surprisingly well. The fingerprint/password/smart card combinations -- Trinity 2.5 and BioLogon 2.0 -- are secure and reliable, although Trinity is rather complex and at times overwhelming. SafLink 2000, BioNetrix Authentication Suite and Biometric NT Logon are all great choices for shops that need multiple biometric authentications. However, for security, flexible manageability and unparalleled support, BioNetrix Systems' BioNetrix Authentication Suite is truly outstanding. Now your mission is to implement biometric authentication before your network self-destructs.

How we did it

We had a blast trying to break into our Windows NT Server network with NT Workstation and Windows 95/98 clients. Our server was a 350-MHz dual Pentium II running NT Server 4.0 Service Pack 4 and Microsoft SQL Server. Our clients were a mixture of Pentium II and Pentium III PCs ranging in speed from 350 MHz to 600 MHz. Our top priority was the security of the authentication database; therefore, we evaluated access security as well as encryption for passwords and client-server communications. We then evaluated the ease and security with which these systems could be configured, new users enrolled and existing user profiles amended. Systems that provided multiple layers of authentication received higher marks, as did systems that allowed individually configurable user authentication levels.

While ease of installation, manageability and database security were our primary concerns, we also made sure the devices performed reliable authentication and updated their databases accurately and securely. Finally, to test durability we subjected the products to approximately a year's worth of normal wear and tear by connecting and disconnecting, installing, uninstalling and reinstalling, dropping off desks, etc., to check for delicate connectors, crack-prone covers and the like.

RELATED LINKS

Bracco is principal analyst for Enterprise Infrastructure at Current Analysis in Sterling, Va. She can be reached at tbracco@currentanalysis.com

Our 'not so impossible' mission
Testing out the face and voice recognition systems
Copyright, 1994-2006 Network World, Inc. All rights reserved.