Product Reviews

Biometric Security Products: Secugen EyeD Hamster and EyeD OptiMouse

My hamster doesn't have a creaky wheel

My hamster doesn't have a creaky wheel to run on. Instead, he uses optical components to scan my proffered finger and provide input to prove my identity to server-side software. Fingerprint scanning for authentication provides little comparison with the fingerprint matching done to identify criminals. Instead of performing visual comparisons of the unique topography of your digital extremities, the scanner maps a large number of data points at distinctive markings and the distances between them. This information is compared to previously stored sets recorded in the Active Directory during your registration.

Unlike keystroke analysis or voice recognition, fingerprint-scanning biometrics depends on hardware to collect the data. An assortment of mice, keyboards, and other things you placed your fingers on or in are available. SecuGen provided me with two: an optical mouse with a scanning window where most thumbs are placed during mouse control, and a "hamster," a black device roughly the size of two Zippo lighter that fit comfortably in the palm of my hand. You can change your grip to place any of your logon pods (otherwise known as fingertips) over the hamster's scanning window. Once authenticated, you return it to your desktop until it's needed again. Protocom SecureLogin V2 Windows 2000 domain authentication software accompanied the mouse.

Product Information

EyeD Hamster, $119 EyeD OptiMouse, $139
SecuGen
Milpitas, Calif.
(408) 942-3400 www.secugen.com

Installations, Configuration and Registration
Installation can be a little more difficult here. It's made more so by the existence of a single executable on the installation CD-ROM and a requirement for manual modification of the Active Directory Schema. Much against my better judgment, but with no other choice, I started installation before reading any documentation. Happily, I was then given the choice to just install documentation. Documentation is copious, but a shortened list of steps provided a simpler road path through it.

Step one requires modification of the AD schema. While the instructions were excellent, this approach leaves much room for user error. A misstep here could leave one with hours of troubleshooting only to find that the new user attribute was incorrectly entered or never added to the user object. I know I'm whining here; real nerds insist on doing their own schema changes, shun Group and Local policies in favor of scripting their own registry modifications and never ever use a GUI when a command prompt will do. Still, I can't be the only one who feels I've paid these kind of dues in the past. Just let the install program do something I can easily mess up, ok?

Next, the instructions include modifications at the BIOS level to support parallel port usage by earlier devices. Since my new little buddies had USB connectors at the other ends of their tails, I skipped this part. Instead, I installed the software. Like most biometrics, you can't use them until users register, and you can't register until you install the hardware. SecuGen avoids the possible nightmare (install the hardware and you may find yourself unable to logon because you haven't registered) by allowing unregistered users to continue using their normal login procedures.

Hardware installation merely requires connecting the creature to the system. Windows 2000 notices the hardware change and loads the driver. Finally, I was ready to register my fingers. SecureLogin provides a registration utility. To run it you must be a member of the SecureLogin Adminstrators group, a group created when the product is installed. Select a user account, click the radio button corresponding to the digit to be registered, have the user place that finger on the device, and click the register button. An image of the finger print appears on the screen (see figure). If the image is acceptable, you're allowed to continue registering other fingers. Incidentally, SecuGen advises you to have users register several fingers. There's no guarantee that a finger roughened by gardening or other physical work on the weekend will be a useful authentication tool come Monday morning.

SecureLogin
Feeding fingerprints to SecureLogin. (Click image to view larger version.)

Once registered, the user can use any registered finger to start the authentication process, if it's acceptable, the first time authentication also requires password entry. You can remove the password requirement.

Mouse or Hamster?
Unlike keystroke analysis, fingerprint scanning biometrics allows you to choose the auxiliary device to use for entry. The EyeD Optimouse looks almost exactly like any other mouse you may have. However, along the left side of its ergonomic blue and white body is a window into its soul, er, a plastic window on which to place a registered finger. It's conveniently placed right where your thumb normally rests. Obviously, if you have to use another finger, it's a little more awkward. Well, a lot more awkward but can be done. Remember, this is only necessary for authentication—you don't need to be able to continually point, click, and present usable body parts at the same time. Incidentally, this thumb position placement is perfectly aligned to solve one of the issues common to most readers; when a fingerprint scanner is first used, it's difficult to get the finger lined up to get a good print.

The EyeD Hamster sits upright on your desktop. Its slanted top provides the plastic window. However, after some awkward but successful uses of it in this position, I found it much easier to use when it I cradled the device in the palm of my hand. Smokers from pre-BIC lighter times can empathize here: I discovered this convenience when I realized I was absentmindedly playing with the hamster as if it was a worry stone, or favorite lighter. Once I noticed that it only took a few minutes to find comfortable, natural ways to make the window accessible to any digit. I think it may just become my favorite, biometrics and soul soothing in one small package—who would have figured?

Issues
My SecuGen contact made sure he was available to answer any questions and actually provided an answer to a question I hadn't asked yet. (Are these guys psychic or what?) The big selling point of biometrics is that it can replace or strengthen the typical user ID and password combination by insisting on an authentication process which requires the presentation of some biological evidence—perhaps a fingerprint, voice, retina or iris scan, or keystroke pattern. Any implementation of biometrics therefore, can have a fatal weakness. If a user can somehow go around the biometric and use only my user ID and password, then adding the biometric layer is useless. Can a user, for example, logon from a client machine that does not have the software loaded and forego biometric authentication? Can she use biometrics to logon to one account, but then use RunAs to logon to another, sans biometrics? Before I had a chance to test it, SecuGen provided the answer: Yes, well maybe, and here's what to do.

In normal operation, a workstation that does not have the client software loaded will not allow a user to enter their normal user ID and password. In normal operation, an authenticated user can use RunAs to run applications as another user without the need for biometric authentication. That is, if the user knows a valid account name and password, he can use that information and the RunAs service to run applications. He will not be required to present any biometric information (fingerprints) and there is no way to force this to be required.

However, a simple adjustment can be made to close this hole and require biometric authentication in order to successfully logon. A simple registry key modification allows the product to change the user password to a unique value each time the user logs on. This means that no registered user can ever again logon using a password, because they don't know what the password is. They cannot move to a workstation which does not have the client loaded. While nothing prevents anyone from using the RunAs service, they will be unsuccessful for the same reason: They do not know the password. While a password-cracking program could potentially be used to obtain the password offline, if the user is a frequent user of the system, the cracked password is most likely useless as it has already changed

Remember, however, that there is nothing that will automatically require all users to be registered. An unregistered user can still use a password. Some of you may consider this a boon, as there are processes that require the use of a password, so some administrative accounts may need to remain unregistered. Others may see this as where all biometric products break down—the biocontainment/ user registration issue. Indeed, if any account is not registered, and I know that password, I can use it to logon.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

comments powered by Disqus
Most   Popular