Biometric Authentication Management
December 27, 1999
By Timothy M. O'Shea and Mike Lee
Fingerprints, facial features, voiceprints--each is one of a kind. So what could be better than using these to identify network intruders? By relying on unique biological traits, biometric authentication systems have proved their worth for years in standalone applications within high-security environments, such as government installations and financial institutions. As prices fall and the hardware technology improves, the market grows.
Biometric hardware can provide authentication via voiceprint, facial scan, retinal patterns and fingerprints. With so many options available, vendors have begun developing software to integrate the devices into everyday networks.
Biometrics has moved from simple desktop implementations to network-authentication systems. New applications provide solutions to problems that range from the small homogeneous shop's need for authentication into a domain, to the distributed organization's demands for integration with firewalls, perimeter security and multiple operating platforms. But even though the vendors whose applications we tested are improving their products to deliver timely solutions to these problems, they're mostly appropriate for smaller, simpler networks. No product we tested offers the enterprise the same level of integration found in either token or smart-card systems.
As with most new markets, several stumbling blocks stand in the path of rapid adoption. First, an overwhelming number of products--330, according to the ICSA (International Computer Security Association) 1999 Biometrics Survey--are marketed by a diverse pool of vendors, which raises concerns over standards, integration with existing systems and long-term support. The products we tested run on the Microsoft Windows platform and offer no integration into security at the perimeter. Promising changes and enhancements to security, the upcoming release of Windows 2000 is also keeping biometrics vendors on their toes. Each vendor whose product we tested is scheduling version releases in step with Windows 2000 to ensure compatibility with the new system.
The market is showing signs of consolidation as device vendors begin to team up with software makers. None of the companies we questioned cared to divulge its new partnerships beyond saying agreements are in the works.
On the standards front, several proposals are in development, most notably HA-API (Human Authentication API) and BAPI (Biometric API). HA-API (released in 1997) provides a means to interface to various biometric technologies, but only under the Win32 platform. BAPI, under development by the BioAPI Consortium, provides an OS-independent standard and makes the API biometric-independent. The first version of this standard is expected in the first quarter of 2000 and will allow for integration into firewalls, network perimeter devices and operating systems. For now, partly because of the immaturity of the standards, each software product we tested supports a limited number of devices. Each vendor we spoke with indicated that it will work with customers to support other devices on an as-needed basis.
Beyond the lack of firm standards, biometric technology still gets a bum rap from end users. Many associate fingerprint scanning with the fingerprinting of alleged criminals and are hesitant to accept this technology. The calculated scanning, comparison and storage of our unique biological traits make some feel their privacy is being violated. Also, though biometric authentication can ease administrative headaches, such as password management, and improve upon user identification, integrated support across the enterprise is missing. Don't look for detailed auditing, support for numerous management platforms and other such features; they're just not here yet.
Nevertheless, it makes no sense to ignore biometrics. This developing and dynamic market has drawn vendors who are constructing smart products and simplified solutions to network security and authentication puzzles. Prepare to share in the benefits, and some of the growing pains, if you choose to join early adopters from financial institutions, health and pharmaceutical companies and government organizations.
No biometric system will let you rip out the existing authentication structure. Most shops maintain a combination of authentication technologies, and your biometric solution should offer some appreciation of these systems, or provide a model that will integrate with your existing technologies in the future. Products that best accomplish this integrate existing technologies (such as smart cards) with biometrics and establish a management interface that allows for the addition of modules to support new technology. Shops that are in good shape for biometrics will have a largely homogeneous Windows NT platform with an authentication system that is primarily password-based. Larger shops may be able to integrate biometrics into specific applications or for some users as the market develops.
Our Editor's Choice award goes to BioNetrix Systems Corp.'s BioNetrix Authentication Suite 2.0. This system stood out in our tests with its comprehensive feature set, smart user management and simplified integration. BioNetrix is developing the product to integrate beyond NT and into the enterprise authentication arena to add nonbiometric authentication support. As Windows 2000 looms and the network enterprise continues to be a mix of platforms and authentication challenges, the BioNetrix software suite looks to the future, in which your authentication system encompasses several technologies and platforms across the enterprise. Identicator's BioLogon and Saflink's SAF2000 finished just a bit behind. Their integrated feature sets enhance NT while providing ease of use. Each offers well-developed smart-card implementations for added security.
How We Tested
We tested each product to determine its ability to provide basic authentication via biometrics within a closed network (consisting of an NT server and NT workstation clients). We were particularly interested in the integration of the biometric software with the NT authentication systems. As the products were installed and configured, we noted the relative ease of this process and the clarity and depth of the documentation provided to assist us. We then examined each product's additional features, paying close attention to the process of enrolling new and existing users, and the process of authenticating from the desktop to allow local and network access through the server.
Finally, we briefly examined the fingerprint scanners, focusing on the ease of use, features and general feel of these devices (see "Fingerprint Scanners: Hands On," page 49).
All testing took place in our Syracuse University Real-World Labs®. Our clients were installed on Dell Computer Corp. OptiPlexes with 400-MHz Pentium II processors and 256 MB of RAM, running Windows NT Server 4.0 updated with Service Pack 5.