Most units we tested required external AC power, though there was variance here, too. BAC's device is powered via the keyboard connector and Identix's TouchSafe II is driven by the ISA board in the host PC. NRI's external frame grabber also is wall-powered, but it can be shared by two scanners.

The Digital Persona and Sony scanners encrypt transmissions over the wire running to the host PC, preventing the authentication data from being hijacked for later playback. The ABC device uses session keys on every frame transmitted to thwart replay attacks. BAC, Identix and NRI don't attempt to encrypt this channel, leaving them wide open for wire snooping and replay attacks.

There were also differences in the way these devices are calibrated and sensitivity is adjusted. Most people are not fingerprint experts, so it's important that systems be self-calibrating and have a minimal range of sensitivity settings. For example, Sony's FIU uses a five-point sensitivity scale, acknowledging that it may be necessary to adjust the settings based on your user population. The ABC unit has a custom camera that self-adjusts without any administration, though sensitivity settings must be adjusted. Digital Persona and NRI revealed no calibration or sensitivity settings, an approach that we favor. The last thing you want is a miscalibrated system operating.

The Identix scanner falls at the opposite extreme. Using three thresholds, each on a 200 point scale, administrators must adjust various aspects of the retrieved image. Unfortunately, if you mistune it, fraudulent users can get past the device. We did this using copies of latent fingerprint images lifted with adhesive tape from a table. Using the same techniques, we cracked into BAC's SecureTouch, this time using its default settings.

Digital Persona U.are.U
The U.are.U scanner would take top honors in a biometric beauty contest. It looks like some Bauhaus-inspired art piece, yet it's surprisingly functional. It reads very quickly--faster than any other device we tested--without requiring the user to press a capture key. It also works in any orientation; enroll or verify the finger sideways or upside down, and the unit can still do its job.

In our tests, U.are.U had the highest average user success rate. Although one person in our test group required multiple attempts to enroll and authenticate, most users never had to try the device more than once. U.are.U impressed most participants with its ergonomic design and its ability to fit just about anywhere on their desks.

The U.are.U scanner also is highly secure. It didn't respond to our fake finger tests, nor could we use lifted prints to get in. To protect against wire snooping, U.are.U sets up a 128-bit challenge-response encryption link to the host PC. Packets sent across this link also are time-stamped to prevent replays. It didn't rely on operating system mechanisms to encrypt data between host PC and back-end server, but handled this task in the hardware directly.

U.are.U is a very new product, so software has not matured. While Digital Persona is working on a Windows NT 4.0 authentication mechanism (see "The Software Battle Has Just Begun," on page 90), it is hampered by the fact that Microsoft Corp. doesn't offer USB drivers for Windows NT 4.0. Like other vendors, Digital Persona plans to replace the user login authentication mechanism and provide administration tools integrated into the common tools used by NT administrators, such as User Manager for Domains.

Digital Persona also recently announced the addition of a Microsoft Internet Information Server (IIS)-based authentication mechanism with client-side ActiveX or Java controls for Web users. Make no mistake, U.are.U is the authentication device to watch in 1998.

Although we acknowledge that USB is an excellent way to connect fingerprint-authentication devices, we're disappointed that it's the only option available. The USB specification has been around for quite a while, but vendors only now are beginning to include it as standard equipment, and implementations can be flaky.

For example, the Micron Electronics' PC we that used for our testing couldn't wake up the USB devices when the computer came out of sleep mode. As a result, we'd like to see Digital Persona offer an alternative interface to what is otherwise a superior device.