
I/O Software Sony Fingerprint Identification Unit
The Sony FIU was the most secure, compact and convenient scanner we tested, providing the only complete system that we would recommend deploying today. Its heart and brains are the Hitachi H8 CPU with 4 MB of flash RAM (enough storage for 1,000 templates), static RAM for internal processing and a custom Sony LSI chip. It performs all processing, verification and storage internally, without requiring a PC host. When it does communicate with the PC, it uses 64- or 128-bit DES (Data Encryption Standard). Sony claims the FIU is waterproof and can withstand temperatures ranging from -40 to +40 degrees Celsius.
The FIU is available in two models, and the principal difference between the two is finger orientation. You can't place your finger sideways or upside down for authentication with the FIU. On the other hand, because the platen is deeply nested between two ridges, it was difficult to get a bad reading. In our tests, the Sony FIU showed excellent enrollment results, reading every user correctly the first time.
We were unable to fake out this device no matter what we tried. Sony's fake/live finger detection relies on resistive and capacitive measurements through a special coating on the platen surface, as well as a special contrast sensitivity algorithm. While Sony's device would occasionally wake up when a fake finger was pressed to the platen, the image was always rejected.
Sony's NT Logon software--the Sony Puppy Secure Logon--is supplied by I/O Software, the largest distributor of the FIU in the United States. Puppy software, now in version 2.0, is well integrated into Windows NT. Like the others, it replaces the NT GINA (Graphical Identification and Authentication) logon screens with its own login, but it's actually more convenient than the others. NT typically assumes the last user ID is being accessed, so users get in literally at the touch of a finger. There's no need to use the keyboard, not even for the CTRL-ALT-DEL Secure Attention Sequence. And performance is consistent across host computers because all verification happens right on the FIU.
Sony Puppy replaces NT passwords with fingerprints, and it lets you use fingerprints and passwords in combination or simply standard NT passwords. Between client and Primary Domain Controller, Puppy uses Triple DES encryption with three 64-bit keys. Authentication criteria are set on a per-user basis, unlike the ABC system, where all users had to use the same criteria. The software also can be configured to use adaptive verification, which gradually replaces old fingerprint enrollment data with more recent prints, better adapting to the physical and environmental changes that gradually happen to finger surfaces.
Unlike NRI's software, Puppy uses an administration application separate from User Manager for Domains, an approach the vendor says it believes will better protect users from upgrade problems down the road. Also, unlike NRI, Puppy puts encrypted fingerprint data right into the NT SAM (Security Account Manager) database, where it can take advantage of NT's internal security services--without having to maintain an external database.
Other products that worked with Sony's FIU include SecureStart/ISA, an operating system-independent boot-up mechanism using a $99 ISA board that protects system start-up. Another approach in development uses ROM BIOS extensions that are being released by American Megatrends, Award Software International and Phoenix Technologies in mid-1998. The Sony device works well in these environments because it can operate independently of the host computer.
National Registry Inc. Secure Keyboard Scanner
NRI is the most well-known fingerprint-authentication company for general-purpose enterprise data network security. It introduced a line of fingerprint-recognition systems in fall 1996 and has since shipped more than 1,200 scanners. NRI offers readers embedded in keyboards or standalone devices, coupled with frame grabbers installed externally, on ISA boards or PC Cards.
NRI doesn't view itself as a hardware company, with good reason. Although we liked NRI's NT software, we found a number of flaws with the scanners. We expected NRI to exit the hardware business entirely and recent events back us up. Just as we went to press, NRI qualified three of the next generation of alternate sensors, too new for this review: CrossCheck Technology's Verifier, Veridicom's VPS and Who? Vision's TactileSense.
Among the problems: NRI's scanners didn't attempt to check for live fingers, and we were able to get into the system using a rubber mockup. Next, the data path between scanner and PC wasn't encrypted, making the standard video image that was sent to the frame grabber subject to snooping attacks. The requirement for an external frame grabber and connectivity to the PC parallel port--even in the keyboard-embedded version--made setup clumsy.
Finally, the plastic platen was subject to scratching, which may render the device unusable.