
National Registry's Secure Authentication Facility for Windows NT (SAF/NT) will impress administrators with its direct integration into User Manager for Domains. But it didn't delight our users who attempted to log in to the system; they were forced to line up their fingers over crosshairs and press a capture key. In addition, the NRI unit had problems reading fingers from most of the women participating in our study.
SAF/NT also forced us to configure and manage the Microsoft SQL Server engine. In two separate installations, we were inadvertently locked out of administrator accounts because of SQL database problems. This was primarily because of the default SQL Server database sizing and the use of logging, which consumes 512 bytes per user daily.
We resolved these problems by issuing SQL commands from a remote workstation and establishing a regular database archive cycle.
Instead of integrating fingerprint data directly into the NT SAM database, like Sony or Digital Persona do, SAF supplied user passwords to the NT security system during login. SAF/NT requires at least a 100-MHz Pentium with 32 MB of RAM to finger-enable a workstation. It also was incompatible with the Novell IntranetWare Client for Windows NT.
Biometric Access Corp. SecureTouch
We found that BAC's SecureTouch scanner is a relatively heavy unit that requires a good deal of real estate on the desktop: It measures about 3x5 inches at the base. It also lacks live/fake finger detection and doesn't encrypt the communication channel to the host PC. Even worse, we were able to break into the system using fingerprint images lifted from a tabletop.
Despite its size, the SecureTouch was surprisingly inexpensive. Prices start at $199 and drop to $119 for volume purchases. Included in this package are sample software for capturing and matching prints, as well as a Windows95-based access control application. At press time, BAC was working on a GINA login application for Windows NT.
The BAC device delivered the lowest false rejection rate for logins, mostly due to the preconfigured default settings that were so lax, even photocopied images were accepted as valid fingers. The BAC unit also can optionally store actual fingerprint images, a practice many consider a violation of privacy if abused.
American Biometric Corp. BioMouse
We initially had high hopes for American Biometric's BioMouse, but we ended up being disappointed. At first glance, the lightweight unit appeared to have much in common with the Digital Persona U.are.U, but BioMouse didn't perform nearly as well. Users complained about its awkward and unforgiving finger orientation, flimsy plastic legs and difficult scanning process.
ABC's approach to Windows NT Logon software is similar to Sony's FIU--it uses a standalone application for fingerprint enrollment. However, the software employs a crosshair approach, forcing users to place the center of their fingers' features on the screen and press a capture key with the other hand. In addition, the scanning area of the BioMouse is much smaller than the actual platen surface, resulting in a high number of rejected login attempts attributed to bad finger orientation.
ABC offers software for Windows95 and Windows NT, as well as an Entrust Identity Plug-In. On a per-device basis, an administrator can set eight levels of false acceptance rates, from one per 1,000 to one per 1,000,000. Keep in mind that low false-acceptance rates can result in legitimate users being rejected from the system. Other settings that could be adjusted included touch sensitivity, motion sensitivity and speed.
Identix TouchSafe II Fingerprint Identity Verification Terminal
Identix has a background in biometrics for non-computer environments, such as building access control, time and attendance, the FBI Automated Fingerprint Identification System and criminal law enforcement agencies. The TouchSafe II showed these roots--with its bulk, high cost and slow operation. Identix acknowledged that it will be forced to introduce new devices to compete on cost and convenience in the enterprise.
TouchSafe II was difficult for most of our testers to use, turning in very high false reject rates when using the system default settings. On average, 52 percent of our attempts were incorrectly rejected, and 60 percent of the time that the women in our test group tried to authenticate to the system, it didn't recognize them.
The device also required very firm, even pressure on the platen, which felt unnatural for most of our enrollees. We also were required to place our finger on the platen for several seconds in order to get an acceptable reading.
To properly configure the TouchSafe unit, administrators must set three threshold values--verification, false finger and high security--as well as a flag for image quality checking during enrollment.
While it's possible to tune these settings to reject false fingers and latent images on the platen, most administrators will shy away from setting these and stick with the defaults. Under these conditions, fake finger detection was not activated and we were able to get into the system with a rubber mockup.
Moreover, the defaults produce such a high false reject rate that administrators may be tempted to set thresholds too low. We discovered that latent images on the glass and photocopied fingerprint images could authenticate to the system if settings were too lax.
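The threshold trade-off described for the BioMouse false-acceptance levels and the TouchSafe II verification threshold can be measured before a setting is deployed. The following is an added example, not code from any of the reviewed vendors: the score scale, the sample scores and the function names are constructed for illustration, and a real evaluation needs far more samples to estimate rates as low as one per 1,000,000.

```python
# Constructed sample data: similarity scores (0-100) from a hypothetical matcher.
# GENUINE  = enrolled user presenting the correct finger.
# IMPOSTOR = any presentation that must be rejected (wrong finger, latent print, photocopy).
GENUINE = [91, 88, 76, 64, 95, 83, 58, 71, 89, 67]
IMPOSTOR = [12, 33, 41, 27, 55, 19, 62, 38, 8, 46]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is accepted.

    FAR = fraction of impostor presentations accepted (false acceptance rate).
    FRR = fraction of genuine presentations rejected (false rejection rate).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def lowest_threshold_for(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Find the most lenient threshold whose measured FAR stays within max_far.

    Returns (threshold, FAR, FRR) so the usability cost of the security
    target is visible, or None if no threshold on the 0-100 scale qualifies.
    """
    for t in range(0, 101):
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


def sweep(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Tabulate (threshold, FAR, FRR) rows for a list of candidate settings."""
    return [(t, *rates(t, genuine, impostor)) for t in thresholds]


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep([40, 50, 56, 60, 63, 70, 80]):
        print(f"{t:9d}  {far:.2f}  {frr:.2f}")
    # Lowering the threshold to cure false rejects admits impostor samples;
    # raising it to reach zero false accepts starts rejecting real users.
    print("FAR <= 0.10:", lowest_threshold_for(0.10))
    print("FAR <= 0.00:", lowest_threshold_for(0.00))
```

Running the sweep against scores collected from the actual user population, including known-bad presentations, shows how much false rejection a given false-acceptance target costs before the setting reaches production.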
David Willis can be reached at dwillis@nwc.com. Mike Lee can be reached at mlee@nwc.com.