Beyond Passwords: 3 Alternate Security Devices
Computer security is one of the highest priorities for IT departments, and every major corporation has staff devoted to maintaining a secure computing environment. The standard toolkits include firewalls, intrusion detection and prevention, anti-malware and any number of software systems that protect the contents of computers against would-be intruders. But even with all that digital protection, research shows that one of the biggest areas of vulnerability remains physical access to users' computers. These three security devices offer protection at the workstation level, blocking access to anyone without the appropriate credentials.
While each offers robust security, each takes a different approach to the identity verification criteria. AccessSmart's Power LogOn uses a smartcard, Digital Persona uses a fingerprint scanner, and SensibleVision's FastAccess uses facial recognition via an attached webcam. I found each to work as advertised, denying or allowing access appropriately.
SensibleVision FastAccess is the most automatic and unobtrusive security device of the three. The application uses a webcam attached to the computer and applies facial recognition to analyze the face it sees, matching it against the characteristics of the face belonging to the authorized user. After installing the software, the first step was to connect the webcam.
SensibleVision says that nearly any USB-connected webcam will work. I tried both a relatively high-end Creative unit and a low-end Logitech QuickCam and didn't notice any difference in performance. It seems that the facial recognition process does not depend on a particularly high-resolution image to identify the necessary features. On the other hand, I did notice a difference when changing lighting conditions. When the light source is behind the face, FastAccess has more difficulty identifying the features than when the lighting is in front or to the side. It had no problem when I used standard fluorescent office lighting.
The system needs to be "trained" to the user's face. This is a simple process that involves sitting in front of the computer with the webcam on top of or below the monitor. One note here: FastAccess takes over the webcam to the exclusion of any other applications. If you routinely use your webcam for chat or video blogging, you will need to suspend FastAccess' use while you use the other application, or add a second cam.
While FastAccess is active, it constantly looks for a face in its field of view. When it finds one, it draws a box around it, alerting the user. If the face matches that of the user, the Windows password is automatically entered and the PC is unlocked. I tried to fool the system by wearing glasses, combing my hair differently, and wearing a headset. In each instance, FastAccess didn't recognize me, and asked me to sign in manually with my password. However, when I tried the same tricks a second time, the system recognized me as the same person, having recorded the new shapes and associating them with my login profile.
Different Systems, Different Features
It's possible to set the timeout duration to suit your situation. For maximum security, I set the system to time out within five seconds of losing my face. When I got up from my desk or even turned away, my PC locked. But as soon as I returned and faced the webcam, the computer was available again.
An interesting application is to set the system for multiple users, each with their own login. This is great for shared computers because FastAccess will automatically log one user out and another in when each sits down at the keyboard.
An additional feature, shared by the other security systems as well, is the ability to create user logins for applications and web sites. FastAccess calls it single sign-on, and it's a very useful feature that goes beyond just logging onto the PC. It allows users to have complex and therefore more secure passwords for all their applications, decreasing the chance for identity theft as well as corporate intrigue.
FastAccess is sold as a starter kit that includes software for three workstations for $399. Discounts are available for larger quantities, and webcams are available separately.
AccessSmart: Power LogOn
Power LogOn uses smartcard technology to authenticate users to their accounts. Smartcards are certainly not new to the enterprise environment, but have not been widely adopted in the SMB world. AccessSmart wants to change that, and its Power LogOn system is aimed precisely at this market.
The system is available in both a USB and PCMCIA version, making it suitable for both laptop and desktop deployment. I tried both and was happy with the ability to use it to access two computers. Probably the biggest single benefit of this is that I was able to use the same smartcard in both readers. That may not seem such a big deal until you consider how many of us use both a desktop and laptop computer interchangeably.
I set up the reader by installing the driver and password application on both machines. I then started with my desktop system and configured my card with a master password and a local password. The two passwords allow me to use different accounts on different machines if necessary. To simplify my life, I used the same login name on both systems.
The smartcard has some memory capacity, enough to hold a hundred or so user account names and passwords. That makes it a natural for storing passwords and login information not only for the computer, but also for software applications and online accounts. I logged into my various accounts and let the password manager record my login information for each. The system has a variety of configuration options that let me set whether to automatically fill in the login information and complete the login process, or simply fill in the fields and let me click the login button myself.
The Smartcard Gets to Know Its Owner
The next time I logged out of my computer, AccessSmart requested my login PIN. When I supplied it correctly, the system logged me into Windows. In addition, once I authenticated myself to the smartcard, all the accounts and passwords that I had memorized on AccessSmart were available. In fact, the password manager acts like a 'favorites' list, so I could click the account name in the password manager and automatically bring up the application or web site and be logged in automatically.
The additional ability to use the very same smartcard in my laptop allowed me to take the card out of the desktop's USB reader (which automatically logged me out of the computer), and slip it into the reader in the PCMCIA slot on my laptop. I then authenticated myself to AccessSmart on the laptop and had immediate access to the same online accounts and applications that I had on the desktop.
The smartcard is secure enough to scare me. If I lose the master passcode, my only recourse is to reformat the memory and start over. In addition, if I (or someone else) make too many wrong attempts to guess my PIN, the card is automatically erased. On the plus side, the system lets me make a backup of the card's data on my computer (which I can always log on to manually) that can be restored to a smartcard if mine is lost or damaged.
Power LogOn with the USB reader sells for just under $100, and the PCMCIA version sells for about $110.
DigitalPersona Pro uses a USB-attached fingerprint scanner to authenticate users. The USB connection makes the system suitable for both desktop and portable systems. And because the system uses fingerprints for recognition, it offers flexibility (multiple fingerprints for each person) as well as security.
In some ways, DigitalPersona Pro is the most restrictive in its use because the product only runs on Windows 2000 and XP Pro. That leaves out the possibility of using it on XP Home systems. And at this time there is no support for Windows Vista, though the company plans a Vista-compatible release this summer.
I was able to install the software on a Windows XP Pro system and attach the U.are.U 4000B fingerprint scanner via USB. When I rebooted the system for the first time, the DigitalPersona software led me through a setup wizard that created a profile linked to my Windows login. Once that was done I was able to scan different fingers that would initiate the same login.
The U.are.U finger scanner is a small device with a clear window on the top where you place your finger or thumb. The system requests you put your finger on the pad four different times. The prints themselves are not saved as images. Instead, the parametric analysis is stored. This makes reverse engineering a fingerprint impossible, and reduces the size of the data being stored.
The reader and software combination worked quickly every time when I logged into my Windows account. The process of setting up logins to applications and online accounts presented me with a few problems, however.
Different Technologies for Different Needs
When I attempted to create a login for a Hotmail account, the system didn't recognize the page as a legitimate logon screen. I rebooted the system again, and on the next try, the wizard worked properly.
Creating a DigitalPersona login is simple when it works, though I found it a bit restrictive in that the process depends on using a version of Microsoft Internet Explorer before version 7. To create a login, I touched the U.are.U pad, which flashed a small window indicating I was recognized. An icon is also displayed on the top bar of the browser window, indicating that DigitalPersona recognizes the page as a valid login page. At that point I was able to click the icon and enter my user name and password information, which the wizard automatically transferred to the Hotmail login page and successfully logged me in.
That process seems simple and secure. However, the next time I went to the Hotmail login page, I was not able to use the automated login. For some reason, the first attempt didn't record properly. The company's tech support was able to help me fix the problem, and it has worked correctly since then.
Overall, I like the idea of using fingerprint technology, and I know that this same technology is in use in a wide variety of products ranging from keyboards to PDAs and kiosks. I would like to see more latitude in the operating systems it can be used with. In addition to the DigitalPersona Pro package, there are several other configurations and combinations available to fit a variety of needs. See the company's web site for specifics.
DigitalPersona Pro with the U.are.U scanner sells for $150.
Take Your Pick
Every environment is different. Your situation may be better suited to facial recognition than fingerprint recognition. Or you may want to make use of a single smartcard to carry your login information between multiple computers. Each of these products offers significantly better security than what you can achieve with single-factor authentication, or passwords, alone.
- Scott Koegler lives the digital lifestyle in the wilds of Western North Carolina, where he writes about computers, computing, software, and making them all work together.
(c) 2000-2007 CMP Media LLC. All rights reserved.