Product Group Tests
Offering solid performance, self-enrolment and a full range of Active Directory schema extensions, we rate DigitalPersona Pro as our Best Buy.
A multi-factor authentication tool for physical access control, Bioscrypt’s V-Station gets our Recommended rating.
Full Group Summary
This month's crop of biometric tools offers strong authentication for sensitive information and there is an interesting trend towards lower costs, discovers Peter Stephenson
Biometric authentication covers a lot of territory, but we saw a lot less breadth this year than last. For example, last year we reviewed a facial recognition device, but the lack of such an item this year should not be construed as it vanishing from the biometric landscape. Rather, the product has been sufficiently successful that a new version was being upgraded and not available for review.
There is an interesting trend towards lower cost. In fact, some biometric PC-access control systems are either at or below the price of tokens. This has interesting implications for user-level access control. When we looked at fingerprint scanners last year, they were criticised by their competition for false positives and negatives, and their higher cost, given what they are intended to do. This year, I cannot agree.
Most of the products this year are fingerprint scanners, and they show specifications that are quite acceptable for false positives and negatives. As to using them for endpoint authentication, they have - partly thanks to Windows - excellent authentication characteristics.
One problem that is implied with the addition of an external authentication device is bypassing the device and cracking the computer's password. This could be troublesome for laptops. Today, there is no problem in cutting off 'ctrl-alt-delete' or restricting Windows login. Most of the products we tested also had the ability to access Active Directory (AD).
One of the perennial complaints about fingerprint scanners is their error rate. There are three types of error rates: Type I (false positives); Type II (false negatives), and Crossover (where both types are equal).
Fingerprint scanners are characterised as the false acceptance rate (FAR), false rejection rate (FRR) and crossover rate, along with other considerations such as failure to enroll (FTE) and ability to verify (ATV). ATV is the product of 1-FTE and 1-FRR. The lower the ATV, the more reliable the product.
Many products now offer an adjustable FAR and FRR in order to obtain a crossover rate that is acceptable for the environment in which the product will be used. Since such factors as skin colour, age and a dirty environment can have an effect on ATV, it may be desirable to tune the product to the specific application.
How we tested
We tested the products in a pre-established Windows domain. Where the device could connect with AD, we established user authentication using AD parameters and extensions if the product offered them. We considered each product's ease of implementation and enrolment, and effectiveness in an enterprise environment.
As most of today's fingerprint scanners offer adjustable FAR and FRR, we were less concerned about that than we were about the things that worry system administrators when methods of authentication other than passwords are in heavy use throughout the enterprise.
The first rule of biometrics is to decide what you will be using the product for. Biometric devices for protecting physical locations are different from those that protect data on the network. We examined a couple of products that use fingerprint scanning for physical access control.There are also proponents of very strong biometric authentication that goes beyond fingerprint scanners because of their false acceptance and rejection rates. Examples are facial recognition, retinal recognition and vascular scanners. But these are a lot more expensive.
The bottom line is: know your application well, know your population and the environments in which they will use biometrics, and apply biometric applications where they will do the most good. For example, people who travel a lot and carry sensitive data on a laptop may want to consider whole disk encryption and biometric-access control.
Beyond pure security, there is the convenience factor and how it improves security. Some of the products we tested allow a form of single sign-on, both to applications and organisational resources, as well as to websites. This may appear to be little more than convenience, but if it prevents users with many passwords from writing them down and, potentially, compromising them, there are definite benefits.
Mike Stephenson contributed to this Group Test.