The use of biometric authentication covers a lot of territory, but we saw a lot less breadth this year than last. For example, last year we had a facial recognition product. Lack of such a product this year should not be construed as counting it out of the biometrics landscape. Rather, it has been sufficiently successful that this group review came as the new product was upgrading and was not available for review.
There is an interesting trend toward lower cost. In fact, some biometric PC access control systems are at or below the price of tokens. This has interesting implications for user-level access control. Last year when we looked at these products, fingerprint scanners were criticized by their competition for false positives and negatives and higher cost given what they are intended to do. This year I can't agree.
Most of our products this year are fingerprint scanners, and they show specifications that are quite acceptable for false positives and negatives. As to using these products as endpoint authentication, they have - in part, thanks to Windows - excellent authentication characteristics overall.
A problem implied by adding an external authentication device is that someone simply bypasses the device and cracks the computer's password instead. This is especially troublesome - potentially, anyway - for laptops. Today, however, there is no difficulty in cutting off the ctrl-alt-delete password path or otherwise restricting Windows login to the device. Most of the products we tested had the ability to access Active Directory (AD), as well.
One of the perennial complaints about fingerprint scanners is error rate. There are three types of error rates: Type I (false positives), Type II (false negatives) and Crossover (the point at which both types are equal). In fingerprint scanners, these are characterized as False Acceptance Rate (FAR), False Rejection Rate (FRR) and Crossover Rate, plus others, such as Failure to Enroll (FTE) and Ability To Verify (ATV). ATV is the product of (1 - FTE) and (1 - FRR). The lower the ATV, the more reliable the product.
Many products offer adjustable FAR and FRR to obtain a crossover rate that is acceptable for the environment in which the product will be used. Since such factors as skin color, age and dirty environments can impact the ATV, it may be desirable to tune the product specifically for the application.
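To make the tuning described above concrete, here is an added example (not code from any product in this review) that takes constructed match scores from a hypothetical fingerprint matcher, computes FAR and FRR at every threshold, finds the crossover point, picks a threshold for a target FAR and computes ATV from an assumed FTE:

```python
# Constructed sample match scores (0-100) from a hypothetical matcher.
# GENUINE: an enrolled user presenting their own finger.
# IMPOSTOR: other people's fingers presented against that enrollment.
GENUINE = [62, 70, 74, 78, 81, 85, 88, 90, 92, 95]
IMPOSTOR = [20, 28, 33, 40, 45, 52, 58, 63, 66, 72]


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Scan thresholds 0..100; return (threshold, FAR, FRR) where |FAR - FRR| is smallest."""
    best = None
    for t in range(101):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR paid for it.
    Tightening FAR (e.g. a shared, high-value workstation) raises FRR: this is the tuning trade-off."""
    for t in range(101):
        if far(t, impostor) <= max_far:
            return t, far(t, impostor), frr(t, genuine)
    return None


def ability_to_verify(fte, frr_value):
    """ATV = (1 - FTE) * (1 - FRR): share of attempts that both enroll and verify.
    FTE is assumed (e.g. 2% of a population with worn or dirty fingerprints)."""
    return (1 - fte) * (1 - frr_value)


if __name__ == "__main__":
    print("crossover (threshold, FAR, FRR):", crossover())
    t, a, r = threshold_for_far(0.0)
    print("zero-FAR operating point:", t, "FAR", a, "FRR", r)
    print("ATV at that point with FTE=0.02:", ability_to_verify(0.02, r))
```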
How we tested
We tested in a pre-established Windows domain. When the device could connect with AD, we established user authentication using AD parameters and extensions if the product under test offered them. We looked at ease of implementation in the enterprise, ease of enrollment, and effectiveness of the product in an enterprise environment.
Since most of today's fingerprint scanners offer adjustable FAR and FRR, we were less concerned about that than we were about the things that bedevil system administrators when authentication other than passwords is in heavy use throughout the enterprise.
The first rule of biometrics is to decide what you will be using the product for. Biometric devices for protecting physical locations are different beasts from those that protect data on the network. We looked at a couple of products that used fingerprint scanning for physical access control.
Also, there are proponents of very strong biometric authentication that goes beyond fingerprint scanners, citing their false acceptance and rejection rates. Some examples of this type of strong biometrics are facial recognition, retinal recognition and vascular scanners. These are significantly more expensive than fingerprint scanners.
The bottom line: know your application well, know your population and the environments in which they will use the biometrics, and apply biometric applications where they will do the most good. For example, for heavy travelers who carry sensitive data on laptops, you may want to consider whole disk encryption and biometric access control.
Beyond pure security, there is the convenience factor and how it improves security. Some of the products we tested allow a form of single sign-on, both to applications and organizational resources, as well as to websites. This may seem like little more than convenience, but in fact, if it prevents users with many passwords from writing them down and, potentially, compromising them, there certainly is a security benefit.
Mike Stephenson contributed to this Group Test.