I suppose this review may be thought of as two. The SecuGen EyeD Hamster fingerprint biometric reader and the SecuIBAS 'internet' authentication suite software.
The EyeD Hamster is a relatively small but robust optical fingerprint reader manufactured in Korea. It is extremely well finished and attractive in appearance, looking very acceptable alongside any workstation. Connectivity is via USB and there is a weighted stand supplied to keep it in place on the desktop. A reassuring red glow upon activation shows that all is well with the hardware, which incidentally installed flawlessly via the usual plug and play USB routine under Windows 2000 (SP2). This is a good example of a fingerprint biometric reader that should prove both easy to use and reliable, with little maintenance other than keeping the optical surface clean.
SecuIBAS may be thought of as an authentication infrastructure, divided into three primary areas: the client software, your company web server (or online service provider) and the SecuIBAS server. The authentication and biometric matching engines are located on the SecuIBAS server, which may in turn be thought of as two layers, the business logic and data access layers. Communication between the SecuIBAS server and the OSP/web server is via HTTP and SSL, while communication between the client and web server will depend somewhat on where the web server sits (LAN or remote).
The whole idea of course is to provide a secure web services login via the use of biometric identity verification of the user. This is how it works in broad terms.
A user requests the login page from the web server/online service provider, which returns the page accordingly. The user enters the appropriate information, provides his or her biometric and submits the page. The web server receives the information and requests the biometric authentication service from the SecuIBAS server. The SecuIBAS server retrieves the matching biometric from the SecuIBAS database and performs the matching process via the SecuGen algorithms, returning the result back to the web server, which takes the appropriate action and, in turn, communicates back to the client. If all is well, the user's biometric is confirmed and access to the desired information granted accordingly.
Security levels are policy based and may be configured on the server via the supplied Policy Manager utility. This allows you to set minimum levels according to transaction type at this point, which will, if necessary, override user choices. For example, you may allow the user to select between password and biometric-based authentication for access to several services, but may enforce a biometric check (thus overriding user settings) for especially important transactions. Having configured transactions in this way, users and groups may be assigned to transactions accordingly. To counteract against replay attacks, SecuIBAS employs a one-time template (OTT) technique whereby a unique tag is sent from the server. This is used in the template creation process, ensuring that each template submitted is different from the last.
SecuIBAS operational compatibility is comprehensive, supporting the major server and (Windows based) client systems and also a variety of programming options such as active server pages, HTML, Active X, active template library, HTML scripts and SQL. Browser support is for MS Internet Explorer 4.0 or higher and Netscape Navigator 4.0 or higher. Most environments should easily deploy the SecuIBAS infrastructure.
In previous SC evaluations of biometric products, we have occasionally criticized the supporting documentation, both for its form (often only on the CD as a PDF file) and content (sometimes seriously lacking). SecuGen turns the tables on us this time with an outstanding product manual for SecuIBAS. An attractive silver hinged presentation box, sleeved by a black cover with silver lettering, contains a proper, printed 155-page attractively presented manual. And, the beauty is more than skin deep, with well-written information covering installation, administration and management tools, even a developer's reference for web browser extensions. Top marks to SecuGen then for attention to detail.
In conclusion, this product represents an interesting progression from typical product offerings from biometric vendors. Rather than simply supply a biometric reader and rudimentary software with which to interface to the Windows login process, SecuGen have broadened the thinking out to the internet/intranet/extranet with an appropriate architecture to provide biometric identity verification for web applications.
If you are seriously interested in pursuing such an idea, then you should carefully consider SecuGen approach could be right for you in light of your own operational architecture and space, especially from the security perspective. As an enabling tool kit, it has much to offer, but you need to understand how it might work in your environment.
Since receiving this product we have learned that SecuGen have developed a new product platform called SEAS (SecuGen Enhanced Authentication Service). The first SEAS-based product will be a plug-in for Netegrity SiteMinder, a popular e-business access control product. This will provide for biometrically enabled SiteMinder-protected web sites and web applications.
