GonzoBanker is proud to provide another valuable service for our faithful readers. Where can bankers find unbiased testing and analysis of new technologies? The annual technology conferences? Hah, you can only get the salesmen’s spin on their own products. (Are you surprised that every vendor claims its product is the best?) GonzoLabs will feature hands-on testing of new technologies making inroads into the industry. Research will be presented on an irregular basis and will present statistically insignificant results. Think of it as Consumer Reports for the financial services community.
Multiple GonzoBanker articles have featured biometric technology including last week’s discourse on two-level security and my own article, “Time For Biometrics?” Okay, okay, so I Googled biometrics to see what could be found on the subject. Multitudes of vendor claims presented little to answer the question: “Does this technology really work or are we still in the early phases of discovery?”
Biometrics is the subject of our research, but which technology should be tested? There are a lot to pick from, including fingerprints, retina scans, face geometry, hand geometry and ear geometry. There is even consideration of using other body parts, e.g. the tongue and genitalia. This would certainly give new meaning to “logging on” to a computer. Wouldn’t getting money from an ATM using this biometric present an interesting image!
After presenting my planned expenditures to examine multiple biometric technologies to the GonzoBanker capital committee, the result was no, nyet, non, and every other way to say “too expensive.” Additional pleadings finally produced results: $125 was approved to perform an in-depth review of multiple fingerprint technologies.
Is this technology ready for prime time? That is the question to be answered. Due to the limited budget, two different technologies were selected for testing. Products from Microsoft and Sony were purchased from an Internet site.
The Microsoft Experience
Microsoft’s basic product is a very affordable $48. The fingerprint reader is small and features an oval glass surface on which to place the finger to be scanned. Software was delivered on a CD.
Software installation was disappointing for a Microsoft product. It went like this:
Within a minute the process was completed and instructions for connecting the reader device were displayed on the desktop.
What a disappointment! I started this test early in the evening expecting to reboot my computer multiple times, de-install the product at least once, call support, then format the hard drive and reinstall Windows XP. No such luck. Installation was completed in a few minutes and my first introduction to a real biometric security device began.
With the installation completed, it seemed like a good time to read the manual. The first step following installation is to configure the device and user options. Let’s see, Start Program, select Microsoft Fingerprint Reader and the administration window appears.
Now I had to register my fingerprints amidst a warning that it is wise to register more than one finger in case of damage to a single finger. OK, I’ll register three, surely the odds of “damaging” three fingers is relatively low. Starting with the index finger, registration required placing the same finger on the reader four times. After the fourth round, a message was displayed indicating that the fingerprint was satisfactory and was saved. On average it took two to four print cycles for each finger to get a satisfactory fingerprint image. Registering three fingers on my right hand took a total of ten minutes to complete. Had I registered all ten fingers, the maximum allowed, it would easily have taken a half hour.
Next it was necessary to select the features to be secured by my fingerprint. Basically the user can select two features: 1) sign on to the computer, and/or 2) sign on to any application or Web site that utilizes a user ID and a password.
A large “WARNING” followed the use of fingerprints for computer sign on. It stated that should the fingerprint reader fail or should the software not recognize my fingerprint for any reason, the only solution was to reformat the hard drive and reload Windows XP. Whew, that’s an easy decision – do not use a fingerprint to secure the sign on to my computer.
After starting Internet Explorer, here’s what happened:
Over the next few weeks, 20 Web sites were registered for use. Continued use of the reader quickly uncovered its weakness. Glass covers on the readers were susceptible to dirt, dust and grime. After a short period of time the reader seemed not to work. After several tries, I discovered the problem was the dirty glass.
Summary
My first thought was the increase in Help Desk volume because of failed scans.
Sony Puppy
Sony’s Puppy product costs $75. Like Microsoft’s solution, the box contained a CD and a small fingerprint reader. However, the Puppy’s reader is boxier and has a metal surface on which to place the selected finger. “Reading” a print uses conductivity of the fingerprint ridges on the plate and does not require an optical “view” of the finger.
Registration of fingers proceeded as before. Each finger registration required four separate scans before the software would “accept” the fingerprint. Sony’s process was a bit faster, but in some cases required starting over before a single print could be registered.
Now the software was configured before the first use. Sony’s software gave the choice of using just a fingerprint, a fingerprint and a password, or a fingerprint or a password. Choosing the last options seemed the safest way to go. Next it was necessary to determine the fingerprint used for validation. That fingerprint would be the one that would be requested when signing on to a Web site or the computer. Fortunately, the WARNING on signing on to the computer was noticeably absent.
After shutting down and restarting the computer, a Puppy dialogue box appeared instead of the usual Microsoft sign on. After placing my finger on the reader, I was quickly logged onto my computer. Hmmm, not bad, and if my index finger was “damaged” I could also use my password. This is a nice feature.
Registration of a Web site followed a similar pattern. Navigate to the Web site, fill in the user ID and password then use a key sequence to tell the Puppy software to register the site. Future visits to the site could now use my fingerprint for a sign on. From box to using the product required a very manageable 15 minutes. I must be well up the learning curve.
Summary
If I had a choice, I would use Microsoft’s software and Sony’s reader. Unfortunately, that option was not available.
Ready for prime time?
Implementation of simple biometric technology is interesting; it works reasonably well for an individual but would have a number of issues when installed across the enterprise. This is a great way to store a number of unique user IDs and passwords without risking their loss.
As a CIO, it would be better to implement a single sign on rather than deploying this technology as a way to solve the multitude of user IDs and passwords. However, in selected areas requiring a higher level of security, this type of device could be very effective if combined with a password.
–caf