Everything You Need to Know About Fingerprint Scanners
Notebook computers are a systems security manager’s nightmare — and with good reason. Every day, thousands of notebooks venture outside the secure gates of agency offices, most carrying sensitive government data or providing a pipeline directly into federal servers. And while the news reports the few high-profile losses — nuclear secrets, and hundreds or thousands of stolen Social Security numbers — many more notebooks disappear every day, never to be seen again.
Among the tools available to keep data safe on notebooks, biometric fingerprint scanners are among the newest and possibly least understood. Though a valuable security asset, fingerprint scanners should be viewed as just one component of a three-part security approach, says Shab Madina, Hewlett-Packard’s worldwide product manager for business notebooks and an expert on notebook security.
This security triangle consists of “what you know,” i.e., your passwords; “what you have,” typically a smart card (or HSPD-12 card in the government); and finally, “who you are,” your physical identification, as recorded by the fingerprint reader in your notebook. Depending on the level of security needed, an information technology manager might require the use of one or all three.
How They Work
Nearly all fingerprint readers in notebooks consist of a thin gold-colored bar, about half an inch long, typically located on the palm rest.
When you swipe your finger across the bar, the scanner registers the valleys and ridges that make up your fingerprint. The resulting image is then analyzed and converted into a template — a sort of numerical map representing the location of distinguishing features (minutiae) in your fingerprint.
The more points on the map, the more accurate and secure the scan. A complete image of your fingerprint is never retained in the notebook. The swiping action also makes bar scanners more secure than the older pad scanners — pressing your finger on a static pad can leave a recoverable fingerprint.
The first time you use a notebook’s fingerprint scanner, the newly created template is linked to your user identification. Thereafter, each time you swipe your finger the system creates a temporary template and compares it against the stored template. Get a match, and you’re in.
Many scanners have the ability to learn more about your fingerprint with each swipe, making them better able over time to read off-angle swipes and a wider range of swipe speeds, says Toshiba product manager Craig Marking.
Protection Plus Convenience
All notebooks with fingerprint scanners also include security management software. Some vendors simply include a basic application from third-party software developers. Better versions are designed to tie into a notebook’s overall security management with a user-friendly interface. HP, Lenovo and Toshiba, for example, all combine fingerprint scanning with BIOS security, data encryption and system password management in a single umbrella application on their notebooks.
A second feature commonly included with most notebook-based fingerprint scanning applications is password management — not just for your power-up or Microsoft Windows login but all of your Internet passwords as well. Whether users find this useful or not depends on how well their other applications containing password management work.
Fingerprint scanning is exceptionally convenient when logging back into Windows. If you frequently walk away from your notebook during the day, typing in a password every time you want to unlock Windows is a pain. Security is enhanced, too, because users are likely to accept a shorter time between system idle (the time when they are not working on the notebook) and automatic system lock.
1888: At the age of 66, Sir Francis Galton — a cousin of Charles Darwin — was the first to develop a method for analytically defining the unique characteristics of an individual’s fingerprints and for comparing prints against one another.
Productivity Versus Protection
Fingerprint-scanning systems walk a fine line between usability and security. Make the scanning too stringent, and the number of false rejections (when the scanner rejects a legitimate user) goes up — along with user frustration. That’s more of an inconvenience than a security risk — the notebook user simply goes back to using a password.
Make the scanning too loosey-goosey and the number of false rejections goes down — which is great, except for the problem that false acceptances go up, along with an accompanying increase in security risk.
Most vendors set a specific balance point between false rejections and false acceptances. HP’s application, however, is a bit unusual because it lets you adjust the level of security from a one-in-3,333 chance of false acceptance to a one-in-20,000 chance.
HP’s Madina says that IT managers needing even higher levels of security can purchase more stringent matching algorithms from third-party software vendors. (Interestingly, all of the manuals reviewed for the article from different vendors state that fingerprint accuracy is not guaranteed.)
Lenovo and Toshiba let you use a fingerprint swipe at the power-on password level. HP and Fujitsu notebooks work only at the Windows login level. That’s no less secure because you can still use a password, but it is less convenient.
Ultimately, it’s the IT manager’s decision what level of security to enforce. And remember, fingerprint scanners are just one part of the security toolkit, but one that can be used at all levels of protection. For maximum security, use a three-tier authentication: Force a notebook user to insert a smart card, enter a password and scan a finger.
Toshiba Portégé M400
A notebook/tablet PC, the M400 has its fingerprint scanner located on the screen bezel. Slightly recessed and vertically mounted, the scanner is a bit cumbersome to use with any finger other than your thumb. I often had to make up to three swipes before the Toshiba recognized my print.
Toshiba’s Security Center is a nicely integrated package that combines administrator security features with Windows security and the Upek Protector Suite software fingerprint login management app. Setting up fingerprint scanning is not as automated as the setup of the HP or Lenovo, but it does have a similar security level and ease-of-use adjustment.
Lenovo ThinkPad T61
The ThinkPad system does a nice job of stepping you through security setup. Initially, it asks for a new logon password and then pops up a window for enrolling your fingerprint. Enrollment is much like what you get with other brands: You swipe a finger three times so that the system has a good template. It then suggests that you enroll one or more fingers.
The fingerprint scanner is conveniently located on the far right side of the palm rest. The scanning application, from Upek, is nearly identical to the one I found on the Toshiba — right down to a More Convenient/More Secure slider. It’s relatively intuitive and easy to use. It never took more than two swipes to log on, and in most cases one swipe did the trick.
Fujitsu LifeBook T4220
Another notebook/tablet PC, the Fujitsu comes with a scanner that’s mounted much like Toshiba’s — on the bezel. And it has the same issues: Scanning with any finger other than the thumb is awkward, and I often had to swipe two or three times for recognition. The scanning software, from OmniPass, seems more user-friendly than that on the HP, Lenovo or Toshiba. It’s simple to use and easy to navigate but does not provide any security below the Windows logon.
HP Compaq 8710p
HP combines its fingerprint management system, Credential Manager, with its comprehensive ProtectTools Security Manager utility. Some of the terminology, such as “credentials,” is not user-friendly, and the menus are deeply layered, but the system is generally well organized and detailed. One of the categories, for example, is Multifactor Authentication, which gives you various ways to use fingerprint scanning and passwords, either combined or separately.
The only flaw is that fingerprint security can be used only at the Windows login level — not at power on. Like the three other scanning systems, the HP includes a security level slider. It lists a one-in-20,000 chance of a false acceptance at its highest security setting. Enrolling a fingerprint at this setting can be a slow process. I had to swipe my finger very slowly and carefully for it to accept the scan, but that’s a fair degree of assurance.
Most fingerprint scanner-equipped notebooks use one of two technologies to create an image of your fingerprint:
Capacitive scanners record the difference in conductivity between the ridges and valleys that make up a print. Because they read the outer surface of your skin, older or poorly designed capacitive scanners can be spoofed by molds of your finger or even by using the “dead finger” so popular in spy flicks.
Radio frequency scanners, used in both Hewlett-Packard and Toshiba notebooks, penetrate the skin’s surface and read the print within the live tissue. According to AuthenTec, a major RF scanner vendor for notebooks, this technology is unaffected by changes in the surface of your finger (such as abrasion from a weekend of gardening without gloves) and cannot be spoofed.
