Focus: Biometric authentication
Product: DigitalPersona Workstation Pro and Server 4.0
Price: Server, $1,499, plus $50 authentication license per user; Workstation without reader, $60, with
Biometric authentication has met considerable market resistance, mostly because of integration issues, accuracy and cost. With improved technology and the introduction of laptops equipped with fingerprint readers, biometrics may be starting to move into the mainstream. DigitalPersona Pro is a robust single sign-on (SSO) software suite that allows an enterprise to replace passwords with biometric fingerprint readers or provide dual-factor authentication.
Installation and setup: B+
There are two pieces to the suite: DigitalPersona Pro Workstation software for individual systems and the server component, which integrates with Active Directory on your domain controller. While the workstation software can function by itself, the server provides domain-wide SSO.
Installation is straightforward. The server installation requires a few more steps to integrate with Active Directory, but it's all detailed in the manual. After installation, the workstation software starts a wizard, which records your fingerprint. After a few repetitions, we were able to register a fingerprint in less than 10 seconds. The workstation software automatically detects any Digital-Persona Pro servers on the local network.
Both the server and workstation software can be purchased with or without DigitalPersona's fingerprint reader. The latest version of DigitalPersona Pro offers wide support for third-party readers, such as those becoming popular in new business-class laptops. The DigitalPersona optical reader is quite good; we found it to be accurate, with few false negatives and no false positives.
Workstation (single user): B-
The workstation software, in standalone mode, is rather simple. It integrates with Windows logon and also provides an SSO function that seems to be geared toward home users. The SSO feature provides an automatic wizard that will detect the login fields in many applications. Unfortunately, we found there are some apps it does not support (such as terminals, like Putty). It also supports only Internet Explorer, a problem considering the growing popularity of Firefox. However, it is very easy to use, fast and accurate with applications it supports.
Server (centralized environment): B+
The server software is much more robust. The SSO wizard allows manual creation of login templates to support applications that the automatic wizard can't detect; these templates are pushed out to desktops via GPOs.
Creating a template is fairly easy. You need to make sure the window title is accurately reflected within the SSO administration tool. You then enter the actions required for login--e.g., entering keystrokes into a field, time delays, or x-y coordinates of a window. Templates can also be created for password-change forms, which can be used to automatically generate passwords. The created templates can be either pushed out to workstations via GPO or copied manually.
The server centrally manages fingerprint data for all users, with tight Active Directory integration. It also provides event logs for fingerprint logins to help with regulatory compliance, but lacks strong reporting capabilities. It also provides a handy query tool to easily discover who has registered fingerprints.
Enterprises looking for a biometric single sign-on solution won't be disappointed with what DigitalPersona Pro offers. The software is easy to use, and can function with single- and two-factor authentication.
DigitalPersona Pro Workstation was tested as a standalone product on Windows XP desktops, and in an AD environment with the server component on Windows Server 2003.
This review originally appeared in the March 2007 edition of Information Security magazine.