Touch-and-go computer access

Testing by Michelle Speir and Lisa L. McNair

When trying to increase computer system security, new procedures often can be burdensome, forcing employees to remember multiple passwords or learn new routines.

Biometric security devices, such as fingerprint recognition devices, can help. They combine the security of biometrics — the use of physical characteristics to identify a person — with an easy-to-use interface. In this case, it's the touch of a finger.

TouchPass 2.0 from NEC Technologies Inc. is a client/server solution designed for large installations, unlike the fingerprint recognition systems we reviewed last year from Compaq Computer Corp. and Digital Persona Inc., which work only on client machines.

The NEC system consists of an optical fingerprint scanner called the BioMouse, an A/C power adapter and software to install on a Microsoft Corp. Windows NT 4.0 server and a Windows NT 4.0 or Windows 98 client. The system also can be used on stand-alone workstations. The BioMouse is available in a parallel port model, which we tested, or a PCMCIA model for use with notebook computers.

The concept behind fingerprint readers is simple. Once a computer is turned on and reaches the log-in prompt, the user places a finger on the optical scanner. The scanner compares the current fingerprint image with an archived set of images stored as mathematical representations and performs a one-to-one match. If a match is found, the user is logged in to the system.

The recently released TouchPass 2.0 that we tested offers tighter integration with Microsoft's network administration tools than did TouchPass 1.0. The new version has other nice enhancements, such as the ability to generate random passwords to fulfill Windows NT 4.0's password requirement and the option to log in using a fingerprint and a password. Within the next few months, NEC plans to release a version of TouchPass that is compatible with Windows 2000.

Setting up and configuring the system was not difficult, but we did find some things not to our liking. The most inconvenient feature was the separate A/C power adapter. (Neither of the systems we reviewed last year needed an external power source.)

The worst aspect of the adapter is the location of its connection to the BioMouse scanner. Instead of connecting to the scanner itself, the A/C adapter connects to the side of the scanner's parallel port plug, which gets connected to the back of the computer. This setup causes the A/C adapter to stick out at a 90-degree angle, which may block access to any port next to the parallel port.

On our client workstation, the PS/2 mouse port is next to the parallel port. Since PS/2 plugs are relatively small, we were able to squeeze them in while we had the TouchPass A/C adapter connected. However, a serial port next to the parallel port on our server could not be used at the same time the adapter was connected.

The TouchPass server software blends seamlessly with the Windows NT User Manager for Domains. You can add new users with the standard NT administration tools, but there are a few extra steps required to enroll fingerprints along with each user.

After filling in the appropriate information in the New User window, you click on the TouchPass button to set log-in rights and register fingerprints. Four options are available: biometric log-in only; both biometric log-in and password required; either biometric log-in or a password; and password log-in only.

You can enroll up to 10 fingers for each user. TouchPass suggests enrolling at least two in case a user injures a finger. The enrollment process involves capturing the fingerprint image three times.

We found the TouchPass scanner to be a little more temperamental than those from the systems we reviewed last year. We experienced a lot of bad reads and had to keep adjusting our finger positions (on-screen messages instruct you to move the finger up, down, left or right). In fact, we were never able to register the index finger of one of our testers. Even when a finger seemed to be in the right position, the system sometimes instructed the user to adjust the pressure.

While NEC recommends leaving the system settings at their defaults to ensure proper security, administrators can adjust threshold values if registering and reading fingerprints seems too difficult or takes too long.

The wizard-guided installation of the client software was simple. Just be sure you know the server's IP address; you will need it during the installation. The TouchPass manual lists an IP address to use for a stand-alone installation.

The TouchPass software modifies the Windows NT log-in screen slightly. The TouchPass logo appears on it, and the screen instructs users to place a finger on the scanner or to press CTRL-ALT-DELETE to log on. The fingerprint is not actually scanned at this point; it just gets you to the next step, where you must type in a password and/or place a finger on the BioMouse for scanning.

Logging in with TouchPass was easy most of the time, but the system occasionally had trouble reading the fingerprint image. We occasionally had to scan a finger repeatedly to gain access. This became frustrating because it was difficult not to overcompensate when the software instructed us to reposition the finger. Interestingly, the finger could be rotated up to about a 45-degree angle and the image could still be read.

Overall, this is an effective and easy-to-use system that blends well with Windows NT and affords increased security while eliminating the need to remember passwords. Our biggest complaint is the placement of the A/C adapter connection. In fact, it would be nice to see NEC eliminate the power adapter completely, as Compaq and Digital Persona have done.

At the same time, TouchPass distinguishes itself from the competition with its client/server architecture. This allows user accounts to be closely controlled by a system administrator. What's more, roaming users can log on to any client on the network without having to reregister fingers. It is TouchPass' client/server architecture that makes it considerably more expensive than the other systems, but the cost might be well worth it for enterprise environments.