Cyber-Sign gives secure feeling

Looking for an inexpensive, nonintrusive and secure way to control access

to applications and data? For many agencies and departments, Cyber-Sign

Enterprise Server 2.0 may be just the ticket.

We all know the problem with passwords: They can be forgotten, guessed

or stolen. That's the rationale behind biometric security systems, such

as fingerprint and retinal scanners. Unfortunately, many users are uncomfortable

having their biological characteristics measured and stored. That's where

Cyber-Sign's dynamic signatures come in.

Unlike security systems that depend upon passwords and even such static

biometrics such as fingerprints, Cyber-Sign measures a dynamic human behavior — the act of writing. In addition to the shapes of the characters in the

signature, Cyber-Sign also measures the speed of signing, the pen pressure

and the stroke order. Even an excellent forgery wouldn't fool Cyber-Sign.

Signature profiles are stored on a single secure server. And because

Cyber-Sign employs TCP/IP, you can easily use it over the local-area network,

your wide-area network or the Internet. The Cyber-Sign Enterprise Server,

which runs on Microsoft Corp.'s Windows NT 4.0 Service Pack 4 or above,

stores signature profiles in a relational database. You have your choice

of employing either Microsoft's SQL Server (6.0, 6.5 or 7.0) or Oracle Corp.'s

Workgroup Server (7.3 or 8.0).

We found it extremely easy to register signatures, and it was significantly

easier than registering fingerprints with most fingerprint security systems.

The program prompts the user to sign his or her name three times in succession,

then reports whether the signatures registered successfully. The only trouble

we had registering signatures was that one user, whose normal signature

was an illegible scrawl, had to "clean up" his signature a bit.

Cyber-Sign strikes the right balance of flexible reading of signatures

and strong security. Even with significant variations in signing, legitimate

users were verified in each case. Test users attempting to copy signatures

were detected and flagged.

Cyber-Sign also does a good job of ensuring the security of its own

data. All communications between the server and clients — including signature

registrations — can be encrypted, and the administrator can set up to four

levels of client access, ranging from complete access to the ability to

verify only one's own signature.

For now, at least, the major weak point of Cyber-Sign is its lack of

software. If you want to use Cyber-Sign for accessing computers or operating

systems, you'll have to do some programming yourself using the Cyber-Sign

software developer's kit. The personal version of the kit and the client/server

Enterprise SDK each cost $2,750.

Similarly, little software is available for integrating Cyber-Sign with

applications. A Lotus Development Corp. Notes plug-in, which costs $100

per user, allows users to attach Cyber-Sign signatures to documents for

authentication. You can also use the plug-in to substitute signatures for

Notes passwords.

Another plug-in for Microsoft Windows ($30 per user) enables users to

attach signatures to Microsoft Office application documents. A new plug-in

for Adobe Acrobat ($100 for Acrobat itself and $50 per user for Acrobat

Capture) rounds out Cyber-Sign's offerings for integrating with other applications.

There is one other potential Achilles heel in the Cyber-Sign system:

the pen. All computers accessed through the Cyber-Sign system must be equipped

with writing tablets and pressure-sensitive pens. Simply keeping track of

the pen can, for some users, be a major challenge.