Verdict:
The Digit works extremely well as both network authenticator and local security system. Equipping all clients on a large network will prove costly, however.
Datawise claims that 30 per cent of help desk support calls are from users who've forgotten their logon passwords. Administrators consequently need to balance the security implications of long periods between enforced password changes and the cost involved with forcing users to remember a new password every couple of weeks. The Digit aims to solve the problem by using fingerprints instead of passwords to log on to Windows 95, 98 or NT 4 systems.
The Digit is a parallel port device that takes its power from a keyboard pass-through. This allows it to work with Windows NT 4 as well as pre-OSR-2.1 Windows 95 systems, and there's a USB version in the pipeline as well. To work as a domain logon verification system, server and clients need to be running NT 4 SP-3 or Windows 95/98 with TCP/IP installed; a NetWare version is due to be released later in the year. I first installed the Digit on a system running NT 4 Server configured as a primary domain controller. The software supplied replaces the standard NT logon screen, and adds options to the Security screen and User Manager. Enrolling each user takes less than a minute, and involves entering the requisite username and password, then placing a finger on the pad twice in succession. Enrollment on the server can be carried out from the NT Security screen or by using the User Manager, which also allows you to delete fingerprint information.
When used for client domain logon, users can be verified via the primary or backup domain controllers. Datawise claims that it's extremely hard to reverse engineer the information for nefarious purposes because the fingerprint information is stored as a template of co-ordinates detailing distinguishing features rather than plain images. Also, fingerprint templates and logon information are stored and transmitted using Microsoft's Crypto API with 40-bit encryption, so it's a pretty secure system.
If a client workstation is used by just one person, logging on is simply a case of placing the enrolled finger on the reader for a second or so. The system then logs the user in as normal with no username required. If the workstation in question is used by more than one person, they'll need to enter a username and pick the correct NT domain for verification, so forgetful users will ensure that calls to the help desk aren't totally eliminated.
Once installed on a Windows 95/98 client, the Biologon client service replaces the client for Microsoft Networks as the primary network logon, and fingerprints are enrolled as before. Although its main function is providing security for client access to network resources, the Biologon services also considerably increase local Windows 95/98 access security, denying access if the right fingerprint or password isn't forthcoming.
In tests, the system worked like a charm as either a local or domain logon system, and it rarely required more than one attempt to read a fingerprint. It was generally tolerant of fingers placed at angles or towards one side or the other of the pad, and took about a second to identify prints. Even if the recognition fails for a legitimate user, you can opt to log on by typing the password as normal.
The Digit certainly works but, at £80, equipping a large network will involve a considerable outlay. It remains for network administrators to decide whether this cost will be offset by reduced support costs.
By David Fearon
SPECIFICATIONS:
Finger reading device, parallel port connection, power from keyboard pass-through, includes Biologon software for Windows NT 4 domain or workgroup servers, or NT 4 Workstation, 95/98 network clients, also operates as local access security system.