Using a Fingerprint To Log On to Your PC
Once the stuff of James Bond films, fingerprint-reading sensors have now gone mainstream as a way to log on to your computer, or on to Web sites you visit. In the consumer market, fingerprint recognition is sometimes sold as a better form of security, since prints are presumed to be harder to spoof or copy than passwords; and sometimes as a convenience, since it's much easier to swipe your finger than to remember a bunch of passwords.
Even if they are used mainly as a convenience, fingerprint readers can contribute to security, because people using them are less inclined to adopt insecure methods for remembering passwords, like writing them on visible Post-it Notes, or using the same simple password again and again.
Still, fingerprint readers are relatively rare in consumer PCs, so we thought we'd try some out to see how easy and effective they are. We were curious about how simple it is to train a computer to recognize a fingerprint, how accurate the readers are, and how easy it is to use them instead of passwords.
We tested two laptops with built-in fingerprint readers -- a high-end $2,149 ThinkPad Z60t from Lenovo Group Ltd., and Toshiba America Information Systems Inc.'s $1,899 Protege R200. We also tried Microsoft Corp.'s $40 Fingerprint Reader, which attaches to the USB port of any computer, desktop or laptop, running Windows XP.
All three of these can use your fingerprint for logging on to a computer, rather than typing your password each time, and each also functions likewise with Web sites that require user name and password identification.
Our conclusion is that these fingerprint readers were simple to set up and worked pretty well, but that some of the software that controls the process is confusing and could be a lot better. Fingerprint authentication isn't perfectly secure. Nothing is. Some fingerprint readers have been fooled by plastic molds of fingerprints. But they sure are convenient.
Also, other types of biometric authentication are competing with fingerprints. While we were doing our tests, we got a look at one challenger, a gadget from Fujitsu that reads entire palms and the veins running through them. As your hand hovers palm-down over this device for a couple of seconds, special technology captures an X-ray-like image of your palm and its veins.
This technology is more advanced than fingerprint-recognition devices, as it won't work unless it detects blood coursing through the veins in your hand. Also, Fujitsu says, it's much more difficult to imitate another person's internal structure, since it can't be viewed by the naked eye, nor can it be lifted from a surface, like fingerprints. But it won't be in consumer computers for years.
Microsoft's Fingerprint Reader was straightforward. After loading its included software, we plugged it into our PC's USB port. Its oval surface area was a perfect fit for a finger, making it the most comfortable to use, and its center glowed red once attached.
We followed a setup wizard to get started, selecting two fingers from a diagram of right and left hands. After selecting each -- we used our right and left index fingers -- we touched each correct finger onto the Reader four times to get an accurate scan. To use this recorded print as our password, we simply touched our finger to the Reader whenever opening a new browser screen that required password data. We had to type in our user names and passwords the first time, but after that the reader software allowed us to substitute a fingerprint swipe.
We tried various Web sites, including Trumba (the online calendar we use); the New York Times Web site; Evite.com, an invitation service; a cooking Web site called Epicurious.com; Yahoo.com; and Gmail.com. We couldn't open Evite using Microsoft's Fingerprint Reader, as it uses a Java technology that Microsoft explained wouldn't work with the device.
When setting the Reader up with Gmail, we entered the wrong password for our account, and accidentally saved it with the fingerprint, so whenever we tried to use our fingerprint with the log-in page the wrong password was automatically entered. This was easily fixed by retyping the password within the device's Log-On Manager.
This device works only on Internet Explorer 6.0 or above and the MSN 8.0 or 9.0 browser. If you ever should decide you no longer want to use the Fingerprint Reader, you can simply unplug it and go back to entering your passwords on required screens.
The Lenovo ThinkPad and Toshiba Protege both use barely noticeable fingerprint recognition devices that are built into the lower right edges of their keyboards. Each worked the same way -- by dragging a finger over it, top to bottom, like petting an animal with one finger.
But we found the Lenovo software, Client Security Solutions, to be much too geeky. For one thing, it confused us with two options for controlling the start-up of the machine. One was the familiar Windows log-in process, and the other was a "power-up" log-in, which occurs before the Windows screen appears and doesn't exist on most computers. But, it was possible to set up the Lenovo system in such a way that you were never given the opportunity for a different user to log in to Windows.
Also, an annoying screen offering fingerprint access to technical settings of the PC, something mainstream users would never use, would appear each time our ThinkPad was restarted, before it disappeared too quickly to read it.
Lenovo told us that we could use its software to replace other passwords on the computer with our fingerprint, including those on Web sites -- like the Microsoft device. We walked through about seven steps in the ThinkPad's detailed Client Security Setup Wizard to enable this feature, and then started training the laptop to remember our user names and passwords for Web sites. But this process took much longer than the others, and in the end we still weren't successful in swiping our fingerprint in place of Web site user names and passwords.
The Toshiba Protege's OmniPass Finger Print Software was much more user-friendly. A few explanatory menus walked us through how to replace our Windows log-in names and passwords with fingerprints, and replacing Web site passwords was just as intuitive. We simply typed in a Web site address -- such as
www.yahoo.com -- and after entering our user name and password, selected a "Remember this password" option. A key icon appeared on the screen, which we dropped near the log-in data that we wanted to be remembered. The next time that site was opened, we simply swiped a finger instead of entering a password.
All three devices advise users not to rely on their fingerprint readers for absolute security, and instead, encourage them to create and use "secure" passwords -- those that contain tricky combinations of numbers and letters -- for very important password-protected data.
We were favorably surprised by how much time we saved by using our fingerprint, rather than typing passwords into various Web sites.
Fingerprint recognition is a smart solution for saving time and avoiding the memorization of long lists of passwords. Just make sure the system you choose is meant for average users, not engineers.
用指纹当密码
指纹识别装置曾是007电影中的高科技产品,现在却已成为用户登录电脑或上网时识别身份的主要方式之一。在消费市场,有时指纹识别装置的卖点是其更好的安全保障,因为人们认为指纹比密码更难以窃取或复制;有时则是因为它的便捷:按下指纹要比记住一大堆密码容易得多。
即使从便捷的角度来看,指纹识别装置也对电脑安全有好处,这是因为使用指纹认证的用户很少会采用那些不安全的方式记住密码,如在便签条上写密码或重复使用同一密码等。
在普通个人电脑上,指纹识别装置还不太常见,因此我们想试用几种产品来比较一下它们的便捷程度和效果。我们想了解让电脑学会识别指纹是否容易,识别的准确度如何,以及用指纹而非密码登录有多便捷。
我们测试了两台内置指纹识别装置的笔记本电脑:一台是联想集团(Lenovo Group Ltd.)的高端笔记本ThinkPad Z60t,售价2149美元;一台是东芝美国信息系统公司(Toshiba America Information Systems Inc.)的笔记本Protege R200,售价1899美元。我们还试了微软公司(Microsoft Corp.)推出的售价40美元的指纹识别器,它能通过USB接口接入任何台式或笔记本电脑,适用于Windows XP操作系统。
这三种指纹识别装置都能让用户以指纹登录电脑,不必每次输入密码,而且登录需用户名和密码的网站时,也能发挥同样的作用。
我们的结论是,这三种指纹识别装置都安装简单,效果不错,不过一些用于控制流程的配套软件有点让人摸不著头脑,还有很大的改进空间。和世上所有事情一样,指纹认证技术并非绝对安全,一些指纹识别装置会错把塑料指模认作指纹,不过它们使用起来还是很方便的。
其他类型的生物认证装置也在与指纹识别器争夺市场。在测试过程中,我们还看到一种由日本富士通公司(Fujitsu)推出的产品,能识别整个手掌及掌上的血管,只要把整个手掌覆盖在仪器上几秒钟,这种特殊技术就能像X光成像那样抓取你手掌及其血管的图像。
这种技术比指纹识别装置更先进,因为它要检测到手掌上的血液流动情况才进行认证。富士通公司还表示,模拟另一人的手掌内部构造要困难得多,因为肉眼无法观察到手掌的内部结构,也无法像指纹那样进行表面复制。不过,这种技术在近几年内还不会应用到普通电脑上。
微软公司的指纹识别器使用起来很简单,只要启动自带软件后把仪器通过USB接口插入电脑就可以了。仪器的读取区正好覆盖一个手指,使用起来很舒适,而且一接入电脑读取区中心就会发出红光。
我们通过一个安装向导来启动仪器,从一对左右手的示意图上选择两只手指作为读取对象。选择好后(我们选了左右手的食指),我们把每个手指放在读取区上四次,以进行精确扫描。当使用指纹作为认证密码时,我们只要在打开一个需要密码的界面时把手指放在读取区上就行了。首次做登录时我们需要输入用户名和密码,但随后指纹识别器就能将指纹替代原先的密码。
我们试验了各种网站登录界面,包括我们常用的在线日历网站Trumba,纽约时代报(New York Times)的网站,社交网站Evite.com,美食网站Epicurious.com,雅虎网站Yahoo.com,以及电邮网站Gmail.com。我们用微软的指纹识别器无法登录Evite网站,因为它使用的是微软确认无法与其指纹识别器兼容的Java技术。
当设置用指纹登录Gmail网站时,我们意外地输入了错误的登录密码,并与指纹关联起来,因此每次我们用指纹登录时,错误的密码被自动输入。这个问题能用指纹识别器自带的登录管理软件(Log-On Manager)重新输入密码后马上解决。
该设备只适用于Internet Explorer 6.0以上及MSN 8.0或9.0版本的浏览器。如果不想再用指纹识别器,你只需拔下设备,就能重新回到输入密码进行登录的方式。
联想ThinkPad以及东芝Protege笔记本的指纹识别器都不易被人察觉地设置在键盘右下角部位。两者的工作方式相同,只要将手指自上而下滑过读取区,就像用一只手指抚摩宠物那样。
不过,我们发现联想的配套软件“客户安全解决方案”(Client Security Solutions)过于繁琐。首先让我们困惑的是,它让我们选择启动机器的两种方式,一种是我们熟悉的Windows登录方式,一种是所谓的“高级”登录,在Windows界面前出现,而市面上绝大多数电脑都未采取这种方式。不过,这种方法可以让联想的电脑只归你一人使用,其他用户根本没有机会登录Windows系统。
此外,我们每次启动ThinkPad笔记本时,都会跳出一个讨厌的屏幕,询问是否为进入电脑设置界面提供指纹登录,还没等我们看清是怎么回事就又消失了。
联想告诉用户说,通过配套软件,他们还能用指纹替代密码登录电脑上其他界面,如网站登录──这和微软的指纹识别器功能一样。我们在“客户安全解决方案”软件上大概用了七个步骤才实现这一功能,然后开始教笔记本记住我们登录网站所用的用户名和密码。这一过程所用的时间比其他设备长得多,而最后我们也没有成功地用指纹替代网站登录名和密码。
东芝Protege的OmniPass指纹软件要方便得多。用户通过几个引导步骤就可以将Windows登录用户名和密码替换成指纹认证;替换网站登录密码也同样简便,只要输入网站地址,如
www.yahoo.com,输入用户名和密码,选择“记住这个密码”选项,然后一个钥匙图标就会出现在屏幕上,把它拖到要记住的登录数据附近就行。下次打开这个网站时,刷一下指纹就能登录,不再需要密码。
三种指纹识别装置都告诉用户指纹认证并非百分之百安全,并鼓励用户创建并使用“安全”密码,即那些由数字和字母组成的复杂密码,用于保护那些非常重要的保密数据。
我们很高兴地发现,使用指纹认证登录网站而非输入密码能节省大量时间。
指纹识别技术是节省时间和避免记忆大量密码的很好方法,只要确保你所选的产品便于一般用户使用、而非面向工程师就好。
