November 2001
Trinity and BioMouse Plus
by Julian Asbourn
FOR
Presentation; ease of use; flexibility of configuration.
AGAINST
Would like to see more comprehensive device support. [Ed note: Ankari says it is working on such support.]
VERDICT
An interesting and comprehensive package for advanced network authentication within the enterprise.

In recent months we have continued to see a shift of emphasis away from biometric devices as a source of interest in their own right, and more towards the implementation of biometrics as an integral part of data security within the corporate environment. This, together with the introduction of a standard application modeling technique (BANTAM), is a welcome step along the evolutionary road towards practical biometrics implementation on a wider scale.

One of the vendors who understands this shift and has been providing suitable software for a while now is Ankari. Its Trinity software suite provides enterprise tools for both server and client areas, although the client software may also be used for standalone workstations if required. Predominantly for Microsoft Windows environments, Trinity enables the use of passwords, tokens (smartcards and SecurID tokens) and biometrics to authenticate users either at standalone or networked workstations.

For standalone workstations, passwords or biometrics may be used in conjunction with user names, while, for networked environments, smartcards and certificates may also be used in various combinations with passwords and biometrics if desired. Ankari's BioMouse and BioMouse Plus, Precise Biometrics 100A/100SC, any Veridicom biometric sensor and Digital Persona scanner may be used with Trinity, while BioMouse Plus and CardDrive, 100SC and any standalone PC/SC-compliant smartcard reader are also supported. [Ed note: Ankari states that it is currently working to support all major fingerprint sensing technologies and expects to support Authentec, Infineon and ST Micro in the near future.] In addition to straight network access, Trinity facilitates a single sign-on regime, where individual applications (including web-based dialogs and forms) may be accessed via the automatic provision of user credentials.

When a standalone configuration is employed, user data and templates are stored within a local secure database. In a networked environment, a centrally-located database stores such information via a Trinity server. If an LDAP-compatible directory is in use within the enterprise, then multiple Trinity servers may be configured to use this service, providing a degree of load-balancing and fault-tolerance. In such a configuration the Trinity clients must be set up accordingly with the addresses of the servers, any one of which they may use.

Administration may be undertaken from anywhere on the network by an authorized administrator. In practice, thinking through such an architecture, setting up administrator rights, educating users and rolling out the whole thing would, in most cases, prove to be a non-trivial exercise - but then, this would be the case in implementing any new authentication methodology within the enterprise. For Trinity, Ankari provides fairly comprehensive documentation in Adobe Acrobat format on the installation CDs that will help the typical LAN/security manager to understand the Trinity architecture and overall concept. For an unusually large or otherwise complex situation, it may be prudent to check such an understanding with Ankari's technical support function before embarking upon implementation.

In use, the Trinity client software loads faultlessly and is easy to set up with clear, intuitive dialogs for configuring all the main options. Managing a local database of users and their authentication requirements is straightforward and logical, as is enrolling users' biometrics. In fact, the biometric enrolment is particularly interesting, with visual feedback as to the fingerprint image quality, making it an intuitive experience for the user while stressing the importance of correct finger placement and pressure upon the sensor. Furthermore, the quality of the enrolment may be tested immediately after the process in order to ensure a reasonable expectancy of trouble-free subsequent operation: this may be particularly important with large user bases. For the purposes of this short review, the software wasn't tested in a typical enterprise client-server configuration. However, reading through the manuals, it is clear that Ankari has given much thought to such a configuration and one wouldn't expect any significant problems in this respect.

In networked mode, it is possible to make use of smartcards and certificates to enhance the process further if required. Smartcards may be used in conjunction with either a password or biometric and the BioMouse Plus peripheral, looked at in this review, combines a fingerprint biometric and smartcard reader in one simple package. SecurID tokens may also be incorporated if necessary.

When using a smartcard, the available card 'real estate' may be configured to accept various combinations of user data and cryptographic store space. The biometric template may also be stored here, allowing verification against either a central database, when the server is available, or locally via the smartcard. In fact, many typical corporate authentication strategies may be accommodated via the Trinity software suite, making this a versatile package for corporate security managers.

In summary, the Trinity suite from Ankari represents a good all-round solution for those wishing to provide enhanced authentication security within the corporate environment. Most security/LAN administrators will find the overall concept and configuration options straightforward enough and shouldn't have too much difficulty implementing a Trinity system.

We would like to see a little more support for other biometric devices though, especially as we are starting to see biometric sensors appearing as embedded items in keyboards and other peripherals. The design and overall finish of the BioMouse Plus device, while perfectly functional, may not appeal to all tastes in this context. Perhaps flexibility in this area will increase as the product evolves. Notwithstanding this minor observation, Trinity offers a ready-made 'off the shelf' solution for those wishing to implement advanced authentication techniques within the corporate environment today. As such, it should be welcomed as an interesting and capable package.
   

Contact Information:
 
Trinity and BioMouse Plus
Version: 3.1

North America
Supplier: Ankari Inc.
Price: $79 (client per user), $6,495 (enterprise services)
Contact: (613) 736-5100
info@ankari.com
www.ankari.com

UK/Europe
Supplier: Ankari Inc
Price: on application
Contact: +1 613 736 5100
info@ankari.com
www.ankari.com
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2001 West Coast Publishing. All rights reserved.