Original URL: http://www.theregister.co.uk/2004/10/05/biometric_thinkpad_t42/

Biometric IBM ThinkPad T42

Fingerprint-scanning prototype

By Trusted Reviews

Posted in Reviews, 5th October 2004 09:40 GMT

TrustedReviews.comReview Last week I attended an IBM briefing, held at The Clink Museum near London Bridge. The Clink was an old Prison and the museum is full of gruesome memorabilia relating to the bad old days of sadistic incarceration. The reason that IBM chose this particular venue is because the theme of the evening was security, and what better place to talk about security than in a prison?

IBM had a lot to talk about when it came to security, but the most interesting part of the presentation was the announcement that the T-Series of ThinkPads were going to be equipped with biometric security in the shape of a fingerprint scanner. On display were two pre-production T42 notebooks, complete with the foresaid scanner, and while other journalists were busy scanning their fingertips, I was negotiating the release of one of the imprisoned notebooks. Thankfully the negotiations were successful, and a prototype T42, with integrated fingerprint scanner, was set free and shipped to the TrustedReviews office the next day.

So, sitting in front of me right now is a notebook very similar to the ThinkPad T42 that I reviewed a few weeks ago. However, just below the cursor keys is a slim, and very unobtrusive fingerprint scanner. IBM has chosen to go with a swipe-scanner rather than a touch-scanner, for a number of reasons. First and foremost is that a swipe-scanner provides better security. Because you have to drag your fingertip across the scanner, there is no way to "lift" a fingerprint from the surface. Your fingertips contain oil, which is why you leave fingerprints on surfaces when you touch them, and why cat burglars always wear gloves in the movies. With touch-scanners, you will leave a pretty accurate impression of your fingerprint on the surface of the scanner itself, and if someone really knows what they're doing, they could remove that print and use it to fool the scanner into thinking that they are you. The second reason for going with a swipe-scanner is that it can be far smaller than a touch-scanner, since it doesn't have to accommodate your whole fingertip. The third and final reason is that touch scanners have a habit of getting dirty, and need to be cleaned regularly to maintain an accurate read of your fingertip. Swipe-scanners can take a bit of getting used to, but once you get the hang of drawing your finger across the surface smoothly, you won't have a problem.

The capacitive sensor technology in the fingerprint scanner, senses the patterns of electrical resistance caused by the ridges and furrows in the fingertip. Multiple readings of the fingerprint are taken while it is slid across the surface of the scanner. All the readings are then combined to form an accurate image of the swiped finger.

When I first booted up this special ThinkPad T42, I was greeted with the "IBM Fingerprint Software" window. This is where you can configure the fingerprint scanner and enrol the fingers that you wish to use. The first thing I did was to enrol one of my fingers in the Power On security section. This would allow me to protect unauthorised booting of the notebook with a fingerprint instead of a password. When you enrol a finger, you have to scan it three times successfully. Once that is done, the software amalgamates all three images into a single image, to which it will compare any scans that it receives in the future.

Now, the Power On password has to be enabled in the BIOS for the Power On fingerprint security to work. However, when I enabled this, it ended up asking me to swipe my finger and then ask me for the password as well. However, after a couple of reboots and a bit of BIOS fiddling, this problem resolved itself. Then when I switched on the T42, I was asked to swipe my finger and when the Power On password screen appeared, it instantly registered "OK" as if I had just input the correct password and the boot continued.

Of course since the Power On security layer is something that occurs well before Windows has started up, the fingerprint data can't be stored in a Windows file or folder. Instead, the fingerprint scanner itself stores the fingerprint data and retrieves it when the Power On security request is made. You can store a total of 21 profiles in the scanner, which should be more than enough, unless you share one notebook between a score of users. If you're worried about someone extracting the fingerprint data from the scanner and breaking your security, dont be. The scanner only stores a tiny amount of data for each fingerprint, just enough to ensure an accurate match, and nowhere near enough to recreate a complete fingerprint.

You can also apply fingerprint authentication to your Windows login. However, to save you having to swipe your finger twice and wear it out, you can tell the fingerprint software to automatically login the user that passed the Power On authentication. If more than one person uses the notebook, you can quickly and easily switch between users with the fingerprint scanner instead of passwords.

For an IT manager, biometric security will make life much easier. Gone will be all those phone calls from users who've forgotten their passwords. And there will be no more worries about insecure passwords, or even keystroke loggers, trapping passwords and passing them onto hackers and fraudsters.

But the fingerprint scanner is not the only security enhancement that IBM has implemented into the latest T-Series ThinkPads. IBM has partnered with data security specialist Utimaco, to ensure that ThinkPad users can keep their data safe, no matter how careless they may be with it. Utimaco SafeGuard Easy will keep every byte of data on your notebook encrypted, so that even if your machine is lost or stolen, no one can get access to the data stored on it. Unlike many encryption solutions, SafeGuard Easy does not need any user intervention, since the level of encryption can be configured so that everything you save to your notebook is safeguarded. I was concerned that keeping the entire contents of the hard disk encrypted could have an adverse effect on the performance, but Jackie Groves, Managing Director of Utimaco, assured me that the performance hit will be no more than two per cent and completely transparent to the user.

But what makes SafeGuard Easy so special is that it works with IBM's own Rescue and Recovery utility. The problem with encrypted data is that when you try to restore an image of an encrypted hard drive, all the data, including the boot records just look like garbage to the restore program. But with SafeGuard Easy, you can keep the entire contents of your drive encrypted, and still be safe in the knowledge that should your hard disk crash, you can restore all your data to a new drive despite the fact that it's encrypted.

Talking of Rescue and Recovery, the T42 in front of me also utilises IBM Rescue and Recovery v2.0. Building on features of the original Rescue and Recovery, version 2.0 makes it even easier for a ThinkPad user to stay productive. The Rapid Restore feature is of course still present, and allows users to restore to a working version of their operating system if something untoward happens. But for IT managers, it's now possible to send fixes and critical updates to users, and if they don't install the required content they will be removed from the network until their machine has been made "safe".

Of course these days, it's not just the data on your hard disk that you have to worry about. With so many forms of removable storage available, you need more than just your hard disk protected. Thankfully this latest T42 won't just encrypt data on its own hard disk, it will also be able to encrypt any files that you transfer to a USB flash memory key, or a removable hard disk, or even a CD-R disc. You can choose to encrypt the whole device or media, or you can create encrypted partitions, so that there is an area that can be read by other machines.

OK, so what's this pre-production T42 like apart from all the new security stuff? Well, pretty much every bit as good as the last one I looked at, or to be honest a little better. One of the things that disappointed me about the production T42 model I reviewed, was the relatively low screen resolution of 1,024 x 768, especially since the pre-production T42p I looked at sported a 1,600 x 1,200 screen. The model sitting in front of me right now has a 15in screen like the last two units, but has a resolution in between the two, at 1,400 x 1,050. This gives you a far more acceptable amount of desktop real estate compared to 1,024 x 768, especially when you consider the large physical size of the screen.

The keyboard is up to the usual IBM exemplary standard (despite being of US layout), with long travel, solid break and the feeling that every single key is individual. There isn't the slightest hint of keyboard flex, and typing is, quite simply, a joy. There's the superb IBM TrackPoint gracing the centre of the keyboard, for accurate pointer manipulation without having to remove your hands from the keyboard. But, if you happen to prefer touchpads, there's one of those too.

As always, connectivity is very well catered for. There's an integrated Gigabit Ethernet adapter and a 56K modem. But if you're not a fan of wires, there's an 802.11a/b/g WiFi adapter, covering all the available standards. If you need to connect to your mobile phone you can use the integrated Bluetooth support or even the IrDA port if you prefer to go "old school".

On the right of the chassis you'll find the CD-RW/DVD-ROM combo drive and a D-SUB port for connecting the notebook to an external monitor. On the left there are two PC Card slots, two USB 2.0 ports, an S-Video output, Ethernet port, a modem connector and mic and headphone sockets. At the rear is a parallel port and the power socket.

Inside, there's a 1.8GHz Intel Pentium M CPU, backed up by 512MB of RAM and an 80GB hard disk, while graphics come courtesy of a more than capable ATI Mobility Radeon 9600 chipset. Since this is a pre-production model, I wasn't able to run any benchmarks on it, so I have no idea how it performs or what the battery life might be like. That said, I don't imagine that it will be too different from any other ThinkPad T42 with similar components.

I will hopefully have a full production version of the updated ThinkPad T42 soon. Once that appears I'll be able to test it properly and see whether the new security measures do affect performance in any way. But with mobile computing becoming more and more common, any features that enhance the security of your data can't be a bad thing.

Visit The Reg's Review Channel for more hardware coverage.