Eikon for Mac
Company: UPEK, Inc.
Software security on the Mac can mean a lot of different things to a lot of people. Do you have virus protection? Do you back up your files? Do you have a strong password? Do you require a password from sleep and start-up? Are your Bluetooth and wireless networks secure? This list could go on and on as to exactly what Mac security means to you, and each and every one of these is important. But for me, there is one more issue of security that is seldom covered, and that is unauthorized access to my computer. Since I mostly use a laptop, I worry about someone either using my machine to see my personal files if I leave it on my desk, or simply stealing the machine all together, and then having access to everything about me at their fingertips (no pun intended.)
First off, to be more secure from unauthorized access to this kind of “attack”, you need a really secure password. Experts in the security field say that your password should be changed often, should never be a word in the dictionary or any proper name, and should be at least 8 to 10 characters long. Great, what that really means is some random set of characters that you have to change frequently. And being long and random, you will probably end up writing them down somewhere so you do not forget. That, unfortunately, is not very secure at all. So most people, for convenience sakes, use a familiar word or name of 5 or so characters for their passwords, and those are easily cracked.
Sure, I have a “strong” password I thought was fairly secure at 8 quasi-random characters, but a password cracker found it in less than 4 hours. I should use a longer password in my machine, but typing that every time is a pain, and becomes easier to make errors when typing, meaning trying several times. And what about managing multiple users on the same machine? That means even more passwords to get lost, stolen or forgotten. So how do you handle this nightmare? How about using Biometrics?
Biometrics describes the science of recognizing someone based on physiological traits, typically fingerprints or eye scans. Upek has introduced a new device that not only makes your computer more secure, but also solves these security issues in one small USB device. The Eikon Digital Privacy Manager works on the Mac to provide users with an encrypted security device that uses fingerprints to gain entry to your computer. The eikon basically records and stores up to 10 fingerprints (a numerical representation of the print actually) for up to 10 users, and then later uses those scans to log you into your Mac, and if you want, unlock your keychain as well. It also handles multiple users in a very easy to set-up manner.
Imagine walking up to a Mac in your home, school, or office. Instead of typing a user name and a long password, you simply swipe your finger on a small device, and the Mac logs you into the computer automatically and unlocks the keychain for that user’s session. No more writing down a complex password, no more worries about someone finding out your password and using it, no more forgetting, because it is your finger that authorizes your entry into the machine, and that you cannot forget. And the device is portable, you can move it from one machine to another if you like to log into multiple machines.
Now, there are a few limits however. The fingerprint info is stored inside the device, and not on the Mac, and each fingerprint is associated with a unique account, and an individual fingerprint can only be stored in the unit once. That means that a unique finger can only unlock one account on one machine. So if you wanted to use the same device on two different computers, you would have to use two different fingers. This also means that the same finger cannot log you into two different accounts on the same machine either. But these are small issues.
And do not worry if you loose the device or it is not connected to your machine, because as an administrator on the computer, you can allow (an option) each user to still use a password (they should be long), or limit access to an administrator only password (it should be very long) when the device is not present to restrict access to certain accounts. If the unit is missing, a few seconds after the “swipe finger” dialog appears, it will change to one asking for your password, you enter it, and your in. Ok, so my password is now 16 characters long, and is a total pain to get right, but I hardly type it anymore, so no big deal.
Installation is easy; you install their “Protector Suite” software, plug in the device, enter a few finger scans and your done. From within the program you can manage all aspects of the device and its use. In the fingerprints options, you can add, update, or remove fingerprints for each account, up to 10 fingerprints per account, one for each finger! This also means that you could allow a trusted individual to access your account simply by swiping their finger into one of the empty slots. It is recommended that you enroll at least two fingers, one on each hand, just in case of an accident. While typically a cut will not invalidate a finger swipe, a recent healing bad cut on my index finger caused it to not be recognized for a while. Local and global settings let you set unlocking key chains, modifying permissions of users, requiring a password with the finger swipe or not, and what is displayed when authentication is required. You can also manage other users, and completely erase the device as well.
Adding a finger scan is as simple as selecting a “scan location” and then swiping your finger three times, but the interface for adding finger scans is not exactly graphically accurate. When adding scans, they show two hands, and a finger scan location for each of your 10 fingers. However, any finger scan can go into any location, and does not, in fact even have to be from the same person. For example, I scanned the index finger of both my left and right hand into those locations on the interface for my account. But I wanted my wife to have access to my account as well, and she wanted to use her index finger too. A look at the interface told me that both index finger spots were used. But it did not matter actually, I simply selected an empty slot (the left little finger), had my wife scan her index finger (three times) and now she can unlock MY account with her index finger as well. The only gotcha here is IF she wanted to use this device on her computer, or she had her own account on this machine, she would then not be able to use that index finger to unlock her own account, and would have to pick a different finger. Yes, it sounds more confusing than it is, and I think the graphic is just there to make normal use simpler, but if your remember one finger, one account, period, and you will be OK.
As for how well it works, I am hooked. The device is quite small, a little large than my thumb. There is also the “Eikon To Go” direct plug in version, looking like a small USB drive if you want even smaller. It has a non-slip bottom so it stays put on the desk, and a long enough cord to allow it to reach USB ports in the back of your computer.
As for use, I put in a very long password to my computer, that now after 21 hours and 51 minutes (about 750,000 attempts) has not been cracked. When I turn on or wake my computer, I am simply presented with a dialog that asks me to swipe my finger, I do so, and I am logged in, unlocked and ready to go. There have been a few bumps in the implementation however, but they are annoyances in most cases. For example, if the device is missing, typing a long password takes a lot of time, and the login dialog can time out. In addition, the “swipe finger” dialog has a place to enter a password, but if the device is not found, that dialog changes after a few seconds, so if you started typing before it changed, you get unknown characters into the second dialog and have to start over. I have had to learn to simply wait for the change before typing my password. And on occasion, my computer has hung on wakening from sleep, sometimes requiring a reboot, sometimes just putting it to sleep and reawakening again works fine. However, the people at Upek tell me they are aware of this issue and should address them in the next release of the software.
Lastly, because of the way the Mac implements security and passwords, the finger scan does not work for all places where your password is needed. Confirmation dialogs for keychain items, for example, use a different authentication method than does login, so it asks for a password and not a finger scan. Yet, installing software asks for a finger scan. However, I noted that when I changed my login password for this device, my older, and shorter keychain password did not change, so this has not been too much of an issue actually.
The bottom line: A great solution to making your Mac a bit more secure.
The Pros: Low price, small size, easy to use, good encryption, stable software.
The Cons: Multiple users and fingers can become confusing, occasional hangs on wake from sleep, does not handle ALL security password dialogs. I also think the software should show up in the Preferences Window.