The Kensington VeriMark IT fingerprint key is a small USB biometric authentication device with built-in anti-spoofing techniques and which relies on a match-in sensor to ensure that the fingerprint image remains within the sensor (‘off the grid’), therefore reducing (close to zero) the risk of any security breaches and the beauty of this device is that it not only works with unlocking a single PC, but simultaneously with multiple computers and services.
Kensington VeriMark IT | |
---|---|
Amazon.com | Check Product |
Kensington.com | Check Product |
Yes, I know that more and more laptops already have a fingerprint sensor embedded somewhere on the chassis (usually near the keyboard), but while some tech enthusiasts change their laptop every couple of years, the corporate world moves at completely different speed than the technological development, so I don’t doubt that lots of employees are still stuck with older hardware where a fingerprint authentication is out of the question.
The only argument that can be made against the biometric authentication and in favor of the PIN/password is that the latter can be changed as many times as necessary, while the former can’t be replaced once exposed, but the Kensington VeriMark IT fingerprint key seems to have fixed this shortcoming and, since the manufacturer claims that it’s one of the fastest devices of its kind, let’s have a closer look and see if Kensington VeriMark IT is indeed a worthy addition to the security layers of an office or for your personal computer.
Kensington VeriMark IT: Design, Installation and Functionality
The idea behind any type of USB dongle is to be as small and as unobtrusive as possible and the Kensington VeriMark IT fingerprint key is indeed very compact, measuring only 0.75 x 0.6 x 0.3 inches, so it does leave about 0.25 inches outside for a small LED indicator to let you know if the fingerprint has been registered or not (well, you will know if the authentication has failed, but it’s a nice addition nevertheless). The accessory is made of zinc alloy, so it is mostly covered by a gray matte finish (it does retain fingerprints quite easily), while the touch-sensitive area is made of black plastic and, if it wasn’t for the small key-shaped transparent LED, you could easily mistake it for a mouse or keyboard dongle.
So yes, the Kensignton VeriMark key is small, lightweight and extremely easy to lose, which is why for the single-PC version (K67977WW), the manufacturer has added a small cover that could be attached to the keychain; unfortunately, the multi-PC version (the one I am testing) does not have such cover (if it’s your personal PC, you should just leave the dongle always connected, especially when you’re traveling – you’ll lose a precious USB port, but you won’t lose your fingerprint key).
Before purchasing the Kensington VeriMark IT fingerprint key, it’s important to know that for OS account authentication, the device is compatible only with Windows 7, 8, 9 and 10, and, if you’re using the latter, you don’t have to install the software since the driver will automatically download through a Windows update. My main computer uses Windows 10, so in order to install the Kensington VeriMark, I connected the dongle to a USB Type-A port and from Windows, I accessed the Accounts section (click on the Windows key and then click on the small cogwheel to go to the Settings > Accounts) and then I clicked on the Sign-in options.
If you’re unsure whether the drive is installed or not, you can check it by going to the Device Manager and searching for the Biometric devices. After accessing the Sign-in options, click on the Windows Hello Fingerprint and just follow the instructions to set up your fingerprint (or fingerprints – it supports up to 10 individual ones). The fingerprint key is also compatible with Windows Hello for Business, Office 365, OneDrive, Outlook, Skype, Windows Azure and other Microsoft services which opens up the possibility for the IT administrators to easily manage the employees authentication methods.
But that’s not all because the VeriMark IT is also FIDO2/WebAuthn compatible which means that you also get the option to use the fingerprint key as part of the two-factor authentication to log into various websites, apps or services directly from a web browser (all the popular ones are supported: Mozilla Firefox, Microsoft Edge, Google Chrome and even Apple Safari).
Let’s take for example DropBox – you do want it to be as secure as possible from any potential threat so, to add the Kensington VeriMark IT as an additional layer of protection, you have to first enable the Two-Factor Authentication: access your Personal account and then go to Security > Two-step verification and on the right, click on the Off switch. Doing so, it will ask for the account password and then you can either use the text message option or a mobile app (I selected the former since I already have too many apps installed).
After the service has been activated, you do get the option to add a biometric device. Select Security key and follow the instructions to add the Kensington VeriMark as a means to log into your account. The thing is that if you decide to log into your DropBox account from a different device, you do need to register your U2F key using the same account on each of your computers.
I have tested a few storage devices that had built-in enterprise-level security (the iStorage diskAshur 2 and the SecureDrive BT), both with anti-tampering measured put in place, so, I was wondering whether it’s possible to compromise a Kensington VeriMark IT fingerprint key. The device relies on a Synaptics FS7600 match-in sensor which uses a 192 MHz processor, a hardware accelerated image processing unit and a hardware accelerated encryption engine which encrypts the data using AES and TLS 1.2 algorithms, while the fingerprint database is stored on the internal flash memory of the Kensington VeriMark IT.
Since all the processing is done withing the Match-in Sensor and all the biometric data is being stored outside the host device (the data being heavily encrypted), it does mean that it should be impossible to force a positive match using the fingerprint key, even in the extreme case when the host (the computer) is fully compromised – it can happen when the Kensington VeriMark IT may be stolen (these keys are small and can easily be lost, but the security layers do ensure that a third-party will not be able to make use of them to gain access to your computers or network).
What if someone would clone a fingerprint using a 3d printer, does the Kensington VeriMark IT have some anti-spoofing measures implemented? The Synaptics FS7600 sensor does rely on the PurePrint technology in order to help better distinguish between the genuine and fake fingerprints (all I could find about it is that it uses AI, which is kind of a vague statement) and Kensington says that false rejection rate (FRR) is at 2%, while the false acceptance rate (FAR) is at 0.001%. This put it far above the accuracy of the regular phone fingerprint sensor which usually has the FAR set at 0.35% and the FRR set at 6% (it also make it more expensive) and indeed, I have not experience any false positives so far (I don’t doubt that it will happen from time to time, just a lot less often). As for speed, I mainly use the Kensington VeriMark IT for authenticating into a Windows computer and the key is very fast, being able to recognize the fingerprint almost instantaneously.
Note: It’s worth mentioning that the device is TAA-compliant and it also complies with the international privacy laws (GDPR, BIPA and CCPA).
Conclusion
Google reports that all of its employees use a two-factor authentication with a USB security key on their work-related accounts and that this approach has fully eliminated any successful phishing attacks or account takeover, so it’s clear that using a biometric USB key is an excellent addition for any company that values the security of its data. Keeping that in mind, the Kensington VeriMark IT is one step forward than most of its competitors, featuring a match in sensor for improved security, the ability to use one USB key for multiple computers (and services) and the sensor has proven to be very fast and accurate, so if you need an extra layer of security to your company or your personal computer, the Kensington VeriMark IT fingerprint key is one of the best solutions available right now.