Re: Biometrics and AD

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 09/07/05


Date: Wed, 7 Sep 2005 19:13:43 +0200

I can agree with this. I would go with some recommendations to use
biometrics for _identification_ only (e.g. instead of me writing in
username -- computer figures it out from my fingerprint and e.g. doesn’t
give me any other option to provide PC with username) but not use biometrics
for authentication (e.g. for authentication you could still use e.g. smart
card or one time password or ...)...

There are also other issues to consider. What will you do if someone manages
to forge my fingerprints (this is quite possible, especially with lower
priced solutions, and we leave our fingerprints just about everywhere – even
on smart cards ;-) -- ) -- how will you now allow me to access company
network? It will be pretty hard for me to change my fingers :-)... while it
is pretty easy to change password and even username!

Just some thoughts on the subject that should usually get an answer before
you decide to implement any biometric solution.

-- 
Mike
Microsoft MVP - Windows Security
"Jason Viers" <spam@beanalby.net> wrote in message 
news:OBPUs47sFHA.3040@TK2MSFTNGP14.phx.gbl...
> Ted Zieglar wrote:
>> Sorry to stick my nose in here, but the subject of biometrics is so
>> interesting to me.
>>
>> I believe that currently Microsoft doesn't recommend biometric logon for
>> applications needing a high level of security. Can you see this happening
>> in the future, or does Microsoft have to wait for the hardware to advance?
>
> The main problem I see with fingerprint biometrics is it's very easily 
> fooled, using only materials from a hobby store and an item that has a 
> valid user's fingerprint on it.
>
> http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci833464,00.html
>
> ----------------
>
> I haven't investigated biometric authentication much, but it seems there's 
> another problem for all biometric authentication methods - permanence of 
> keys.  Let's say that retinal scans are much more difficult to duplicate, 
> so my company implements that.  Someone really wants to get in, so they 
> jump through some amazing hoops, spend a couple grand, and manage to make 
> a fake duplicate retina of our CEO.
>
> In the normal password or smartcard world, it'd be no problem -- just give 
> them a new password and/or smartcard.  But the CEO only has one retina, 
> and it's been permanently compromised.  That method of verifying the CEO 
> no longer works, and there's nothing we can do about it.
>
> The fact that I only have one set of biometric data points, which are 
> duplicable, makes me worried about anyone using them to authenticate me.
>
> I can see biometrics being used in conjunction with smartcards and/or 
> passwords as another fence for intruders to hurdle, but not as a 
> standalone method for authentication.
>
> Jason 

