Re: Biometrics and AD
From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: Wed, 7 Sep 2005 19:13:43 +0200
I can agree with this. I would go with some recommendations to use
biometrics for _identification_ only (e.g. instead of me writing in a
username -- the computer figures it out from my fingerprint and e.g. doesn’t
give me any other option to provide the PC with a username) but not use
biometrics for authentication (e.g. for authentication you could still use
e.g. a smart card or one time password or ...)...

There are also other issues to consider. What will you do if someone manages
to forge my fingerprints (this is quite possible, especially with lower
priced solutions, and we leave our fingerprints just about everywhere – even
on smart cards ;-) -- ) -- how will you now allow me to access the company
network? It will be pretty hard for me to change my fingers :-)... while it
is pretty easy to change a password and even a username!

Just some thoughts on the subject that should usually get an answer before
you decide to implement any biometric solution.

--
Mike
Microsoft MVP - Windows Security

"Jason Viers" <firstname.lastname@example.org> wrote in message
news:OBPUs47sFHA.3040@TK2MSFTNGP14.phx.gbl...
> Ted Zieglar wrote:
>> Sorry to stick my nose in here, but the subject of biometrics is so
>> interesting to me.
>>
>> I believe that currently Microsoft doesn't recommend biometric logon for
>> applications needing a high level of security. Can you see this happening
>> in the future, or does Microsoft have to wait for the hardware to advance?
>
> The main problem I see with fingerprint biometrics is it's very easily
> fooled, using only materials from a hobby store and an item that has a
> valid user's fingerprint on it.
>
> http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci833464,00.html
>
> ----------------
>
> I haven't investigated biometric authentication much, but it seems there's
> another problem for all biometric authentication methods - permanence of
> keys. Let's say that retinal scans are much more difficult to duplicate,
> so my company implements that. Someone really wants to get in, so they
> jump through some amazing hoops, spend a couple grand, and manage to make
> a fake duplicate retina of our CEO.
>
> In the normal password or smartcard world, it'd be no problem -- just give
> them a new password and/or smartcard. But the CEO only has one retina,
> and it's been permanently compromised. That method of verifying the CEO
> no longer works, and there's nothing we can do about it.
>
> The fact that I only have one set of biometric data points, which are
> duplicable, makes me worried about anyone using them to authenticate me.
>
> I can see biometrics being used in conjunction with smartcards and/or
> passwords as another fence for intruders to hurdle, but not as a
> standalone method for authentication.
>
> Jason