Re: Accessing PC and Network with Fingerprint readers
- From: alun@xxxxxxxxxxxxx (Alun Jones)
- Date: Mon, 30 Jan 2006 02:43:27 GMT
In article <erLAx25FGHA.3944@xxxxxxxxxxxxxxxxxxxx>, "Jesper [MSFT]"
<jesperjo@xxxxxxxxxxxxxxxxxxxx> wrote:
>There are some third-party units that provide network logon, like Digital
>Persona's devices. You can get requirements on the devices directly from
>Digital Persona (http://www.digitalpersona.com). As for remote login and use
>by multiple users it is something you should investigate with them.
Digital Persona appear to be the company responsible for at least the software
in the Microsoft Fingerprint Reader. I'd be careful before using something
like the MS Fingerprint Reader to access the domain or anything so secure and
important as that.
The MS Fingerprint Reader is a convenience feature, not a security one. I
plan on playing with some Silly-Putty or Play-Doh to see just how easy it is
to mess with some time in the next few weeks. I'm busy with another Security
Toy right now (the Wireless PC Lock).
>Generally, we do not consider that fingerprint readers do not provide
>sufficient security at this time to be used in enterprises. There are
>various issues with fingerprints, but the overriding one has been all the
>ways they have been foiled in the past, such as gummi bears, removable
>fingerprints, freon, etc. Further, a fingerprint is an identifier, not an
>authentication token. There is a subtle difference, and in some cases it is
>not that relevant, but what it means is that should the system somehow get
>compromised what you need to revoke is an identity, not an authentication
>token. Understandably, revoking fingerprints poses certain OSHA challenges.
There are other issues too - every so often, I paint lead figures, and step
number one is to shave the flashing off the edges. Such activity involves a
sharp knife and a blood sacrifice. I doubt that my fingerprint scans the same
after such weekends.
Other considerations are people whose jobs wear their fingerprints away -
furniture makers, for instance, very often will not register on fingerprint
scans.
Then there's the issue of there being little if any published research as to
the uniqueness of fingerprints. They are pretty much assumed to be unique,
and attempts to research the issue are rebuffed, apparently for fear that we
may find that fingerprints are not the unique identifier they are believed to
be.
I've listed a few other issues in an article on my blog at
http://msmvps.com/blogs/alunj/archive/2005/11/22/76444.aspx
What a fingerprint is best for is exclusionary identification - in other
words, identifying that you are _not_ the person under consideration. Not
really all that good for a logon.
>If you want a multi-factor authentication solution a better one is usually
>smart cards. The infrastructure for smart cards is built into the operating
>system already. All you need are some cards and readers and if you go with a
>solution like the Safenet IKey (http://www.safenet-inc.com/) you do not need
>the readers either.
>
>A third option is a one-time password approach like those from Verisign
>(http://www.verisign.com/products-services/security-services/unified-authentication/index.html)
>or RSA (http://www.rsasecurity.com). Those require no additional hardware,
>but do require software updates to all systems involved, which smart cards
>may not need.
SecurID is another such device that has been around for some considerable time
- I remember using it on a Unix system about ten years ago.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@xxxxxxxxxx
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.