I have had the MS fingerprint readers for quite a while now and have found them to be great convenience devices. These consumer units were produced in conjunction with DigitalPersona but are aimed at helping us deal with a challenge we face more and more as time goes by - too many digital identities... As a consumer, I have all of these services available to me, Internet Banking, online retailing, web based mail services etc, hey I can even book courses with the City of Mississauga in which I live! Therefore remembering all of those details for each identity is a challenge. The temptation is to use the same passwords, make them unforgetable and of course to never change them. Of course I don't do this, but how many of us do?
As a security professional this is a nightmare scenario. Now expand this to your network and you have a whole new ball game. Okay it is the age old balance of Security Vs Functionality / Usability, but let's face it if we can make our lives simpler then we usually will do. Also bare in mind that according to CERT a huge percentage (80%) of Security attacks they investigate are password related... Many of the versions fingerprint software store the databases of fingerprints and credentials on the local machine (which is where most of the attacks are directed). These databases are encrypted, but for how long? The challenge is of course managing this in a network. According to Gartner and many others, managing the user lifecycle costs businesses a great deal of money. So being able to allow users to log in with the fingerprint rather than managing those passwords may seem like an ideal solution. Then why is it more companies don't use this technology?
I have been evaluating the Digital Persona business solution (as they have been kind enough to send me one to play with - hint hint to any other maufacturers out there!). This provides an expansion to the AD Schema to connect the dots of user account to finger print and provides centralised storage and management. By the way, if you don't want to or can't extend the AD schema, there is facility to use ADAM. Yes, the solution means we can log on just by using our fingers to a network. Therefore there are no passwords for users to forget, therefore saving us time, money and hassle.
I would argue that this scenario is great (and works) but is only a PART of the overall password solution. Ultimately there is still a password involved, some setup (learning of the users' fingerprints etc), management - it is a database after all and extra hardware / software, but is well worth investigating as another tool in the armoury.
As I evaluate this solution more, I will post up my thoughts. If you have your own experiences and thoughts, please feel free to share them with us...