I have had the MS fingerprint readers for quite a while now and have found them to be great convenience devices. These consumer units were produced in conjunction with DigitalPersona and are aimed at helping us deal with a challenge we face more and more as time goes by - too many digital identities... As a consumer, I have all of these services available to me: Internet banking, online retailing, web-based mail services, etc. Hey, I can even book courses with the City of Mississauga, in which I live! Remembering all of those details for each identity is therefore a challenge. The temptation is to use the same passwords everywhere, make them unforgettable and, of course, never change them. Of course I don't do this, but how many of us do?
As a security professional, this is a nightmare scenario. Now expand this to your network and you have a whole new ball game. Okay, it is the age-old balance of Security vs. Functionality / Usability, but let's face it: if we can make our lives simpler then we usually will. Also bear in mind that, according to CERT, a huge percentage (80%) of the security attacks they investigate are password related... Many versions of fingerprint software store the databases of fingerprints and credentials on the local machine (which is where most attacks are directed). These databases are encrypted, but for how long? The challenge, of course, is managing this across a network. According to Gartner and many others, managing the user lifecycle costs businesses a great deal of money. So being able to let users log in with a fingerprint rather than managing those passwords may seem like an ideal solution. Then why is it that more companies don't use this technology?
I have been evaluating the DigitalPersona business solution (as they have been kind enough to send me one to play with - hint hint to any other manufacturers out there!). This extends the AD schema to connect the dots between user account and fingerprint, and provides centralised storage and management. By the way, if you don't want to or can't extend the AD schema, there is a facility to use ADAM instead. Yes, the solution means we can log on to a network just by using our fingers. Therefore there are no passwords for users to forget, saving us time, money and hassle.
I would argue that this scenario is great (and works) but is only a PART of the overall password solution. Ultimately there is still a password involved, some setup (enrolling the users' fingerprints, etc.), ongoing management (it is a database after all) and extra hardware / software, but it is well worth investigating as another tool in the armoury.
As I evaluate this solution more, I will post up my thoughts. If you have your own experiences and thoughts, please feel free to share them with us...
There are a few points missing from this blog. (I know, I'm so critical.)
- In this situation, you are replacing single factor authentication, with another single factor. Security is only really improved if you involve a second factor.
- This really isn't any better than protecting your collection of passwords with a single password.
- Passwords can be changed. Your minutiae are for life.
A great presentation on biometric attacks is online at
Having said all that, I dig the DigitalPersona product, particularly their kiosk product, as a very user-friendly single-factor authentication system. And really, security that is used is better than the very best security that no one bothers with. Making it easy for users is a step in the right direction.
That is why I said that biometrics is perhaps only part of the solution :) You are correctly surmising that your security system is only as strong as the weakest link. You are also correct that revoking a fingerprint is not the easiest thing to do, but it is less likely to be compromised in reality than a password that can be written down or spoken. My preference is for a multi-factor authentication approach where possible, going beyond the 'something you know'...