Almost every mobile computer that is currently shipping has a fingerprint reader on it. How convenient... I've had a lot of customers get excited about the convenience of no more passwords when they think that a finger will do. Well, personally, I give those fingerprint readers the finger! Honestly, fingerprint readers are secure enough for normal things, but for anything you really want to secure, a strong password is still the best.

There is plenty of documentation on the Internet about the lack of fingerprint reader security, but for a typical consumer machine, it's probably good enough. Today I did a search on the Internet to see what I could find. Of course Live.com is my search tool of choice, and one of the first items it presented was "Gummy Fingers" Fool Fingerprint Readers (http://www.extremetech.com/article2/0,1558,13730,00.asp). Of course, the person that came up with this idea was a Japanese mathematician! I never trusted those "math guys"... their logic and all of that! In college I took a math class, The Fundamentals of Math. I thought, hey, I understand that one + one = 2, that's fundamental... right? I needed to raise my GPA, so I decided to give it a try. Holy crap, was that a rough class! That's when I decided to never again trust those math guys. I digress, back to the topic at hand...

This mathematician took a mold of a finger, then used the same material gummy bears are made of to cast a gummy finger from it. Now I wonder how many tries it took him to get it right... Did he eat his mistakes??? I agree that molding a gummy finger is a considerable effort for someone to expend, but it's still a relatively low-effort, low-tech way to defeat a high-tech solution. Reminds me of NASA creating pens that could write in zero gravity. The Russians just used pencils! I subscribe to the Keep It Simple, Stupid mentality, so gummy fingers are a pretty reasonable solution to me. The Register (http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/) added some additional detail on his research.

Microsoft's corporate policy states that we cannot store our corporate credentials on our laptops. Fingerprint readers ask for, and then store, your credentials on your local machine. [This is really the root of the concern. If all of your credentials are stored on the same machine, eventually they will be compromised. It's only a matter of time. The "time" factor could be 2 days or 200 years; it just depends on your level of encryption and the attacker's level of skill and dedication.] The authentication process: when you swipe your finger on the fingerprint reader, the reader enters your domain credentials for you. We've done a good job of opening up the authentication API, which makes it easier for developers to develop alternate authentication methods, but we still need to solve the problem of the credentials being stored locally.

Two-factor authentication is a super way to meet this need. A number of companies have moved to two-factor authentication; Microsoft made the move over 6 years ago. We all carry smart cards. Mine functions like a typical proximity card that lets me open our security doors, but it also includes a "chip" that contains my Microsoft certificate. Whenever I have to connect remotely to the Microsoft network, I have to have my smart card inserted in my machine, and then I have to enter a PIN to allow access to the certificate on the smart card. Not only do you need the smart card, but a PIN as well. It all comes down to requiring 1.) what you have: the smart card, and 2.) what you know: the PIN. Without both items, you're not connecting to our network. The PIN is required because the certificate on the smart card is encrypted with the PIN. Without it, the smart card is just a gold thingy stuck to the back of your ID card.
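A toy model of the have-plus-know check described above, added here as an example (it is not the post's or Microsoft's code): the card's secret is wrapped under a PIN-derived key, and the network verifies a fresh challenge-response instead of replaying a password stored on the laptop. The PIN retry counter is an assumption the post does not mention; real cards lock after a few bad PINs.

```python
import hashlib
import hmac
import os

# Constructed toy model of the two-factor flow in the post: the card holds a
# secret usable only after the PIN unlocks it, and the network checks a
# challenge-response, so no reusable password sits on the laptop.

PIN_RETRIES = 3          # assumed retry limit (not from the post)
ITERATIONS = 100_000     # PBKDF2 work factor for the PIN-derived key

def _pin_key(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte wrapping key from the PIN (what you know)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def issue_card(secret: bytes, pin: str) -> dict:
    """Build the card blob (what you have): a 32-byte secret wrapped under the PIN."""
    assert len(secret) == 32
    salt = os.urandom(16)
    key = _pin_key(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(secret, key))   # toy wrap: XOR with derived key
    tag = hmac.new(key, wrapped, "sha256").digest()      # lets the card detect a wrong PIN
    return {"salt": salt, "wrapped": wrapped, "tag": tag, "tries_left": PIN_RETRIES}

def unlock_card(card: dict, pin: str):
    """Return the secret if the PIN is right; a wrong PIN burns a retry and returns None."""
    if card["tries_left"] <= 0:
        return None                                       # card is locked
    key = _pin_key(pin, card["salt"])
    expected = hmac.new(key, card["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, card["tag"]):
        card["tries_left"] -= 1
        return None
    card["tries_left"] = PIN_RETRIES                      # good PIN resets the counter
    return bytes(a ^ b for a, b in zip(card["wrapped"], key))

def respond(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession of the unlocked secret without sending it."""
    return hmac.new(secret, challenge, "sha256").digest()

def login(card, pin: str, server_secret: bytes) -> bool:
    """Server issues a fresh challenge; login succeeds only with card AND correct PIN."""
    if card is None:
        return False                                      # nothing you have
    secret = unlock_card(card, pin)
    if secret is None:
        return False                                      # nothing you know
    challenge = os.urandom(32)
    return hmac.compare_digest(respond(server_secret, challenge), respond(secret, challenge))
```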

Now if you really want to protect the data on your computer, let's talk BitLocker.  I'll save that discussion for another time.

Until next time!

Rob