<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : biometrics</title><link>http://blogs.technet.com/steriley/archive/tags/biometrics/default.aspx</link><description>Tags: biometrics</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Mythbusters beat "unbreakable" fingerprint door lock</title><link>http://blogs.technet.com/steriley/archive/2006/09/20/Mythbusters-beat-_2200_unbreakable_2200_-fingerprint-door-lock.aspx</link><pubDate>Thu, 21 Sep 2006 08:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:457845</guid><dc:creator>Steve Riley</dc:creator><slash:comments>13</slash:comments><comments>http://blogs.technet.com/steriley/comments/457845.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=457845</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=457845</wfw:comment><description>&lt;P&gt;My good friend Jamie Sharp sent me this link today. It's amazing: &lt;A href="http://www.youtube.com/watch?v=oXyFmieZjiE" target=_blank mce_href="http://www.youtube.com/watch?v=oXyFmieZjiE"&gt;watch how Adam and Jamie easily defeat a fingerprint lock&lt;/A&gt; the manufacturer claims has never been broken. As if to snub the claims, they break it &lt;EM&gt;three times!&lt;/EM&gt; Supposedly it monitors pulse, sweat, temperature, and other attributes. First, Adam obtains an impression of a fingerprint already present on the reader and creates a latex copy that he adheres to his own thumb. Initial attempts fail, but when Adam licks the latex, the door opens. Next, Jamie tries a ballistics gel copy of the fingerprint. 
Sure enough, the door opens right away. Adam remarks that some cheap computer fingerprint reader was actually more difficult to hack than the "unbreakable" door lock! Finally, Adam tries the simplest of all attacks: a photocopy of the authorized fingerprint. No warmth, no pulse, only a lick -- and again, the door opens.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx" target=_blank mce_href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx"&gt;Biometrics is identity, not authentication&lt;/A&gt;. Authentication requires a secret of some kind, like a PIN or password. Anything you leave behind, like the fingerprint Adam lifted from the reader, can never be used as a secret, and thus can't be considered authentication.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=457845" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/identity/default.aspx">identity</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/biometrics/default.aspx">biometrics</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>What do YOU need out of two-factor authentication?</title><link>http://blogs.technet.com/steriley/archive/2006/04/20/What-do-YOU-need-out-of-two_2D00_factor-authentication_3F00_.aspx</link><pubDate>Fri, 21 Apr 2006 01:37:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:425824</guid><dc:creator>Steve Riley</dc:creator><slash:comments>43</slash:comments><comments>http://blogs.technet.com/steriley/comments/425824.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=425824</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=425824</wfw:comment><description>&lt;P&gt;&lt;FONT color=#000000&gt;Two-factor authentication continues to grow in popularity and emerge as a security requirement for 
many people I meet with. At Microsoft, we use smartcards internally for VPN access right now; soon we'll be requiring smartcards for domain logon, too.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;We&amp;nbsp;are also looking at ways to&amp;nbsp;require two-factor authentication for web-based services, like Outlook Web Access, published SharePoint servers, and other bits in our extranet. I love smartcards, and it's Microsoft's preferred product direction and corporate IT approach.&amp;nbsp;But here we encounter a problem with them: most public workstations (kiosks, Internet cafes) don't have smartcard readers. So how do we require two-factor authentication when the infrastructure can't support it?&lt;/P&gt;
&lt;P&gt;Ideally, my answer would be: too bad. Public workstations are too great a risk. No self-respecting organization would &lt;EM&gt;ever&lt;/EM&gt; allow access to corporate resources from unknown machines, right? What possible business justification would ever permit exposure to such risk?&lt;/P&gt;
&lt;P&gt;A lot, it turns out. Any organization (Microsoft included) that permits access to corporate resources, like OWA, is making a risk statement, whether they know it or not. That statement is this: "Our business activities require access to certain resources from any device, anywhere, at any time. We accept the risks associated with this because the value to the business is determined to be higher."&lt;/P&gt;
&lt;P&gt;But just like us, many organizations are starting to become wary of these risks. Two-factor authentication can help to mitigate some, but not all, of them. The choice, then, is which kind of two-factor authentication to use? If smartcards won't work because readers aren't yet ubiquitous (they will someday -- remember, once upon a time a mouse was a rarity), what's left to choose? (I wish we'd include smartcard readers in every box of Windows we ship, just like we included mice in Office.)&lt;/P&gt;
&lt;P&gt;Some form of token card with a one-time password is generally the option, with&amp;nbsp;RSA SecurID being the most popular. Lately I've been reading about &lt;A href="http://www.verisign.com/products-services/security-services/unified-authentication/index.html" mce_href="http://www.verisign.com/products-services/security-services/unified-authentication/index.html"&gt;VeriSign's Unified Authentication&lt;/A&gt; product -- a number of you have mentioned your success with it, and you like that it integrates natively&amp;nbsp;into Active Directory without requiring a separate authentication infrastructure (unlike SecurID, which requires an ACE/Server). I would like to play with this myself someday (hint hint).&lt;/P&gt;
&lt;P&gt;I want to hear from you, though. What do you need from a two-factor authentication mechanism? What are your requirements? Have you used the products currently on the market? What do you like or not like? What do you want to see done differently? Would you like for Microsoft to develop something, or&amp;nbsp;do you prefer to rely on partners?&lt;/P&gt;
&lt;P&gt;Tell me what you think. Our IT department is engaged in a lot of research here; I'd like to know what you've learned in your research and through your experience, too.&amp;nbsp;Post a comment here or email me if you'd prefer to remain private. Either way, I'd really like to get a good body of customer thinking on this. Thanks!&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=425824" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/identity/default.aspx">identity</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/biometrics/default.aspx">biometrics</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/access+technologies/default.aspx">access technologies</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+policies/default.aspx">security policies</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/passwords/default.aspx">passwords</category></item><item><title>It's me, and here's my proof: why identity and authentication must remain distinct</title><link>http://blogs.technet.com/steriley/archive/2006/02/16/It_2700_s-me_2C00_-and-here_2700_s-my-proof_3A00_-why-identity-and-authentication-must-remain-distinct.aspx</link><pubDate>Thu, 16 Feb 2006 20:41:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:419755</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>7</slash:comments><comments>http://blogs.technet.com/steriley/comments/419755.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=419755</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=419755</wfw:comment><description>&lt;P&gt;My February &lt;EM&gt;Security Management&lt;/EM&gt; column is posted:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx" mce_href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx"&gt;http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;No matter what kinds of technological or procedural advancements occur, certain principles of computer science will remain -- especially those concerning information security. I’ve noticed lately that, among all the competing claims of security vendors that their latest shiny box will solve all your security woes, a basic understanding of computer science fundamentals is missing. Because good computer science never loses importance, and because knowing the science can help you choose products and develop processes, from time to time I will cover such topics in this column. This month I’d like to explore the concepts of identity, authentication, and authorization, to help you understand their important distinctions, and to help guard you against the increasingly common tendency to combine the first two.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=419755" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/identity/default.aspx">identity</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/biometrics/default.aspx">biometrics</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+policies/default.aspx">security policies</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/passwords/default.aspx">passwords</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+science/default.aspx">security science</category></item></channel></rss>