Slashdot Mirror


Successful Alternatives To Password Authentication?

DonaldP asks: "Have any of you successfully deployed a key, token, or biometric-based access control for Windows machines to replace (or enhance) the typical login/logout authentication process (even image-recognition schemes would be considered)? I see different stuff out there but short of actually evaluating each one, it's hard to get a good idea of what the scene is like, what is crap and what actually delivers. Does anyone have experience with such systems, or can suggest other suitable solutions?"

"Some existing solutions (smartcards, etc) have their own quirks. Most notably, they trigger a login, or a logout event (plug it in to log in, remove to log out). Frankly, that just takes too long. Access granting needs to be quick and easy, because it will be frequent (and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs). The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy.

A 'Holy Grail' would be something like you see on the point-of-sale terminals in the food industry. Waitrons swipe or wave their card to access the (shared) terminal, quickly punch in or look up what they need, and they're out of there until next time.

The specific technology used (iris scanner, fingerprint scanner, smartcard, keycard, RFID, etc) isn't particularly important. I want to roll out something easier for the floor people to manage than the typical standard username/password authentication method, that provides:

- FAST locking/unlocking the screen (or fast login/logout action).
- Allows multiple 'keys' to be used for one system (many individual users, one computer).
- An event log (or equivalent) to identify which key unlocked/locked the system and when.
- The ability to disable individual keys in the event of loss, theft, etc.


The few products that I have found range from so-so to vapor-seeming. PSL would probably hit all the bases but it looks like vapor. The documentation link isn't there, the FAQ is blank, and the 'Reviews' and 'News' pages are empty. The RF-based one for WirelessDefender seems slick but it doesn't look like the hardware would accommodate multiple users for a single unit."
In addition to recommendations and suggestions, if you've tried biometric authentication and have horror stories of stuff that *didn't* work, feel free to share those too, if you would.

188 comments

  1. Yup. by Indy+Media+Watch · · Score: 3, Funny
    --

    Indy Media Watch-Proctologist of the Internet

    1. Re:Yup. by Anonymous Coward · · Score: 0

      Hey, this could be a big deal. I've heard a rumor that Shakespeare's plays were really written by Francis Bacon. On the other hand "Knowledge itself is power" might not have been said by him. Maybe with Bacon Authentication we'll know for sure.

    2. Re:Yup. by Anonymous Coward · · Score: 0

      I used the fingerprint authentication on the Lenovo X41. It works fine with the domain and allows multiple users, but I don't know how well you'd be able to share the database between computers...

  2. Smart Card + RSA key by Average_Joe_Sixpack · · Score: 2, Interesting

    Still anyone with physical access to the system can pull the HDD and have at it later.

  3. The most secured system... by __aaclcg7560 · · Score: 0

    Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems.

    1. Re:The most secured system... by CrazyJim1 · · Score: 1

      The thought terrified me of being locked in a room with a PC without internet. It reminds me too much of 15 years ago *shudder*.

    2. Re:The most secured system... by Anonymous Coward · · Score: 0

      > Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems. ... which is only secure until I insert my USB key to .

      Sure, it'd be a matter of
      1) virus on removable media (1) infects "secure" machine
      2) virus infects next removable media (2) with random text from secure machine as payload (along with itself)
      3) virus infects next machine it comes across, with botnet instructions allowing it to spam that random text along with advertisements for pr0n or "hot stock tips".

      Surely by now you've gotten random "spam filter poisoning" emails?

    3. Re:The most secured system... by Vainglorious+Coward · · Score: 1
      > Is a Windows computer without network access in a locked room

      Nonsense. A computer with a different OS in the same room would be more secure.

      --
      My next sig will be ready soon, but subscribers can beat the rush

    4. Re:The most secured system... by Bing+Tsher+E · · Score: 1

      You can also be locked in a room with a Windows machine with Hummingbird Exceed installed on it. It is on the same non-world-routed network as a multi-hosted Unix box. Then you run your Web apps on the Unix box. The non-routed network can be very locked down.

      There are non-commercial solutions where you don't have to buy Exceed, too. I find them somewhat kludgey. YMMV.

    5. Re:The most secured system... by LiquidCoooled · · Score: 1

      Hey, 15 years ago I got a lot more work done without the damned internet getting in the way!

      --
      liqbase :: faster than paper

    6. Re:The most secured system... by Bing+Tsher+E · · Score: 2, Insightful

      True. A machine with MS-DOS on it, for instance, doesn't even have the 'hooks' to be networked without extra binaries being added. And since it's very simple, it's easy to know that there aren't any rogue processes running in the background. Just keep a logic analyzer connected to its bus and keep an eye on what's going on.

      My TRS-80 Model 100 is even MORE secure, as the EPROM or non-volatile memory would have to be hacked for rogue software to be running on it. Or something bad with BASIC.

      And my SYM-1 is even better. With only a 6502 processor, and 4K of static RAM, an intruder would have to sneak in, enter his trojan on the hex keypad, and be certain you didn't cycle power before next using the system.

    7. Re:The most secured system... by LiquidCoooled · · Score: 4, Funny

      If a computer crashes in a locked room and nobody is around to see it fail, does it have a blue screen?

      --
      liqbase :: faster than paper

    8. Re:The most secured system... by jd3nn1s · · Score: 1

      Nonsense, you saw it on Mission Impossible :)

    9. Re:The most secured system... by __aaclcg7560 · · Score: 2, Funny

      Back then I was switching floppies between physical Drive A and virtual Drive B to save data.

    10. Re:The most secured system... by Ant+P. · · Score: 1

      I heard the NSA created this little thing called "SELinux".

    11. Re:The most secured system... by Mr.+Underbridge · · Score: 2, Informative

      > Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems. ... which is only secure until I insert my USB key to .
      > Sure, it'd be a matter of
      > 1) virus on removable media (1) infects "secure" machine
      > 2) virus infects next removable media (2) with random text from secure machine as payload (along with itself)
      > 3) virus infects next machine it comes across, with botnet instructions allowing it to spam that random text along with advertisements for pr0n or "hot stock tips".

      Oh, believe me, there are pretty good safeguards against things like that. At higher classification levels, "removable media" don't exist. USB keys are banned. For the most part, this is for information compartmentalization, but computer security is an issue too.

    12. Re:The most secured system... by BorgCopyeditor · · Score: 2, Funny

      I think my Wellington Bear calculator is even more secure, at least, before it was hybridized with my Trapper Keeper.

      --
      Shop as usual. And avoid panic buying.

    13. Re:The most secured system... by jotok · · Score: 1

      Pfft, my roommate has one of those since he can't get his Linksys appliance to work and won't let me in to troubleshoot it!

    14. Re:The most secured system... by Loconut1389 · · Score: 1

      I had a virus once that hid itself in memory; the only way you could find it was if mem /c or whatever was a few kb short, so that's not entirely true.

    15. Re:The most secured system... by Anonymous Coward · · Score: 0

      Er ... hybridized?

      I just had a mental image of Wellington Bear humping a Trapper Keeper. <shudder>

      Except I'm pretty sure I was thinking of Paddington. What the hell is a Wellington Bear anyway?

    16. Re:The most secured system... by arhhook · · Score: 1

      If you really want to be secure, in my opinion, the way is not to have sensitive data stored on a computer. But then again, it's not a reality. Strong encryption is the next best bet.

    17. Re:The most secured system... by nospam007 · · Score: 1

      > Hey, 15 years ago I got a lot more work done without the damned internet getting in the way!

      Come on, besides the web stuff that wasn't invented yet, we spent hours trying to get our emails from CIS to AOL (ick) and all the other proprietary email and message systems that were not internet-based, like BBSes and so on.
      Not to mention that buying books and stuff via telnet wasn't very straightforward either.
      You needed _ages_ with the modem speed those days, not to mention that there were only a handful of shops allowing it.
      But OTOH there was no spam at all!

    18. Re:The most secured system... by fishtop · · Score: 1

      Long ago the definition of a secure computer was one in a SCIF (Secure Compartmentalized Information Facility) (what the government does when they don't want bad guys to listen (see Tempest)), turned off, surrounded by armed Marines. Anything else is on a gray scale of less security.

  4. Smart cards by mammoth_2k · · Score: 2, Interesting

    I recently looked at this one smart card technology that has an integrated thumb-print reader on the card! It is called the "Super Smart Card", well sure, why not? http://e-smart.com/products_ssc.html

    1. Re:Smart cards by wkk2 · · Score: 1

      Does anyone sell small quantities of onetime password tokens that are compatible with the OATH standard and allow the shared secret to be loaded? Every token I have looked at required the use of a custom server and all kinds of licensing.
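As an added example (not code from the thread or from any product named in it): a server-side OATH HOTP (RFC 4226) verifier for a shared kiosk, which loads a provisioned shared secret per token as wkk2 asks about, and also covers the submitter's other requirements: many tokens for one terminal, an audit record of which token locked or unlocked it and when, and disabling a lost token. The token ids, user names and timestamps are constructed; the secret is the RFC 4226 test vector so the codes can be checked against the spec.

```python
"""Added example, not code from the thread or from any product named in it:
a server-side OATH HOTP (RFC 4226) verifier for a shared kiosk. Token ids,
user names and timestamps below are constructed; the 20-byte secret is the
RFC 4226 Appendix D test vector so the codes can be checked against the spec."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Token:
    user: str
    secret: bytes        # shared secret loaded when the token is provisioned
    counter: int = 0     # next counter value the server will accept
    enabled: bool = True


@dataclass
class KioskAuth:
    """Authentication state for one shared terminal: many tokens, one machine."""
    look_ahead: int = 5  # how far a token's counter may run ahead of ours
    tokens: Dict[str, Token] = field(default_factory=dict)
    audit: List[Tuple[float, str, str, str, bool]] = field(default_factory=list)
    locked: bool = True

    def register(self, token_id: str, user: str, secret: bytes) -> None:
        self.tokens[token_id] = Token(user=user, secret=secret)

    def disable(self, token_id: str) -> None:
        """Lost or stolen token: refuse it from now on but keep its history."""
        self.tokens[token_id].enabled = False
        self._log("disable", token_id, True)

    def unlock(self, token_id: str, code: str, now: Optional[float] = None) -> bool:
        """Unlock the screen if `code` is the next HOTP value (or one within the
        look-ahead window) for an enabled token; each code is usable once."""
        tok = self.tokens.get(token_id)
        ok = False
        if tok is not None and tok.enabled:
            for c in range(tok.counter, tok.counter + self.look_ahead):
                if hmac.compare_digest(hotp(tok.secret, c), code):
                    tok.counter = c + 1  # move past it: this code cannot be replayed
                    ok = True
                    break
        if ok:
            self.locked = False
        self._log("unlock", token_id, ok, now)
        return ok

    def lock(self, token_id: str, now: Optional[float] = None) -> None:
        self.locked = True
        self._log("lock", token_id, True, now)

    def _log(self, event: str, token_id: str, ok: bool,
             now: Optional[float] = None) -> None:
        """Append (timestamp, event, token id, user, success) to the audit trail."""
        tok = self.tokens.get(token_id)
        user = tok.user if tok is not None else "unknown"
        stamp = now if now is not None else time.time()
        self.audit.append((stamp, event, token_id, user, ok))


RFC4226_SECRET = b"12345678901234567890"  # test secret from RFC 4226 Appendix D


def demo() -> KioskAuth:
    """Walk one constructed token through unlock, replay, resync, lock and revocation."""
    auth = KioskAuth()
    auth.register("tok-A1", "alice", RFC4226_SECRET)          # constructed token
    auth.unlock("tok-A1", hotp(RFC4226_SECRET, 0), now=1.0)   # first code: accepted
    auth.lock("tok-A1", now=2.0)
    auth.unlock("tok-A1", hotp(RFC4226_SECRET, 0), now=3.0)   # same code again: refused
    auth.unlock("tok-A1", hotp(RFC4226_SECRET, 2), now=4.0)   # token skipped 1: resynced
    auth.lock("tok-A1", now=4.5)
    auth.disable("tok-A1")                                    # card reported lost
    auth.unlock("tok-A1", hotp(RFC4226_SECRET, 3), now=5.0)   # disabled: refused
    return auth


if __name__ == "__main__":
    for stamp, event, token_id, user, ok in demo().audit:
        print(f"{stamp:>12.1f} {event:<8} {token_id} {user:<8} {'OK' if ok else 'DENIED'}")
```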

  5. A thing you have and a thing you know by ajohn505 · · Score: 0

    Would be the ideal method.

  6. This one didn't work so well by eric76 · · Score: 3, Interesting

    In the early 1980's, I worked for an engineering company that tried an alternative.

    After you entered your username, the logon program would look up your employee payroll records and ask you a random question from them. If you answered correctly, you would get logged on.

    Sometimes it was easy. For example, it might ask your street address. You'd have to answer exactly as in the record, but that wasn't too difficult.

    Often, the only way you could log in was to have a copy of your employee payroll records in front of you. For example, do you know to the penny how much withholding has been deducted from your pay this year? Or how much your total take home was last year?

    The experiment didn't last too long before it went back to username / password.

    1. Re:This one didn't work so well by Llywelyn · · Score: 1

      We had a system at one point that if you couldn't remember your password it would ask you several security questions.

      The problem? I was asked when I met my spouse. This is an interesting question since I'm unmarried. o_O

      --
      Integrate Keynote and LaTeX

    2. Re:This one didn't work so well by neuro.slug · · Score: 1

      That reminds me of this stupid system our IS department set up. It required you to enter answers to five or six challenge questions (in case you forgot your password), but the answers had to be at least five characters. Of course, this kind of sucks when your mother's maiden name and your favorite color are both four-letter words.

    3. Re:This one didn't work so well by stuff+and+such · · Score: 2, Funny

      The best automated form I have ever had to fill out went:
      Q: where were you born
      A: ohio
      error, must be 5 characters
      So I'm probably the only person born in multiple states at the same time, "ohios"

      --
      my UID occurs in pi starting at the 384,199 digit after the decimal point.

    4. Re:This one didn't work so well by ergean · · Score: 1

      My favourite colour is blue ... no, yellow!

    5. Re:This one didn't work so well by 2sheds · · Score: 1

      But what is the air speed velocity of an unladen swallow?

      --

      Absit Invidia

    6. Re:This one didn't work so well by Anonymous Coward · · Score: 2, Informative

      When I last worked in a government job, also in the early 80's, we had magnetic cards that we had to swipe at public dumb terminals before entering in our user id and password. (Yes, this was before everyone had a computer at their desk.) The user id's were easy to guess, as they were something like ADMIN001, ADMIN002, etc.

      The passwords were 12 alphanumeric characters, were system assigned, and were changed monthly. They were more than a tad difficult to remember, even for those with doctorates with reasonably decent memories. The passwords used mostly the uncommon letters, and in odd patterns. The guy in charge of IT was happy with the security. Who could guess a password of "qz18t97p0f8b"? (He reasoned.)

      I tried to get the guy to use less secure passwords, something that people could remember without having to have it on a piece of paper to carry around, as those papers were left, at times, at a terminal. He said, no, that was what was needed. I told him in my division, and probably others, employees left on their desks, or in the unlocked top center desk drawer, the swipe cards with the "secure" passwords written on them. He said he'd consider it; we needed the security, period.

      About 2 months later, I logged on as my boss and told the IT guy to call my boss, because I (my boss) was considering firing him for his inability to keep the system secure.

      The next day, after speaking with my boss (who was none too happy that someone had been able to send an email as him), we got to make up our own 12 character passwords. This kept the night cleaning crew from being able to look up and/or change data on thousands of people. Sometimes people just don't think through all the implications of security, and don't want to know where it's broken.

    7. Re:This one didn't work so well by ockegheim · · Score: 1

      Ummm... the all-expenses paid business trip to Las Vegas? ;-)

      --
      I’m old enough to remember 16K of memory being described as “whopping”

    8. Re:This one didn't work so well by Anonymous Coward · · Score: 0

      you could've added the town, dummy!

    9. Re:This one didn't work so well by Anonymous Coward · · Score: 0

      I remember a similar situation at a bank where the CICS system had similar ridiculous password criteria.
      Like "it must be 8 characters, the third must be a number, there must be at least one punctuation mark, you must change it every 3 weeks, there must be more than 3 characters different, and you cannot re-use the last 20 passwords you used before".

      It was a good thing that 3M had already invented post-it notes then. The security guy, like the one you met, did not understand at all what the implications of his scheme were. He got it from the theory book.

    10. Re:This one didn't work so well by nacturation · · Score: 1

      > The best automated form I have ever had to fill out went:
      > Q: where were you born
      > A: ohio
      > error, must be 5 characters
      > So I'm probably the only person born in multiple states at the same time, "ohios"

      You're probably the only person who puts in overly broad information too. If it asked "In which state were you born?" then your complaint is legitimate. I guess you didn't consider that "Earth" would have satisfied the 5 character requirement.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.

  7. Biometrics & problems by dbialac · · Score: 3, Informative

    If you haven't seen the episode of MythBusters with biometrics, it will scare you to death. Finger biometrics, anyway, are easily defeated and for such reason should be avoided without some other shared mechanism. A better approach is to use something like retina recognition which is harder to fake out, or combine finger scanning with something else such as a code that isn't biometric. But at the end of the day, you also have to ask, "How secure does this need to be?" to help weigh your options.

    As for login times, you're not going to be able to do much about them. It's simply the nature of Windows and most other login/logoff systems.

    1. Re:Biometrics & problems by TheNetAvenger · · Score: 0, Offtopic

      > As for login times, you're not going to be able to do much about them. It's simply the nature of Windows and most other login/logoff systems.

      Windows2K, XP, Vista (and even all the older variations of NT) have time-restricted and controlled login and usage policies. This is something that an administrator can easily set in the domain or authentication server or even a local machine policy. This is something that is very easy to set, even on a home computer for kids, let alone a domain where you can flip a switch and all the systems obey.

      Sometimes people scare me when they are so out of touch with basic technology that any credible IT person would know.

    2. Re:Biometrics & problems by GNU(slash)Nickname · · Score: 1

      I'm pretty sure the poster meant the length of time it takes to complete the login/logout cycle.

      > Sometimes people scare me when they are so out of touch...

      Yeah, I know what you mean. Like when they comment on someone's answer when they clearly didn't read or understand the original question.

    3. Re:Biometrics & problems by xlsior · · Score: 1

      > Windows2K, XP, Vista (and even all the older variations of NT) have time-restricted and controlled login and usage policies. This is something that an administrator can easily set in the domain or authentication server or even a local machine policy. This is something that is very easy to set, even on a home computer for kids, let alone a domain where you can flip a switch and all the systems obey.

      That's not the issue at hand here -- the original poster was referring to the amount of time it takes to log on with certain schemes, and not talking about restricting logon/logoff to certain times of day.

    4. Re:Biometrics & problems by Khabok · · Score: 1

      Where do we draw that line as to what validates biometrics? Does possession of a physical key qualify, as in the Super Smart Card? What if your chair had a load-cell in it, so you had to be within five pounds of the correct body weight?

      Memorizing a password is not perfect either, ya know. Security is always best-effort.

      Maybe we should quit agonizing over this question so much. Here's a thought: use a small highly-secure server for every x workstations. If you need something, have the local server get it from the farm and keep it there. Keep the workstations under Deep Freeze and require that those resources be accessed remotely, via something nice and secure like good-old password validation. Therefore, low-security tasks can be managed from the workstations using fast and easy biometric login, medium-security tasks can be done using the local server as a network drive with a text password, and high-security tasks are done via the local server, either through something like SSH or even keyed physical access.

      Anybody like that idea?

    5. Re:Biometrics & problems by TheNetAvenger · · Score: 1

      Whoops... Notably I was not even on the same tracks, let alone the same train.

      Thanks for pointing this out.

  8. Digital Persona works very well. by zerofoo · · Score: 3, Informative

    Digital Persona's Kiosk fingerprint reader package is exactly what you need.

    I deployed the Workstation Pro package at my last job. It works great, and has group policy ADM templates to aid in setup and deployment.

    -ted

    1. Re:Digital Persona works very well. by Dersaidin · · Score: 1

      Have you gone to any effort to try and break it?

    2. Re:Digital Persona works very well. by Anonymous Coward · · Score: 0

      Yes, even their sensor with 'false finger detection' can easily be spoofed if you desire. That's why Microsoft OEMs it and clearly on their website, they recommend not using it as the device and the implementation are not secure:

      > Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks.

      This is only a device of convenience, and Microsoft markets Digital Persona technology as nothing more than something to help you forget passwords.

    3. Re:Digital Persona works very well. by zerofoo · · Score: 1

      Yes, the company I worked for was in the financial industry and was worried about "lifted" fingerprints.

      We tried lifting user fingerprints with many types of materials and none we tried could fool the sensor.

      Don't confuse Digital Persona's reader with Microsoft's reader. Yes, the sensor is the same, but Microsoft does not recommend using their product to secure sensitive systems due to the lack of encryption in the USB data stream. This makes Microsoft's reader vulnerable to a replay attack.

      A detailed analysis can be found here.

      I suspect Digital Persona and Microsoft have an agreement to remove the encryption features from the MS product to prevent MS from competing with Digital Persona.

      -ted

  9. Voice Authentication is the wave of the future. by lordkobold · · Score: 0

    Or it was a few years ago... Star Trek Voice Print

    1. Re:Voice Authentication is the wave of the future. by Anonymous Coward · · Score: 0

      And tape recorders are wonderful too!
      So are pocket MP3 recorders.

      Something you know and something anyone nearby can have? That doesn't quite cut it now, does it?

  10. Honor System by Anonymous Coward · · Score: 2, Funny

    In order to reduce costs, we put a question like "Are you authorized to view this very confidential information?". In order to curb abuse we also have a sentence that says "We audit all activity.", which is a module I'm currently trying to complete.

    We haven't had any issues as far as we are aware.

  11. Fingerprint login by cdrguru · · Score: 5, Interesting

    The problem with fingerprint readers is there has been a lot of junk put out there. Anything that uses an optical sensor is a joke. Most of the capacitive ones are useless as well.

    We recently deployed an application using an RF-based fingerprint reader. It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.

    The software is very simple and very fast. You can either use their database (encrypted) or your own for storing templates.

    We decided that this was the only way to avoid compromising existing user/password security for systems already in place. If we had even the possibility of the same passwords being used, our system would have to be provably at least as secure as whatever they were currently using. A very difficult and wide-open standard to be measured against. Therefore, no passwords at all.

    1. Re:Fingerprint login by Zadaz · · Score: 1

      > It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.

      Okay, maybe not a jello mold finger, but what about a Bic pen or a magic marker?

      Just because no one has figured it out yet doesn't mean they won't tomorrow, and with stuff from their junk drawer.

      Going with only a single authentication and calling yourself "secure" is foolish.

    2. Re:Fingerprint login by telbij · · Score: 1

      > Okay, maybe not a jello mold finger, but what about a Bic pen [wired.com] or a magic marker [wired.com]?

      Not to mention, as we all know from Hollywood, this will just encourage more cutting off of people's fingers.

    3. Re:Fingerprint login by Antique+Geekmeister · · Score: 1

      Nonsense. The problem with fingerprint biometrics is that the object being measured has poorly defined and definable measurable characteristics affected by body fluid content, dirt, sweat, ordinary wear and tear on hands, scarring from ordinary work environments, and which noticeably alter over time. Once you've made a system that can consistently identify the same user, you've introduced enough slack to easily match fairly poor fakes. These include the demonstrated "gummy finger" technique of taking a stored fingerprint image from a police file or successful fingerprint lifted from a casual contact, embedding it on a gelatin fingertip, and getting better than 80% success faking out the best available fingerprint sensors.

      The distortions due to synthetic fingerprinting are basically indistinguishable from those inherent in a slightly clever fake fingerprint. And unfortunately, sensors that can reliably determine the presence of a live finger as opposed to a fake finger are hideously expensive.

  12. The video by pablodiazgutierrez · · Score: 4, Informative

    Mythbusters on fingerprint hacking, here thanks to Gootube.

  13. Suggestions by TheNetAvenger · · Score: 4, Informative

    > and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs

    This is true of Windows XP, but not Vista. There are tricks to make Fast User Switching work in XP; you might want to check into them, although I wouldn't recommend them and would enforce a user policy that would just force the users to log off. (Make sure the policy is not just on the machines, but an employee manual policy as well, so that users log off when they are done.) You might also put in plans for Vista in any planned upgrades for your systems if this is important to your organization, to allow the multi-user access method in a domain environment.

    Stay away from fingerprint biometrics (and variations) for true security, even though they are nice in that the user doesn't have to carry a card or device with them. You can easily circumvent them by lifting a fingerprint of the user from a glass, for example, and using it to gain access to their login.

    One technology that has a high level of security is tablet or signature sign-on devices. The user signs their name. This is hard to defeat for most of the advanced devices, as they not only do a recognition of the input, but also compute the stroke pressure, speed, etc. So it makes it virtually impossible even for someone that can copy signatures to circumvent, as they don't use the same pressure, speed, angle, etc. as the real person. This is using the cool parts of Ink technology in that it is not just the image created, but all the other stored information making the signature very unique.

    However, for true security go with a Smart Card solution. It does require the users to carry a card or device with them - look at cell phones and other devices that are implementing this technology, that way users don't have to carry a card. There is a reason casinos and gold mines use this technology, and if the user loses the card you can easily disable the card from the central domain and replace it with a new card for the user. These devices are also nice in that many non-computer devices use them, and employees can also use the same card for access to doors, phones, and other types of security and access throughout the building. So if you need other levels of access or security later on in your organization the same device can be used for authentication away from the computer.

    Do some research and start with the main sites on security. They will have plenty of solutions and suggestions for helping with your login and security. Even go to MS's website and look up smart cards and biometrics since you are using Windows workstations.

    Good Luck.

    1. Re:Suggestions by r3m0t · · Score: 1

      Vista is exactly what I thought when I read the post as well. Fast User Switching ftw! Eheh.

  14. Re:I use a similar system by Average_Joe_Sixpack · · Score: 0, Flamebait

    And then I pull it out of the BioSensor and fuck your girlfriend in the dumper.

    Ha you fool! ... I don't have a girlfriend so your system is worthless!

  15. RSA SecurID for Windows Works Great by madsheep · · Score: 0

    Yes, we have deployed a great alternative to password based authentication at work. We have done this by deploying RSA SecurID for Windows. This is completely free so long as you already have an RSA Authentication Manager (ACE/Server) infrastructure. This allows us to use our passcode (your PIN) + tokencode (your changing code). We also require them to use their Windows password in addition to this. You can enable "Windows Password Integration" which will remember it for you, so the users never have to remember their password. However, due to certain levels of sensitivity we opt not to do this. In theory someone that admins the Unix ACE/Server we run could set a temporary or emergency passcode/password in place of a token and bypass the whole process. Requiring both is a bit more secure.

    In any event using RSA works well. Getting tokens and all that is not free obviously, but if your environment already uses them.. this is easy to deploy. Sure it can be a PITA if your tokencode changes while you're typing or if you lock your workstation/unlock it frequently (meaning you have to wait for a tokencode change) but it does a great job and provides a nice two-factor solution.

  16. How can we do your job for you... by Zwack · · Score: 2, Insightful

    If you don't give us enough details...

    I've used SECURID tokens and they work, but they're slower than regular login/logout methods.

    Are you trying to lock access to the desktop or is the desktop being used as a dumb terminal to some random application?

    If the latter then can you just lock down the desktop and modify the application?

    I'm thinking that this is for something like a time card system, where people walk up, sign in/out and walk off. Given that you're saying speed is of the essence then it seems that that is likely. Have you considered a commercial offering? I am sure that most of the vendors have some sort of solution to uniquely identify particular individuals.

    Magnetic stripe card containing a private key and a passphrase (pin?) known by the employee would work.

    If you need to grant them full access to the windows PC then why are you worrying about security in the first place...:-)

    Z.

    --
    -- Under/Overrated is meta-moderation, and therefore is Redundant.

  17. tweakui by Bing+Tsher+E · · Score: 1

    On some Windoze machines, I just install tweakui. Then you can enter the password into a GUI form in the tweakui applet on the control panel, and voila you don't need to enter it again.

    Another alternative on some versions of Windows is just to click the 'cancel' dialogue button each time, or better yet, just leave the password blank the first time you log on the newly installed system. This works for Windows 9x and Me, and is a great alternative to password authentication.

    These methods are very secure if used on stand-alone machines or machines that are not on world-connected networks. You just lock the door on the room or building they're located in.

    1. Re:tweakui by kyouteki · · Score: 1

      Physical security is just not good enough. Yes, I believe everything I see in the movies.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:tweakui by Bing+Tsher+E · · Score: 1

      If somebody breaks into my house and reads the ebay password I have on a sticker stuck to the frame of my monitor, the last thing I am going to worry about is him having my ebay password.

      First off, he's killed the dog (to get into the room with the computer) so I have that to worry about (my wife really likes that dog.) Second, he's stolen the little notebook with all the other passwords written in it. Third, he's probably knocked over the piles of electronic gear, books, test equipment in getting to the monitor/keyboard where I sit, so it's all a total mess. And he has root access on my system? Yeah. I guess so.

  18. Auth strength should match the sensitivity of data by Anonymous Coward · · Score: 0

    If I may inject something here, it's that authentication strength should be appropriate to the data and resources being protected.

    For many of us (admins, etc) we need strong authentication. But there are special situations where the data and access being protected are either not particularly sensitive, or other safeguards are in place.

    Some closed networks with non-sensitive data might very well benefit from authentications that we as techies consider "weak". The overall risk from an exposure/breach frankly just might not be very high.

    That being said, as a horror story I can tell you I tried something similar about 4-5 years ago with fingerprint readers. Ugh. Not only did fingerprints not get reliably read on the best of days, but the software was bad too - there was just no way to integrate completely. Perhaps that stuff's matured somewhat by now.

  19. You're talking about a SunRay by Colin+Smith · · Score: 1
    --
    Deleted
  20. Remove passwords by Anonymous Coward · · Score: 5, Insightful

    We tried a very radical idea. The committee of naysayers and control freaks tore their hair and banged desks to try and stop us from doing it. After 6 months I can happily say it worked, the move is vindicated and the frightened little control freaks had to eat their words and admit it is pure genius. :)

    We removed all our passwords.

    Obviously this doesn't suit everyone. We are a smallish organisation with less than 50. The idea that everybody could actually be trusted inside the organisation was central, as was the fact that most are not very computer minded and basically quite thick when it comes to remembering passwords. The point being that if anyone inside the organisation could *NOT* be trusted then we were screwed anyway, passwords or not. The move coincided with a massive revamp of network structure, a very restrictive new firewall and password-free ACL, basically cutting the intranet off from the outside except for a few key workstations that need general WAN access; everything else is VPN. So now you can just walk up to any console, type your login name and get access. We can still log who does what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other, anybody can use anybody else's login if they wish. In 6 months I haven't seen anybody do that, because there is no need to. Sunlight is a great disinfectant. Obviously this would not work in a paranoid organisation where everybody is at each other's throats, or it would radically change everything if you did try it.

    Sometimes you have to take a step back to see the wood for the trees.

    1. Re:Remove passwords by gregmac · · Score: 2, Informative

      So now you can just walk up to any console, type your login name and get access. We can still log who does what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other anybody can use anybody else's login if they wish. In 6 months I haven't seen anybody do that, because there is no need to.

      You mean, you haven't seen anyone do it because you 1) have the hope/assumption that everyone is honest, and 2) wouldn't be able to see it if they were semi-smart at all.

      What I mean by that, is if the guy getting paid minimum wage out back wants to see what his supervisor makes, he just logs on as someone in accounting or HR (or whoever has access). Since they'd normally need to access accounting data, nothing would look out of the ordinary.

      It's a nice bubble to live in, but people (in general) do not remain honest all the time. Things happen.. People get angry, fed up, etc etc. I don't want to come off sounding like a paranoid nut, but there are so many deeper issues with doing a setup like this. If someone does download sensitive data and say, sells it to your competitors, you wouldn't be able to know who did it - since it's likely that the perpetrator would have just logged on to another account. If someone downloads child porn, and the feds come knocking, you wouldn't be able to help them.

      I think part of what you're going for can be accomplished using passwords.. as long as you treat them the right way. Make it clear that it's not a matter of mistrust or IT trying to be control freaks.. it's simply a matter of accountability. My guess is you're going to run into major (legal?) problems in the future when some kind of incident happens, especially if you don't take due diligence, like having passwords.

      --
      Speak before you think
    2. Re:Remove passwords by dbIII · · Score: 1
      Interesting. You have complete confidence that clients, salesfolk, employees' children or the many others that are let into workplaces will not do anything that will make life difficult with your computers? Also, logs are good for finding out why the trainwreck happened, but they don't prevent it.

      I worked in a place where everyone knew everyone else's password, which was a bit more dysfunctional than you describe above. They were forever playing jokes on each other this way - the place was infested with spyware and you could never be sure who really was sending you an email - all it takes to start is one idiot who cannot be trusted.

      As for biometric information - you can take my fingerprints from my cold dead hands! Personally I see it as a flawed technical solution to a social problem to aid the lazy - people want an easy way to log in and do not want to remember a password or passphrase or carry some sort of key.

    3. Re:Remove passwords by OnlineAlias · · Score: 1

      I sure hope you don't have me as a customer. I would sure hate to have my information tied to a system that has absolutely no integrity. In addition, if you lose one bit of sensitive information, either about an employee or a customer, your company is going to get sued to within an inch of its life, I assure you. If it gets to the media you will not only get sued you will probably go out of business.

      I am a long experienced information security officer for a large organization. One thing I have learned is that, by default, everyone thinks that they are a security expert. Your control freaks had no idea why they wanted access controls, and you had no idea the ramifications of removing them. But both sides think they are experts I am sure, and neither have any training on the subject.

      I'm not saying anything will ever happen, maybe it won't. But I sure wouldn't want to be you or your organization if it does.

    4. Re:Remove passwords by silas_moeckel · · Score: 1

      I would guess you have no compliance issues to deal with then. Assuming you're a US company, that means a privately held company, not in the medical field, that does not store credit card info (or at least does very little total $ on CC transactions), does not store much of anything useful in electronic form (say your tax info), and whose HR department uses typewriters could get away with this. I would guess some places like that exist, but I can't think of any with 60 people. I wonder what the legal dept thinks about it; I can see their heads exploding when somebody tells them that anybody can access the electronic HR records of anybody else.

      --
      No sir I dont like it.
    5. Re:Remove passwords by TheRaven64 · · Score: 2, Insightful
      Great idea. I did some consulting for a company that had this exact policy. No passwords anywhere - after all, it made life a lot easier for everyone. Until, that is, one of the managers decided to walk off with a copy of the customer database and set up his own, competing, company. Since there was no access control, it was impossible to determine what he had touched and copied or damaged.

      Just because you trust everyone now doesn't mean that you shouldn't, for accountability reasons, maintain adequate activity logs, and if people use each other's accounts all the time then you will find it impossible to tie any action to an individual.

      --
      I am TheRaven on Soylent News
    6. Re:Remove passwords by b0s0z0ku · · Score: 1
      I would guess you have no compliance issues to deal with then. Assuming you're a US company, that means a privately held company, not in the medical field, that does not store credit card info (or at least does very little total $ on CC transactions), does not store much of anything useful in electronic form (say your tax info), and whose HR department uses typewriters could get away with this.

      But most Windows 2003 servers I've seen aren't set up to do logging in detail anyway. So, "who accessed what" would be difficult to figure out anyway if there was a security breach.

      This system isn't really horrible in a tiny company, especially because in tiny corps, passwords are often common knowledge anyway. With many small companies, the *only* things that are really confidential are the HR records and possibly tax records. If you're worried, encrypt those records and those alone with a key stored on several identical USB keys.

      -b.

    7. Re:Remove passwords by Anonymous Coward · · Score: 0

      "Personally I see it as a flawed technical solution to a social problem to aid the lazy - people want an easy way to log in and do not want to remember a password or passphrase or carry some sort of key"

      If only it were that simple. See... I have a password for AD. A password for Bloomberg. One for HR/PeopleSoft. Another for Dell Premier. One for Warcraft and another for my guild login. 14 billion email accounts. All with different password strength requirements. And you think it's because *I* am lazy that I bought Digital Persona Pro and saved all my passwords?

    8. Re:Remove passwords by silas_moeckel · · Score: 1

      I think you're missing my point: like it or not, if you have any compliance requirements, or even due diligence to ensure things are secure, you will need to have passwords to accounts that can access the data and administrate those accounts. When you're talking about compliance, if you're storing CC data, password requirements are a whole section of the requirements docs, and so are audit trails. The honor system isn't going to make it too far in court either when somebody sues because their HR data was being sold on the internet.

      As to most Windows servers, most servers are configured badly if at all, especially around security. Audit logs are nice if they live somewhere besides the server. It's not MS's fault, as security is more about building systems that are resilient to attack and leave paper trails when they are attacked, which isn't something any one part of the system can do on its own. But all these things have to be weighed, risks vs cost.

      --
      No sir I dont like it.
    9. Re:Remove passwords by a.d.trick · · Score: 1
      Make it clear that it's not a matter of mistrust or IT trying to be control freaks.. it's simply a matter of accountability.

      In my experience it's not even that. It's a matter of mis-communication. In almost all cases people screwing up data is completely non-malicious. Keeping sane permissions on stuff doesn't make it all better, but it can help sometimes.

      Nevertheless, every situation is different and if this guy can get away with a trusting environment then more power to him. Trust is a powerful thing, if only it wasn't so fragile.

    10. Re:Remove passwords by Sagachi · · Score: 1
      We removed all our passwords.
      Sounds like a haven for misbehavior - depending, of course, on what everyone has access to. It also sounds like excellent incentive for your smartest people to leave.

      Password-based authentication serves a purpose - it is a way to force you to prove that you are who you say you are (i.e. your username). Then, in most cases, your username is tied to credentials, which determine which systems and data you have access to (access control). This way we differentiate between the CEO who has access to confidential or valuable company data such as payroll and accounts, vs. the receptionist who only needs to read a spreadsheet of phone extensions.

      Now you have created a situation where the receptionist can sign on as the finance manager and walk away with the company's bank account. For that matter, the finance manager has plausible deniability too - "No, I didn't steal that money, anyone could have signed on with my username!"

      If anyone in a position of responsibility were not worried about guarding their information, I would suspect them of criminal activity. (This has happened, too, where a manager gave employees his password, thus creating an environment where he could steal, and it could never be proven that he did it.) If you were championing such an idea, I would suspect you of collaborating in theft or fraud. If any such incidents happen at your workplace, you can bet that when the cops come, you'll be under that sixty-watt bulb in a concrete room.

      Why don't you have everyone use the same user name? There is no way to differentiate, now, anyone can use anyone's username, so what's the point of having different usernames? For that matter, why even use a logon process? Your computers ought to just be open kiosks if that is your business need.

      If you have any significant reason to differentiate usernames, then you have a reason to enforce them, and a reason to use passwords. Think about it.
    11. Re:Remove passwords by k31bang · · Score: 1

      So in other words....... It's better to zigzag instead of going in a straight line, even if a trained enemy can get around the zigging and zagging, as it gives you a perfect excuse if things go wrong. That excuse being "Well I zigzagged just like I was supposed to, don't blame me". :-)

      --
      -+-=-+-=-+-=-+-=-+-=-+ *** http://www.mountainfort.com *** +-=-+-=-+-=-+-=-+-=-+-
    12. Re:Remove passwords by Antique+Geekmeister · · Score: 1

      No, I can get your fingerprint from your unwashed coffee cup or the pen I loaned you or your bathroom door on your way out. They're fairly easily lifted with transparent tape.

  21. DNA by nurb432 · · Score: 4, Funny

    After you sell your soul to work for us, we require a drop of blood each morning to be able to access the building and then again to access your pc.

    It's effective, but we have noticed a rise in healthcare costs.

    --
    ---- Booth was a patriot ----
    1. Re:DNA by MalHavoc · · Score: 1

      Hey, it worked in Gattaca.

    2. Re:DNA by ArmedGeek · · Score: 1

      Actually, it didn't work. The whole movie centered around a guy who defeated that security measure.

      --
      Work is punishment for failing to procrastinate effectively.
    3. Re:DNA by MalHavoc · · Score: 1

      some people don't get sarcasm, I guess :)

  22. Let's just pay to get Sam Fisher whacked. by Channard · · Score: 1

    After all, he seems to be responsible for half the data-theft and hard-disk stealing that goes on. Murderising him would reduce the chance of your data being stolen by half.

  23. Authentication Options by information_storage · · Score: 1

    There are fingerprint and ocular authentication devices out there, but I wouldn't want to give anyone a reason to remove my finger (or my eye for that matter).

    Many people use a USB drive with an RSA key or a smart card. Windows implemented BitLocker in Vista (Ultimate and Enterprise editions), which is basically file system encryption that can be authenticated with a password and/or external key.

    The most straightforward and easy option in my opinion is to use a passphrase (something much longer than a password). A password or phrase with 25 - 45 characters would surely give you great security against brute forcing etc.

    This all depends on what kind of security you need. If you use a good password, then it is probably not the weakest link in your security. If the information you are trying to protect on the hard drive can be easily taken out of the computer (physically), then you may want to look into file system encryption or steganography (if you want plausible deniability).

    1. Re:Authentication Options by fred+fleenblat · · Score: 1

      I agree with your sentiment, and additionally things like fingerprints and retinal scans cannot be re-issued if compromised. This isn't a problem yet, but as biometric tokens are more widely used and thus more widely attacked it will become a problem.

  24. SunRay Thin Clients by thanasakis · · Score: 2, Interesting

    Although the article specifically states that this is a Windows solution, I think it's worth noting that SunRay works exactly like this. You put in the smartcard, your previous desktop session is instantly restored, you do what you want to do, you pull out the card. Your desktop session is preserved and is terminal independent.

    As for the lack of Windows applications, it is actually possible to do it even on SunRays, although admittedly it is not particularly suitable for the small scale that the article submitter implies.

    Anyway, you might take a look at those two links, and if you must absolutely use PCs (SunRays are more suitable for the job the article is outlining), take a look at Citrix also. I don't know whether they do smartcards though.

    1. Re:SunRay Thin Clients by funwithBSD · · Score: 1

      We are doing this right now for just us SA's.

      Citrix gives us the couple of applications we can't replace. Visio and Lotus are really the gotchas.

      --
      Never answer an anonymous letter. - Yogi Berra
  25. Why not passwords? by SomethingOrOther · · Score: 0

    Why not passwords?
    If passwords don't work for you then you need to tell us why not, otherwise we can't help you.

    They work well for most of us, and if it ain't broke, don't fix it.
    Retina scans, 007 and RFID might look cool, but what advantages will they offer you?

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
    1. Re:Why not passwords? by Anonymous Coward · · Score: 0

      Because they are easily cracked, and they have been for years.

      It's too easy for someone to get a hold of your account by cracking the password.

      Don't get me started on biometrics either.. fingerprints are 10 static passwords, and they're usually stored in the clear somewhere.

    2. Re:Why not passwords? by b0s0z0ku · · Score: 1
      Because they are easily cracked, and they have been for years.

      But the average non-IT schmuck working for a company won't have the knowledge or ability to crack a strong password successfully. If they try a dictionary attack, you can have the system scream bloody murder to IT as well as disabling the account after (say) 5 failed attempts in a given time period.

      -b.
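
The failed-attempt lockout and alert that b0s0z0ku describes, worked through as an added example (not from any poster in the thread): a sliding window of failures per account, an auto-expiring lockout, and an alert hook for IT. The log lines and their field layout are constructed for the example, not real Windows event output; the thresholds (5 failures in 10 minutes, 30-minute lockout) are assumptions.

```python
"""Sliding-window failed-logon lockout with an alert hook.

Added example, not from the original thread. The log lines below are
constructed; the field layout "<ISO timestamp> <OK|FAIL> <account> <host>"
is assumed, not any real Windows event format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # "(say) 5 failed attempts"
WINDOW = timedelta(minutes=10)   # "...in a given time period"
LOCKOUT = timedelta(minutes=30)  # auto-expiring, so no 24-hour help-desk ticket

# Constructed sample: jsmith slams five wrong passwords in ten seconds, then the
# right one; mjones fails once every ~20 minutes and never trips the window.
SAMPLE_LOG = """\
2006-05-01T08:00:01 FAIL jsmith KIOSK-1
2006-05-01T08:00:04 FAIL jsmith KIOSK-1
2006-05-01T08:00:06 FAIL jsmith KIOSK-1
2006-05-01T08:00:09 FAIL jsmith KIOSK-1
2006-05-01T08:00:11 FAIL jsmith KIOSK-1
2006-05-01T08:00:14 OK   jsmith KIOSK-1
2006-05-01T08:02:00 FAIL mjones KIOSK-2
2006-05-01T08:20:00 FAIL mjones KIOSK-2
2006-05-01T08:31:00 OK   jsmith KIOSK-1
2006-05-01T08:40:00 FAIL mjones KIOSK-2
2006-05-01T09:00:00 FAIL mjones KIOSK-2
2006-05-01T09:20:00 FAIL mjones KIOSK-2
2006-05-01T09:20:05 OK   mjones KIOSK-2
"""


class LockoutMonitor:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW,
                 lockout=LOCKOUT, alert=None):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> when the lockout expires
        self.alerts = []                    # default alert sink: collect messages
        self.alert = alert if alert is not None else self.alerts.append

    def is_locked(self, account, now):
        """True while a lockout is in force; expired lockouts are cleared lazily."""
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[account]
            return False
        return True

    def record(self, ts, result, account, host):
        """Feed one logon event; returns ALLOW, FAIL, LOCKOUT or LOCKED."""
        if self.is_locked(account, ts):
            # Even a correct password is refused until the lockout expires.
            return "LOCKED"
        recent = self.failures[account]
        if result == "OK":
            recent.clear()  # a good logon resets the failure streak
            return "ALLOW"
        recent.append(ts)
        # Drop failures older than the window so a slow trickle never locks.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[account] = ts + self.lockout
            recent.clear()
            self.alert(f"{ts.isoformat()} LOCKOUT {account} from {host}: "
                       f"{self.max_failures} failures within {self.window}")
            return "LOCKOUT"
        return "FAIL"


def replay(log_text, monitor=None):
    """Run the monitor over a log; returns (monitor, [(account, decision), ...])."""
    monitor = monitor or LockoutMonitor()
    decisions = []
    for line in log_text.splitlines():
        ts_s, result, account, host = line.split()
        ts = datetime.fromisoformat(ts_s)
        decisions.append((account, monitor.record(ts, result, account, host)))
    return monitor, decisions


if __name__ == "__main__":
    mon, out = replay(SAMPLE_LOG)
    for account, decision in out:
        print(f"{account:8s} {decision}")
    for msg in mon.alerts:
        print("ALERT:", msg)
```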

  26. X.509 Certs on USB drives? by Anonymous Coward · · Score: 0

    You really didn't tell us the whole question I fear.
    - How long is the typical access period?
    - how many accesses are required per person per day/period?
    - is the system networked?
    - how many users?
    - are they all located in the same room/warehouse or spread across the world?
    - is centralized authentication required; is there a high turnover rate for workers?
    - Do the users need access to a general PC or just 1 specific application?
    - Web App or thick client?
    - Users can only be connected from a single PC at a time?

    Ok, I'll assume you only have a few locations with 10 folks sharing a single networked system running 1 application with only 1 active connection/login at a time.

    With these assumptions, why not give each user a located USB drive they can wear around their neck or wrist. They hold an x.509 cert and a PIN that the application checks. The cert contains the identity and public version. The PIN does a little to prevent sharing of the USB drives. CF could be used. Floppy disks could be used or a smart card. Be certain the same device lets the workers in and out of the building and into the toilets. If they don't bring it to work, they lose a day's pay and get written up.

    What is the worth of what you are protecting?
    What is the cost for each failed access in $$$? Convert lost time and lost opportunity into $$$.
    What happens if the main system that performs the authentication fails and nobody has access?
    What happens if you distribute the authentication and someone steals the computer/drive?

    RFID and fingerprints are a joke from a security standpoint. Not worth your time.

    There are many more questions to ask ...

  27. Re:I know i know! by El+Torico · · Score: 1
    --
    In the land of the blind, the one-eyed man is usually crucified.
  28. True Story by LunaticTippy · · Score: 1

    According to KVM over ethernet, yes.

    --
    Man, you really need that seminar!
    1. Re:True Story by Firehed · · Score: 1

      That must be why Schrodinger used a cat instead of a mouse...

      --
      How are sites slashdotted when nobody reads TFAs?
  29. SnakeCard by mpapet · · Score: 2, Informative

    This guy probably has what you are looking for.

    His application runs a little on the secure side, but he's got it integrated nicely into ActiveDirectory.

    He's a programmer more than a marketing guy, so his site's a little rough around the edges. Cards/Application works beautifully for me though.

    http://www.snakecard.com/

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  30. Why not ID badges? by vertinox · · Score: 5, Insightful

    It has always occurred to me we might as well use our badges to log in since if someone has access to our security badge, they can get into the office anyways and use a USB or a boot CD to get to our hard drives anyways.

    I suppose we would then only have to worry about our coworkers stealing our badges to do nefarious stuff as us, so perhaps we could combine it with a thumbprint scanner and maybe a PIN.

    Still, I guess one could beat the password out of the poor worker, steal his badge, and then cut off his thumb... Or maybe kidnap his kid and blackmail him.

    Seriously, unless you are working in a government agency, I don't see any more security you are going to get out of a badge through and a thumbprint.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
    1. Re:Why not ID badges? by Adam9 · · Score: 1

      Many times a network login will get you into the computer and to other networked resources, which a USB or boot CD won't get you.

    2. Re:Why not ID badges? by radtea · · Score: 3, Insightful

      Still, I guess one could beat the password out of the poor worker, steal his badge, and then cut off his thumb... Or maybe kidnap his kid and blackmail him.

      Or you could say, "Hey Joe, I need your card, can I get it?"

      I once maintained a mission-critical database system for a large physics experiment, which used barcode readers to determine who assembled what parts of the detector. On my first visit to the cleanroom where the actual assembly was taking place I found a piece of wood that had stickers with everyone's barcode printed on, so any old assembly worker could become the supervisor, for example. It turned out that the database had some deep issues that made it practically impossible for the workers to actually do the assembly without lying to it. And because it was all hand-rolled C++ spaghetti that was actually trying to get an adequate solution to an NP-hard problem under some severe constraints, it wasn't practical to change it. Nor was it actually necessary, because the workers were really trying to do the right thing, they just couldn't.

      But the experience made me very aware of how easy it is for co-operative workers to fake reality big-time without the system being at all aware of it, and most password/identity schemes are subject to this. Some kind of deep biometrics really does seem to be required, but unless they are very reliable, fast, easy to use and unobtrusive they won't be used. And some, as others have pointed out regarding optical fingerprint readers, are very easy to game.

      --
      Blasphemy is a human right. Blasphemophobia kills.
  31. Nooooooooo! by Anonymous Coward · · Score: 0

    You just gave me this horrible vision of someone combining KittenAuth with that dog for those Bacon Bits that always goes "Bacon! Bacon! Gotta find the bacon!!!" Spammers don't know it's not bacon!

    Damn commercials, all this time and it's still rotting my brain!

  32. Smart Cards DON'T trigger logoff on removal by GIL_Dude · · Score: 2

    We use SmartCards on 70,000 Windows XP machines. Smart Card Removal behavior is something you can set. Anything from "do nothing", "lock screen", etc. Anyway, they don't cause a logoff unless you wanted them to.

    Be aware that all of the alternate auth systems I have seen so far (including Smart Card) have lots of caveats. Some want to load a custom GINA. Resist this (read: NO, don't load that GINA). Most don't work right for multi-domain scenarios (where you are in domain 1, and want to connect or maybe map a drive to domain 2 which is an untrusted domain).

    Anyway, be ready for things like a "self service" site to reset PINs and lots of user training for what to do when their web browser or email client all of a sudden asks for a "user ID and password" and won't accept a token, card, etc.

  33. two choices by Lumpy · · Score: 1

    Smartcard - works great, works under Windows, Solaris, OS X, Linux, BSD. Proven and used by many corporations.

    SecurID - Works great, same as above. Costs money every month for service, significantly higher security than the smartcard or other systems.

    --
    Do not look at laser with remaining good eye.
  34. At work.. by kbox · · Score: 2, Funny

    .. We use colonic mapping. It's a pain when I leave my colon at home though, and I have to borrow my friend's just to get into the canteen for a coffee.

  35. Biometrics are hazardous to security!!! by Tumbleweed · · Score: 2, Insightful

    Okay, let's say you get all your biometric info stored somewhere for secure access to something. Inevitably, some site that has your info stored will be hacked (this will always happen), and your biometric information is now out there in the wild. Enterprising hacker can then submit *that* biometric info to sites AS YOU to gain access.

    How is this different from passwords, you say?

    You can change your damned compromised passwords! Once your biometric info gets out there, you're compromised for LIFE.

    My advice is to avoid all instances of biometric 'security'. Forever.

    1. Re:Biometrics are hazardous to security!!! by jeff300 · · Score: 1

      Buddy, get a clue. At least do some research. Biometric systems do not store any record of your biometric (fingerprint, retinal scan data, voiceprint, etc.). They store a hash. To authenticate you, you provide your data to the scanner each time you need to authenticate and the information is hashed in real time while your finger/eye/whatever is being scanned. The hashes are then compared. The live data is never stored anywhere.

    2. Re:Biometrics are hazardous to security!!! by Zadaz · · Score: 2, Insightful

      True enough, though a hash could be exploited with some kind of injection attack.

      However what if, instead of getting their hands on my hash, they get something that looks like my finger, at least to a sensor?

      Well then I am fucked, and the argument about consequences are real. Can't change my finger. Well, I can up to 10 times, but an authentication scheme with only 10 possible hashes is obviously lousy.

    3. Re:Biometrics are hazardous to security!!! by Toveling · · Score: 1

      The other reason why it's different from passwords is because alphanumeric one-way cryptographic hashes are (relatively) trivial. There is no MD5 equivalent for thumbprints or otherwise. For now, the data itself has to be stored (as parent says), not an independent representation of it.
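
The three replies above disagree about whether a biometric can be stored "as a hash" the way a password is. As an added illustration (not from any poster in the thread), this contrasts exact-match verification of a salted password hash with threshold matching of a noisy template; the 64-bit template, the bit-flip noise model and the threshold are constructed for the example and only stand in for real minutiae encodings.

```python
"""Password hashing versus biometric template matching.

Added example, not from the original thread. The 'template' is a constructed
64-bit vector standing in for a fingerprint encoding; the noise model (a few
random bit flips per capture) and the threshold are assumptions.
"""
import hashlib
import hmac
import os
import random

TEMPLATE_BITS = 64


# --- Password side: the attempt must match exactly, so only a salted slow hash
#     of the secret needs to be stored and a leaked hash is not the secret. ---
def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


# --- Biometric side: every capture of the same finger differs slightly, so the
#     verifier needs a distance to the enrolled template, not a digest of it. ---
def noisy_capture(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh scan: the enrolled template with `flips` random bits changed."""
    sample = template
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        sample ^= 1 << pos
    return sample


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def verify_template(sample: int, stored_template: int, threshold: int) -> bool:
    """Accept if the capture is within `threshold` bits of the enrolled template."""
    return hamming(sample, stored_template) <= threshold


def hash_matches(sample: int, stored_digest: bytes) -> bool:
    """What a 'just hash the biometric' design would have to do: exact comparison."""
    digest = hashlib.sha256(sample.to_bytes(8, "big")).digest()
    return hmac.compare_digest(digest, stored_digest)


def demo() -> dict:
    """Run both schemes on constructed data and report what each one decides."""
    salt, stored = hash_password("correct horse battery")

    rng = random.Random(2006)  # fixed seed so the run is repeatable
    enrolled = rng.getrandbits(TEMPLATE_BITS)
    enrolled_digest = hashlib.sha256(enrolled.to_bytes(8, "big")).digest()
    same_finger = noisy_capture(enrolled, flips=3, rng=rng)  # legitimate user, sensor noise
    other_finger = rng.getrandbits(TEMPLATE_BITS)            # a different person

    return {
        "password_ok": verify_password("correct horse battery", salt, stored),
        "password_wrong": verify_password("correct horse batteru", salt, stored),
        # Threshold matching tolerates the noise; an exact digest comparison does not,
        # which is why the template itself (or an invertible encoding) ends up stored.
        "template_accepts_noisy": verify_template(same_finger, enrolled, threshold=8),
        "hash_accepts_noisy": hash_matches(same_finger, enrolled_digest),
        "template_rejects_other": not verify_template(other_finger, enrolled, threshold=8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value}")
```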

  36. Novell NMAS by IgorMrBean · · Score: 1

    The Novell NMAS framework is a modular authentication schema. You can have multifactor (password, bio, token, smartcard, etc. etc.) authentication and/or identification. Lots of devices allow you to have an NMAS sequence. I've set up some setups like this, for hospitals, which require quick login/logout. You can easily integrate that with Windows. Support for other platforms is also available.

    --
    Mess with the best, die like the rest
  37. Suggest typing with a keyboard under the desk... by Anonymous Coward · · Score: 0

    If you don't have the money, typing with a keyboard that's UNDER the desk (but you have to be able to type without looking at your hands...) and using lots of shift characters in passwords is almost as good. And change your passwords every month! Can you type without moving your mouth?

  38. Why even use biometric??? by simulacra-norm · · Score: 1

    I have no clue as to why you would need to use biometrics. If you set password policies to have users create complex passwords, plus have a lockout policy after three unsuccessful tries, there is no need for biometrics. Sure there is the coolness factor, but that does not make all the extra effort to maintain the system worth it. The simple fact is that if someone has physical access to a computer any type of security can be broken. Besides, BM can be cracked by lifting the fingerprints. Just set some common sense rules down and I doubt that you will ever have a problem.

    1. Re:Why even use biometric??? by Anonymous Coward · · Score: 0

      People like you are the reason why regular users write down their passwords on post-its and stick them on their monitor.

    2. Re:Why even use biometric??? by grikdog · · Score: 2, Insightful

      "Lockout policy after three unsuccessful tries." What a wonderful idea! The people we hire to use computers are not very good at remembering their passwords, but they are excellent at generating a huge volume of daily throughput at 50 cents a whack once the damn thing starts up. Some moron in IT actually DID set the lockout (to five tries), but our energetically self-starting production drones can slam all the way to lockout in about 30 seconds before it dawns on them that the pointy-haired guy has everybody's password on post-it notes in his desk drawer, and they should just ask. Yes, 24 hour lockout! This requires a supervisor's attention, who has to call THE COMPANY WIDE HELP DESK, which answers tickets IN THE ORDER THEY ARE RECEIVED from ALL OVER THE GLOBE, before some Recent College Graduate can reset the password before the automatic 24 hour lockout period has expired. In the half hour it takes to track down another workstation, our accomplished drone has tanked $50 of income, and the company slams $200 in parentheses.

      --
      ``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
    3. Re:Why even use biometric??? by thogard · · Score: 1

      There are thousands of bots scanning the entire net logging in to ssh connections as "bob" and giving a few password attempts.
      That has a few interesting effects. If it logs in, then someone has an account that I expect they can find a root kit for. The second issue is that it tends to lock out sysadmins so they can't login to fix other problems.

  39. Get a Mac, no serious by guruevi · · Score: 1

    Mac OS X supports "fast user switching" with any type of authentication because the authentication daemon is separate from the process.

    Furthermore, RFID (RSA) tags, keycard, iris scanning - see what you can AFFORD. You're probably not the NSA so you can't just spend any type of money. Good iris or fingerprint scanners (which are not easily fooled) are quite expensive if you need them for each terminal.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  40. Simple... complete security needs 3 things... by Not_Wiggins · · Score: 1

    I wish I could claim this as mine, but someone else came up with it first. 8/
    To have security be complete, you need three things:

    1) What you have
    2) What you are
    3) What you know

    In a simple case, this could be accomplished by using:
    1) A SecureID fob
    2) Your finger print
    3) A PIN number

    Together, it makes trying to impersonate a user dang-near impossible.
    Of course, insert your own favorite 1,2,3's. 8)

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  41. Restricted physical access by davidwr · · Score: 2, Insightful

    I'm not being a smart-ass. In classrooms and other environments, restricted physical access to a bank of machines with a common, limited-rights user works well enough. It's implicitly what goes on in homes around the world, minus the "limited-rights" part.

    I wouldn't do that in most offices though.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  42. Sometime you have to ask yourself..... by sLaCkEr808 · · Score: 1

    Why bother? We use post-it note authentication. I can go to just about anyone's desk and find their login/password written on a post-it note. I also know for a fact that many people here keep a post-it note with their passcodes attached to their credit/debit cards.

    --
    There are NO stupid questions, but there are a LOT of inquisitive idiots. - despair.com
  43. Unfortunately, options are limited. by Anonymous Coward · · Score: 0

    Unfortunately, for the person who asked this, options are limited for items which work with most applications without forcing GINA replacement.

    Until something better comes out, your best bet is to bite the bullet, and go SecurID. It's not 100% secure, and it's not fast, but it does require "something owned and something known" to log in.

  44. Biometrics aren't passwords by Beryllium+Sphere(tm) · · Score: 1

    Their key security property is uniqueness, not secrecy.

    A password (in theory) identifies you because you're the only one who knows it. That identification property can be lost in a heartbeat to a phishing scam.

    Biometrics need a different set of precautions. Recording and replaying the biometric information isn't an issue if there's a trustworthy path from the sensor to the database and a security guard who will challenge anybody who holds a severed finger up to the reader.

    You've been using biometrics for identification your entire life. You recognize family and coworkers by facial geometry in person and by voice over the phone. There's no need to "revoke" a face if someone takes a photograph of it.

    1. Re:Biometrics aren't passwords by radtea · · Score: 1

      Recording and replaying the biometric information isn't an issue if there's a trustworthy path from the sensor to the database and a security guard who will challenge anybody who holds a severed finger up to the reader.

      And since there is never a trustworthy path from the sensor to the database (anything can be hacked) and since it only takes one failure to permanently leak the data, you've made the GP's point nicely: biometrics are not secure. This does not make them useless, but it does mean that they are not sufficient. The important thing is that while the per-transfer risk of compromise is very small, the cumulative risk of failure approaches unity, and the cost of failure is extremely high because biometrics can't be easily changed.

      You've been using biometrics for identification your entire life. You recognize family and coworkers by facial geometry in person and by voice over the phone. There's no need to "revoke" a face if someone takes a photograph of it.

      Ignoring for the moment the problem of identical twins, we actually use far more than just biometrics to identify people. We use a lot of contextual information as well. I passed the sensei at my dojo on the street the other day and at first didn't recognize him because I'd never seen him in street clothes. I'm sure there must be an extensive psychological literature on how we identify people which might be of value to the computer-identity problem, and I'm sure there's a lot more than just biometrics involved. This is something that con-artists are aware of as well. Frequently context overrides biometrics in gaining people's trust. If you appear to be someone from head office, you will be treated as such even though no one has ever seen you before.

      But the deep problem remains: no matter what numerical representation of identity we use, it can always be copied, and once it has been copied it is very difficult to re-secure the system. It is the nature of bits that they can be copied, just as it is the nature of brain-states that they cannot (at least not yet.) So the fact that we use biometrics and other data does not mean that they are sufficient for a digital identity system. They are almost certainly the right starting point, but there remain some serious unsolved issues with the implementation.

      --
      Blasphemy is a human right. Blasphemophobia kills.
  45. Tag Trolling by Mateo_LeFou · · Score: 1

    I enjoyed attaching "itsatrap" to this one.

    --
    My turnips listen for the soft cry of your love
  46. Yeah..... by IHC+Navistar · · Score: 0

    It's called a crowbar.

    --
    Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
  47. HIPPIES! by bunco · · Score: 1

    Does your company design, manufacture and market hacky sacks?

    Without authentication, you can pretty much write off accounting. What happens when Chuck logs into Bill's workstation with Bill's username and deletes the secret recipe for the ultra-soft hemp yarn used for your product? Looks like Bill is out of a job.

    What happens when you decide you want to take credit card orders instead of using a system of bartering? AAA (authentication, authorization and accounting) is required by VISA PCI.

    "Every time you eat a steak, a hippie's hacky sack goes down the gutter." -- Patton Oswalt

    1. Re:HIPPIES! by jbengt · · Score: 1

      "Does your company design, manufacture and market hacky sacks?" If you could take a break from locking everything down, relax, and learn to kick, you'd say "footbags", and not be so uncouth as to say "hacky sacks". (hey, not that I've learned to kick any good, but my kids sure let me know how wrong I was to say hackysack.)

  48. Two good choices .... by RallyDriver · · Score: 1

    For added convenience compared to passwords, but similar levels of security, the fingerprint reader built into current Thinkpad laptops works very nicely.

    For a bit of added security without too much grief over drivers and special hardware, RSA SecurID is the gold standard ... it's not true public key crypto, and it is quite pricey at c. $130 a user, but it works with a normal keyboard, defends against replay and can be integrated into anything.

    1. Re:Two good choices .... by kingsqueak · · Score: 1

      I think key tokens would be too slow for this application; however, for anyone else interested in them:

      Look into Aladdin key tokens, they will work with freeradius so anything that can do radius auth will work. The licensing is FAR less than RSA's scheme.

  49. Sun-Ray by 0xG · · Score: 2, Informative

    I would hate to be the first one to say "try *nix" instead of Microsnot, but... I have seen Sun-Ray employed in a retail environment using ID cards, and was very impressed. The staff walk up to any terminal, insert the smart card, and instantly have their (previously disconnected, but still live) session re-established. As soon as they removed their cards, the session was disconnected pending resumption at any other terminal. No login, no restarting applications, etc. It was beautiful. On the downside, it does take bandwidth, and you may need to use a Sun server, which your app may not support. OTOH they may now support Terminal Services. Start here; HTH: http://www.sun.com/software/index.jsp?cat=Desktop&tab=3&subcat=Sun%20Ray%20Clients

    --
    A pox on web designers who feel that window.innerWidth == screen.availWidth
  50. Re:Why not ID badges? Because it is stupid! by donstenk72 · · Score: 1

    Any idea how many laptops are stolen with id badges in the side pockets?

    Besides that, it is stupid to make company data accessible by sticking a usb stick in a client. There _are_ ways of securing data - remote drive/homedir + encrypted local cache on client. Not exactly rocket science either.

  51. Biometrics and TPM by skswave · · Score: 1

    One of the best solutions that is both scalable and standards based is biometrics over Trusted Platform Module. As a disclaimer, I am the CEO of a company that supplies Dell's, Gateway's, and Intel motherboard solutions but other vendors offer the same. Here is how it works. You use your biometric only locally to unlock the certificates that are held on the embedded TPM. This can easily support multiple users and provides very strong authentication as the actual domain authentication is using PKI. These details are invisible to the user who only needs to swipe or use a backup PIN number. If you couple this solution with industry standard 802.1x you get a standards based approach that will grow with the organization and will not become obsolete. If you have purchased laptops in the past year they most likely already have the TPM in them as it has been shipping across all Business PCs for the last 6 - 12 months. For more information on this technology contact your OEM and/or their TPM software vendor.

    My experience with the biometrics daily as part of login is okay. It is very good if you are consistently positioned in front of the PC (like sitting at your desk), not so good if you are doing a presentation on a conference table and are at a bad angle to swipe. I would say about 2% of the time I fail 3 tries and have to resort to a PIN number to authenticate.

    If you have win 2003 server and active directory then you already own all the parts to set this up. You need a PC with a TPM and either integrated or separate biometrics.

    Good luck

    Steven Sprague
    CEO
    Wave Systems Corp.

    1. Re:Biometrics and TPM by bhima · · Score: 1

      I am interested in TPM and I was wondering a few things...

      is it possible to use it sort of backwards... put the module on a USB key for example... so that it is protecting the data on the key.

      How could one retrofit a TPM on devices without it to begin with?

      Are there development kits available (at reasonable prices)? With example schematics? With example code that's not dependent on Microsoft Windows and Visual Studio?

      My side gig is a small engineering and design firm... you could almost call this a 'vanity' login but I think a login token would be popular.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  52. Logical Access Control by caliboysteve · · Score: 1

    You're right, there are several solutions on the market and right now Microsoft is making a large move into the token market. If you're interested in talking about some different solutions check out our website www.actcom.org ... feel free to contact us (numbers on the website) and ask for IT ...

    Good Luck!

  53. You won't like this idea by xdroop · · Score: 1

    Sun Rays. You can configure them so that instead of getting a unix login screen, when the user puts in a smartcard they get greeted by a login for a Windows Terminal Server (either through the Windows Connector that now comes with the Sun Ray Server Software, or through RDesktop and some tedious hacking).

    Users login once. When they pull their cards, their sessions detach from the Sun Rays, but keep running on the terminal server. When they put their cards back in, they get their Windows desktops again, with everything still running.

    Presto, you get session portability, password-free (after the first time) login, centralized hardware, and no vulnerable data on the desktop.

    That said, as a sysadmin I'd kill kittens if they told me that my users were going to just plug in a smartcard to get access. Passwords are tedious, but they keep the lucky moron who finds a lost smartcard out of the system.

    --
    you should read everything on the internet as if it had "but I'm probably talking out of my ass" appended to it.
    1. Re:You won't like this idea by gr8dude · · Score: 1

      I'd kill kittens if they told me that my users were going to just plug in a smartcard to get access.

      Smart cards can be PIN-protected. N invalid PINs in a row, and the card is blocked (N is usually three, but it depends on the case). So smart cards are pretty secure, since they make brute-forcing NOT an option.

  54. When a laser is aimed at your eyeball by Anonymous Coward · · Score: 0

    Why on earth would anyone trust a programmer or engineer to NOT burn my retina (oops sorry about that!) or even purposely (You are NOT allowed to view the terrorist list! Take that !)
    If you put them there I won't go in!

  55. Have you considered application-level security? by Anonymous Coward · · Score: 0

    From how you describe the app, I'm not sure that a windows login-logout really matches what you need. Does each person really need all their apps bounced, environment reset, etc.?

    If it's a warehouse kiosk, I'll guess that it's going to be constantly running "Inventory Master 9.51" or something like that, and not used for general office computing. Does whatever bit of software you're running have screen lock/unlock with logging built in? If the software is homebrew, can you add that? You'll get much quicker responses with that than a full login/logout. Also, if the app is doing this itself, figuring out what happened from the log files will be a lot easier than if you have to correlate Windows event logs with application data logs.

    If the answer is yes, you're probably a lot better off going with that. Now, all you have to do is find a way to tie it to something besides the keyboard. I'll make another guess, that since this is a warehouse machine, it already has a bar code reader. Most of those readers can be configured to send the barcode as keystrokes, just as if the corresponding digits were typed in at the keyboard.

    With that, just assign your users long random digit sequences as login names and passwords. Give each one a card with a barcode of those digits. As long as the app's user management does what you need, you're done.
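
    The barcode-badge scheme in the post above, with the per-badge revocation and event log the original question asked for and the consecutive-failure lockout debated earlier in the thread, as an added Python sketch; it is not code from the thread or from any product, and the badge lengths, the failure limit and the keyboard-wedge line ending are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ID_DIGITS = 8        # random "login name" printed in the barcode (assumed length)
SECRET_DIGITS = 16   # random "password" printed in the barcode (assumed length)
MAX_FAILURES = 5     # consecutive bad scans before a badge is suspended (assumed)


def _random_digits(n: int) -> str:
    """Digit string from the OS CSPRNG; never use random.random() for credentials."""
    return "".join(secrets.choice("0123456789") for _ in range(n))


def _digest(secret: str, salt: bytes) -> bytes:
    """Slow salted hash, so a copied badge table does not hand out the secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Badge:
    user: str
    salt: bytes
    digest: bytes
    enabled: bool = True
    failures: int = 0


@dataclass
class Kiosk:
    """Lock state of one shared terminal, owned by the application, not Windows."""
    clock: Callable[[], float] = time.time
    badges: Dict[str, Badge] = field(default_factory=dict)
    events: List[Tuple[float, str, Optional[str], Optional[str]]] = field(default_factory=list)
    current_user: Optional[str] = None
    current_badge: Optional[str] = None

    def issue_badge(self, user: str) -> str:
        """Enrol a user; returns the digits to print as that user's barcode."""
        badge_id = _random_digits(ID_DIGITS)
        while badge_id in self.badges:          # vanishingly rare collision
            badge_id = _random_digits(ID_DIGITS)
        secret = _random_digits(SECRET_DIGITS)
        salt = secrets.token_bytes(16)
        self.badges[badge_id] = Badge(user, salt, _digest(secret, salt))
        return badge_id + secret

    def disable_badge(self, badge_id: str) -> None:
        """Lost or stolen card: refuse it from now on; nobody else is affected."""
        badge = self.badges.get(badge_id)
        if badge is not None:
            badge.enabled = False
        if self.current_badge == badge_id:
            self.lock()

    def lock(self) -> None:
        """Explicit lock: a big LOGOUT button or an idle timer in the app."""
        if self.current_user is not None:
            self._log("lock", self.current_badge, self.current_user)
        self.current_user = self.current_badge = None

    def scan(self, raw: str) -> str:
        """Handle one line exactly as a keyboard-wedge reader types it."""
        code = raw.rstrip("\r\n")              # readers usually append Enter
        if len(code) != ID_DIGITS + SECRET_DIGITS or not code.isdigit():
            self._log("denied_malformed")
            return "denied"
        badge_id, secret = code[:ID_DIGITS], code[ID_DIGITS:]
        badge = self.badges.get(badge_id)
        if badge is None:
            self._log("denied_unknown", badge_id)
            return "denied"
        if not badge.enabled:
            self._log("denied_disabled", badge_id, badge.user)
            return "denied"
        if not hmac.compare_digest(_digest(secret, badge.salt), badge.digest):
            badge.failures += 1
            if badge.failures >= MAX_FAILURES:  # card is suspended, not the user
                badge.enabled = False
                self._log("suspended", badge_id, badge.user)
            else:
                self._log("denied_bad_secret", badge_id, badge.user)
            return "denied"
        badge.failures = 0
        if self.current_badge == badge_id:      # same card scanned again: lock
            self.lock()
            return "locked"
        self.lock()                             # another user was active: switch
        self.current_user, self.current_badge = badge.user, badge_id
        self._log("unlock", badge_id, badge.user)
        return "unlocked"

    def _log(self, event: str, badge_id: Optional[str] = None,
             user: Optional[str] = None) -> None:
        self.events.append((self.clock(), event, badge_id, user))
```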

  56. Revocation by Gothmolly · · Score: 1

    How do you revoke someone's fingerprint? Issue them a new one in case of identity fraud? Token + PW is the best way: something you have and something you know, proves that you are you.

    My favorite quote on this was from a StarTrek:TNG, when someone locks himself into a room with Data and pulls a gun on him. Data's response: "I assume that handprint scanner will open the door whether you are conscious or not."

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Revocation by binaryspiral · · Score: 1

      How do you revoke someone's fingerprint? Issue them a new one in case of identity fraud? Token + PW is the best way: something you have and something you know, proves that you are you.

      Tried and true. I was skeptical of the SecurID fob I was given at my current job... but now I see how secure it is and yet still allows me to have the access I need without jumping through a bunch of crap to get there.

      Same door, new key every 30 seconds. Combined with a private PIN number, and on some systems a local account (if security is extra tight) - you're really sitting nicely behind a secure system without losing any access.

  57. "Werner Brandes ... by b0s0z0ku · · Score: 1

    my voice is my passport, verify." Two iiiiinnnncccchhhheeesss ppeeeeerrrr sssseeeeccccccccccooonnndddd.....

  58. Big Blue has you covered by The+Last+Gunslinger · · Score: 1

    Enterprise Single Sign-On is what you're after. It's long been the holy grail of enterprise security vendors, and it's still not quite perfect...but the Tivoli solution's Kiosk Adapter integrates with extended authentication mechanisms from many vendors (smartcards, biometrics, etc), doesn't require a GINA replacement, and provides fast user switching in domain environments. You can also define session lockout and shutdown behavior on a per-application basis.


    Disclaimer: Yes, I work for IBM/Tivoli...take that as you will. While that means I know what our solutions are capable of, it also means I have an interest in their success. But I'm an SE, so don't ask me about costs... ;)

  59. Does your computer have F8? Then you're not SAFE!! by AmigaHeretic · · Score: 1

    Have you seen the "new" laptops with built in Fingerprint scanners?

    You have? Good. First let us talk about "Windows Security" and the F8 key.

    Ok, you find a computer and you want to check out the user's pr0n to see if it's worth copying on to your thumbdrive. But, DRAT!, there is a password. Not to worry! Turn off the computer and turn it back on, start tapping F8 and go to safemode... What's this, a new user shows up called "Administrator"?? Let's go in there. Look, no password on this account because 99.9% of Windows users don't know it exists. Control Panel, User Accounts, what, I can remove anybody's password no questions asked? Sweet. Ok, reboot, AHHHHH look at all this pr0n.

    Ok, now lets pretend this is a laptop with finger print scanner. Turn on and oops my finger print doesn't match! Imagine that. Ok restart and hit Mr. F8.

    Yes, Windows is very secure.


    Of course maybe they do have a password on the Administrator account but I do know they probably have a CD-ROM drive. That takes about 30 seconds to remove all the passwords on all the Windows accounts after searching Google for 'NT Password Crack ISO'

    What's real security? I guess use your cell phone as your main computer and never let it leave your sight.

  60. physical authentication on the mac by v1 · · Score: 1

    If you dig around in Mac OS X you will find a complete keycard access system, which supports at least two different systems. You will also find large logos for army, navy, air force, marines, NOAA, coast guard, FBI, and a few other US govt agencies. I assume there is a small pack or kit or something that you run that enables all these dormant features. (if anyone knows how to turn them on please let us know)

    --
    I work for the Department of Redundancy Department.
    1. Re:physical authentication on the mac by Chrononium · · Score: 1

      Merely check out Apple's documentation on this: http://images.apple.com/server/pdfs/Smart_Card_Setup_Guide.pdf

  61. Not why you think... by zerofoo · · Score: 2, Informative

    The reason Microsoft does not recommend using their fingerprint reader to secure business data is that the data stream between Microsoft's reader and the PC is not encrypted. This makes the device vulnerable to a "replay" attack. Even so, a replay attack requires local access to the machine to capture the USB data streams.

    A detailed analysis of this can be found here.

    This security feature was removed due to an agreement between Digital Persona and Microsoft.

    If you want business grade security, you must pay up for the Digital Persona product. Both sets of readers are remarkably resistant to "fake" fingerprints placed on the sensor.
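
    An added Python model of why an unauthenticated reader-to-host stream is replayable and what a nonce-bound channel changes; it is not code from the post, Microsoft or DigitalPersona, the template bytes are constructed, and the per-device key provisioned at enrolment is an assumption.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a matched fingerprint template. Real readers send
# vendor-specific data; nothing here models any particular product.
TEMPLATE = b"minutiae:constructed-sample-template"
DEVICE_KEY = secrets.token_bytes(32)   # assumed: shared by reader and host at enrolment


class ClearReader:
    """Reader that puts the raw template on the bus, as the post describes."""
    def __init__(self, template: bytes) -> None:
        self.template = template

    def read(self) -> bytes:
        return self.template          # exactly what a bus capture would contain


class ClearHost:
    def __init__(self, enrolled: bytes) -> None:
        self.enrolled = enrolled

    def verify(self, msg: bytes) -> bool:
        return hmac.compare_digest(msg, self.enrolled)   # no way to tell old from new


class FreshReader:
    """Reader that binds each reply to a host-chosen nonce with a device key.
    The template itself is still visible on the bus here; hiding it as well
    needs encryption on top of this, which this sketch leaves out."""
    def __init__(self, template: bytes, key: bytes) -> None:
        self.template, self.key = template, key

    def read(self, nonce: bytes) -> tuple:
        tag = hmac.new(self.key, nonce + self.template, hashlib.sha256).digest()
        return nonce, self.template, tag


class FreshHost:
    def __init__(self, enrolled: bytes, key: bytes) -> None:
        self.enrolled, self.key = enrolled, key
        self.outstanding = set()      # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, template: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:     # old or invented nonce: reject
            return False
        self.outstanding.discard(nonce)       # single use, so a capture is worthless
        expected = hmac.new(self.key, nonce + template, hashlib.sha256).digest()
        return (hmac.compare_digest(tag, expected)
                and hmac.compare_digest(template, self.enrolled))


def replay_beats_clear_channel() -> bool:
    """One captured read unlocks the clear channel again later."""
    reader, host = ClearReader(TEMPLATE), ClearHost(TEMPLATE)
    captured = reader.read()          # recorded during a genuine session
    assert host.verify(captured)      # the genuine session
    return host.verify(captured)      # the replay looks identical


def replay_beats_fresh_channel() -> bool:
    """The same capture against the nonce-bound channel."""
    reader, host = FreshReader(TEMPLATE, DEVICE_KEY), FreshHost(TEMPLATE, DEVICE_KEY)
    captured = reader.read(host.challenge())
    assert host.verify(*captured)     # genuine session consumes the nonce
    return host.verify(*captured)     # replay: nonce already used


def fresh_channel_accepts_live_read() -> bool:
    reader, host = FreshReader(TEMPLATE, DEVICE_KEY), FreshHost(TEMPLATE, DEVICE_KEY)
    return host.verify(*reader.read(host.challenge()))


def fresh_channel_rejects_forged_tag() -> bool:
    """Without the device key a fresh challenge cannot be answered."""
    host = FreshHost(TEMPLATE, DEVICE_KEY)
    nonce = host.challenge()
    forged = hmac.new(b"guess", nonce + TEMPLATE, hashlib.sha256).digest()
    return host.verify(nonce, TEMPLATE, forged)
```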

  62. Virtualization and VNC... by darkgemini · · Score: 1

    Virtualize enough Windows workstations for each user account, running a VNC server. Each real workstation is actually a dumb terminal (or locked down Windows desktop) with only a VNC client loaded. Instead of having to wait on logon/logoff, they merely connect to their own session via VNC. Quick, easy, cheap... and user authentication becomes trivial.

  63. At my work.. by Anonymous Coward · · Score: 0

    ..we use something you describe on a SMT assembly line. A generic network login is used on each PC (SMT-1, SMT-2) and users have a unique login for the application. A swipe card is used to access the application.
    The generic network login takes away the long process of network login/logout and users do not require an individual network login if they are only using one application.
    My keytag doesn't open the door to the factory anymore so I can't go see what the application is called. It interfaces with Syteline 7 to pull material shortages reports etc.

  64. overkill? by greginterrupted · · Score: 3, Insightful

    "The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy."

    Sounds like this guy needs a quick system for employees to check some info. It DOESN'T sound like the submitter is working in a nuclear plant, a bank vault, or any other highly secure facility.

    Check http://www.snapfiles.com/get/naturallogin.html/ out. It's a shareware program ($30 to buy) that uses USB flash drives and inserting them into a USB port automatically logs them into the windows system. Sounds like it will work with the existing windows login scheme.

    Retina scanning, RSA keys, and fingerprinting sound cool, but they're probably overkill, and overly expensive. They have their place; but I'm inferring that the submitter doesn't need to be THAT secure.

    I worked at Lowe's (the home improvement warehouse) and we had to make shelf tags, check stock for customers, order products for customers, run registers, and clock in/clock out. We did it all with one system with an employee number and social security for password. It would have been easier and cooler if I didn't have to give out my SSN every time I checked stock on an item for a customer.

  65. If you get leukemia you're locked out. by Anonymous Coward · · Score: 0

    DNA sequences change eventually.

  66. Softex Omnipass by gripen40k · · Score: 1

    I use it on my tablet. It replaces the windows login with a little app that makes you swipe your finger and logs in for you. They have a corporate version too, it might be what you are looking for. Check it out, works great for me :) Apparently it supports all sorts of identification too.

    --
    Har?
  67. id-Confirm by Anonymous Coward · · Score: 0

    Directly off the website @ http://www.id-confirm.com/products.html The company's id-Confirm SecureLink System, provides a foolproof, privacy-sensitive way for business, government and private citizens to prevent identity theft and financial fraud with technology that is ready-to-use and simple to deploy. The system provides the industry's highest level of security using multi-factor authentication deployed in a handheld device that's half the size of a small cell phone. The patent-pending id-Confirm SecureLink System includes all the software, hardware and services required for immediate deployment in an integrated, end-to-end solution. Launched in April 2006, the id-Confirm SecureLink System is a portable, end-to-end, wireless biometric solution to fraud and identity theft, offering the ultimate in high-tech security at the touch of a finger.

  68. BEST SYSTEM EVER! by jftitan · · Score: 1

    Is the one that uses the telephone book(yellow pages) to authenticate that you are actually standing in front of the machine. You see, this system would randomly pick a name out of the phone book (most common was John Smith) and you had to enter the correct telephone number to gain access to the system.

    Fortunately the yellow pages would be next to the keyboard for easy reference. I just don't know why people couldn't put in the correct phone number. The failed access log would be full in a matter of minutes. We also lost a lot of telephone books too.

    --
    "Don't Forget to Salt the Fries"
  69. Passwords by ghuntington · · Score: 2, Interesting

    I've deployed many different types of authentication. Before you get too involved selecting technology, here is what you need to do:
    1. Do a risk analysis: Categorize your risk to high, medium and low using business risk, security risk and information risk
    2. In an enterprise setting, you then need to deploy some type of single sign on package. In the package you then need to create a set of authentication strengths. Things like passwords and proximity badges are for low risk applications (the reason being they are easily bypassed, thwarted, obtained through fraudulent means etc). For medium risk you should then use something like a uid/password coupled with a digital certificate or SecurID token. For high risk, you should use something like a biometric plus a digital cert plus a uid/password.
    3. Even with these methods, your enterprise security can be broken. Therefore, in order to protect your enterprise crown jewels, you should also deploy something called transaction authentication. Even if you log on using the strong authentication successfully, the transaction authentication software checks the hardware configuration of your computer, the ip address, your geolocation, time of day and historical user profile to validate that you are who you are purporting to be.

    In your warehouse, a proximity badge will perform best. Users just have to be in close proximity to the reader. HOWEVER, be warned that this is not a secure level of authentication since the badge can be carried by someone other than the person you issued it to. Therefore, for those applications in the warehouse that are higher risk, you should try and segregate them to stronger authentication.

    Another choice in a warehouse scenario is to use voice authentication. This can be relatively cheaply deployed. It has some good performance specs relative to biometric authentication.

    On my website, www.authenticationworld.com, I have referenced the performance of different biometrics.

    Be warned however that the use of biometrics has drawbacks:
    1. Some of them can be fudged depending on the technology you purchase
    2. There are a lot of false positives with some of the biometrics
    3. They can be expensive to deploy.

    I have lots of resources on different authentication mechanisms on my website as well as a blog on authentication.
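
    The tiered authentication strengths and the transaction-authentication checks from this post, as an added Python sketch that is not the poster's or any product's code; the factor labels, the slot table, the sample profile and the step-up rule are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set

# Each tier is a list of slots; every slot must be filled by a distinct factor
# from its set. Tiers follow the post: a weak single factor for low risk,
# password plus certificate or token for medium, biometric plus certificate
# plus password for high. Factor names are my own labels.
REQUIRED = {
    "low":    [{"password", "proximity_badge"}],
    "medium": [{"password"}, {"certificate", "otp_token"}],
    "high":   [{"password"}, {"certificate"}, {"biometric"}],
}


def factors_sufficient(tier: str, presented: Set[str]) -> bool:
    """True if the presented factors fill every slot of the tier."""
    remaining = set(presented)
    for slot in REQUIRED[tier]:
        usable = slot & remaining
        if not usable:
            return False
        remaining.discard(min(usable))   # slots are disjoint, so greedy is exact
    return True


@dataclass
class Profile:
    """Historical user profile the transaction check compares against."""
    known_hardware: Set[str]     # hardware configuration fingerprints seen before
    home_networks: List[str]     # CIDR blocks the user normally comes from
    usual_hours: range           # local hours of the day, e.g. range(6, 22)
    country: str


@dataclass
class Transaction:
    hardware_id: str
    ip: str
    hour: int
    country: str


def transaction_anomalies(profile: Profile, tx: Transaction) -> List[str]:
    """Context signals the post lists: hardware, IP, time of day, geolocation."""
    anomalies = []
    if tx.hardware_id not in profile.known_hardware:
        anomalies.append("unknown_hardware")
    addr = ipaddress.ip_address(tx.ip)
    if not any(addr in ipaddress.ip_network(net) for net in profile.home_networks):
        anomalies.append("unusual_network")
    if tx.hour not in profile.usual_hours:
        anomalies.append("unusual_hour")
    if tx.country != profile.country:
        anomalies.append("geolocation_mismatch")
    return anomalies


def decide(tier: str, presented: Set[str], profile: Profile, tx: Transaction) -> str:
    """'deny' (factors too weak for the tier), 'allow', or 'step_up'
    (authenticated, but the context calls for a stronger factor)."""
    if not factors_sufficient(tier, presented):
        return "deny"
    anomalies = transaction_anomalies(profile, tx)
    if not anomalies:
        return "allow"
    # Assumed policy: low-risk work tolerates a single non-location anomaly
    # (a newly installed kiosk on the warehouse LAN); anything else steps up.
    if tier == "low" and anomalies in (["unknown_hardware"], ["unusual_hour"]):
        return "allow"
    return "step_up"
```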

  70. Multifactor Logon for Windows by Anonymous Coward · · Score: 0

    Try Dekart Logon for Windows.
    • It supports any BioAPI or HA API compliant biometric scanner
    • It is compatible with Active Directory and Novell eDirectory
    • You can use multiple cards to logon to the same PC
    • You can define what happens when an event occurs (ex: lock workstation on card removal)
    • It can also use USB disks instead of smart cards or tokens, if you need a cheaper solution, though a USB flash drive is obviously less secure than a card

    There are many other features, so you'll probably be interested in giving it a try. I suggest you try to obtain the latest beta, rather than the current release; one of the features it offers is a reminder which prevents users from forgetting their keys.

  71. Blackberry? by Tyr_7BE · · Score: 1

    Have you tried this little gem? RIM makes a BlackBerry smartcard reader. Basically unlocks your PC when you get near it, locks when you leave. Just carry the little smartcard-sized device on your belt / in your pocket.

  72. Single Sign On by Anonymous Coward · · Score: 0

    I've been testing and evaluating Digital Persona biometric readers for single sign on and am now leaning towards Passlogix vGO SSO. Check them out!

  73. Re:I use a similar sysem by Anonymous Coward · · Score: 0

    (Holy shit, I just made my first "Your Mom!" joke)

    No you didn't. Jokes are funny.
  74. yikes by WeeBit · · Score: 1

    Somewhere on the Internet I read an article on fingerprints being used in place of the password. Oh sheesh. They said we would have people missing fingers because some jerks would be after important data etc. I can see it now... A conversation of sorts of some poor soul telling his Security department they have to change security strategies because he only has three fingers left!

  75. I give biometrics the finger by dbIII · · Score: 1

    do not want to remember a password or passphrase or carry some sort of key

    See...I have a password for AD. A password for bloomberg. One for ... And you think it's because *I* am lazy that I bought digital persona pro and saved all my passwords?

    No - you have some kind of key. I get into work with a physical key - if that is stolen the thief still needs an alarm code. With your device you need both it and the number or password to activate it to get to all the other passwords - a thief can't just use it. With purely biometric authentication for the lazy a thief can get my password from my cold dead hand or a fingerprint left behind somewhere. If it is a combination of things it may as well be a swipe card and a number or password instead of a fingerprint and a password. I really do not want to work in a job where I have to enter the premises naked - so a swipe card or physical key of some kind is not a big issue.

  76. Abstract threats too noble to neglect by vtcodger · · Score: 1

    ***Yes, my guard stood hard when abstract threats
    Too noble to neglect
    Deceived me into thinking
    I had something to protect*** Bob Dylan, "My Back Pages."

    ANY form of security is a pain in the ass. Given that hardly anything in this industry works quite right, it's a safe bet that anything new or complicated has a high probability of being a bundle of grief. I wouldn't go near biometrics unless you have some really stringent and unusual requirements ... but that's just me. Most IT people are less pain-averse and seem to enjoy beating themselves up. (What could possibly go wrong with biometrics? How about the stupid hardware only recognizes your boss on alternate Tuesdays? Or some days, it doesn't recognize YOU? The possibilities for embarrassing/annoying problems are just about boundless. -- maybe you better keep manual login around as an alternative.)

    So, the first question is -- Do you really have anything to protect? And is protecting it going to be cost effective?

    If the answer is yes, I suppose you might be able to do something not too painful with USB flash memory. Put the user's ID data and software that enables whatever the hell it is that you want to do on the flash drive. Employee wants to use the machine. He or she plugs the flash drive in. Have the employees lock their flash drives up when they leave the building so you don't have hundreds of them lost. You can probably make that work -- even under Windows. But it probably will not be especially easy nor especially cheap and will have hidden costs. It'd probably have fewer of the latter under Linux.

    I suppose you might also be able to automatically log Windows on to one general user on boot and bring up a shell that had its own primitive (but fast) login logic to give users access to whatever the heck it is that they need access to.

    BTW, if you can back off to Windows 9 and can use an old version of Netware for the server, multi user will be pretty much broken. Nothing fancy will work, but your users may be able to login in a not too painful amount of time and you'll be able to use Netware access controls to determine which files they can access and alter.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  77. Fingerprint scanning by SlovakWakko · · Score: 1

    I use an IBM T60 with built-in fingerprint scanner (the swipe-your-finger type), and it works just fine, I can login in one second, no need to type anything. I imagine that these things can also be attached to standard desktop PCs. For fast logout, just place a big "LOGOUT" icon on the desktop, and have it start the logout command (I forgot what to type, but there is something like this). Windows can log anything in its Event Log, login/logout too. The only downside is that the user has to register his/her fingerprints in the system, and he/she actually has to have a little patience to learn how to swipe the finger properly (maybe other types of scanners are more foolproof, but the one I know is a bit picky about the way you place and drag your finger).

  78. touchscreen monitor by Anonymous Coward · · Score: 0

    touching certain points on a touchscreen in sequence
    or what not to login to a computer.

  79. A point often missed by Grismar · · Score: 3, Insightful

    A point a lot of people seem to miss in any discussion of authorization is the nature of a password: it requires you to actively remember it (provided you don't write it down or something similar to degrade its security). If you are not around to remember it or unable to consciously do so, the lock stays shut.

    Using biometrics might still require some action on your part (put the thumb on the reader, look into the reader, etc.) but the password is always the same. You may be unaware of what it is being used for -exactly-. This risk is non-existent with passwords, if you pick your passwords carefully. You have to consciously select the password you memorized for this particular application and if you do it well, the password won't unlock anything else.

    I'm not saying passwords are the end-all of security, but they do have this aspect whereas most other solutions that are being considered because of their increased safety in terms of creating copies or simply 'cracking the code' don't.

  80. Re:Don't trust signatures either by AYeomans · · Score: 1

    Virtually impossible? Had a sales call to demonstrate PDA security using a signature. The sales guy signed the screen and it unlocked. I had been studying how fast he did it, so when he passed it to me, I used roughly the same timings. And it unlocked. End of demo.

    It's actually easier to observe signature timings than it is to shoulder-surf typing a password.

    The simple problem is that with many biometric technologies, if you turn the false negative level so it rarely stops *you* logging in correctly, it's not too difficult for an attacker to also log in, without taking too many goes.

    --
    Andrew Yeomans
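
    The trade-off AYeomans describes above, turning the false reject rate down until the false accept rate becomes usable by an attacker, can be measured before a reader is deployed. The following is an added example (not code from the thread or from any product named in it) that computes the false accept rate (FAR) and false reject rate (FRR) of a score threshold over two constructed sets of match scores, finds the threshold where the two rates are equal, and converts FAR into the expected number of tries an impostor needs. The score lists, function names and the 0..1 score scale are all constructed for this illustration.

```python
"""Added example, not from the thread: how a verification threshold trades the
false reject rate (FRR, the legitimate user is refused) against the false accept
rate (FAR, someone else is let in). The match scores below are constructed for
illustration; a real evaluation would use scores collected from the actual reader.
"""
from typing import List, Optional, Tuple

# Constructed similarity scores in [0, 1]: higher means "looks more like the
# enrolled template". GENUINE are ten attempts by the enrolled user, IMPOSTOR
# are ten attempts by other people.
GENUINE: List[float] = [0.92, 0.88, 0.75, 0.81, 0.95, 0.67, 0.79, 0.84, 0.58, 0.90]
IMPOSTOR: List[float] = [0.12, 0.33, 0.51, 0.27, 0.44, 0.62, 0.19, 0.38, 0.71, 0.25]


def rates(threshold: float,
          genuine: List[float] = GENUINE,
          impostor: List[float] = IMPOSTOR) -> Tuple[float, float]:
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(steps: int = 20) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds 0, 1/steps, ..., 1."""
    return [(i / steps, *rates(i / steps)) for i in range(steps + 1)]


def equal_error_point(steps: int = 20) -> Tuple[float, float, float]:
    """The sampled threshold where FAR and FRR are closest (the equal error rate)."""
    return min(sweep(steps), key=lambda row: abs(row[1] - row[2]))


def expected_impostor_attempts(threshold: float) -> Optional[float]:
    """Mean number of tries an impostor needs before one is accepted (None if FAR is 0)."""
    far, _ = rates(threshold)
    return None if far == 0 else 1.0 / far


if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
    print("EER point:", equal_error_point())
    print("tries at 0.55:", expected_impostor_attempts(0.55))
```

    With these constructed scores, a threshold of 0.55 never rejects the enrolled user but lets an impostor in on one try in five, while 0.8 shuts impostors out at the cost of rejecting the real user 40% of the time; the tuning knob the post complains about is exactly this threshold, and the equal-error point is the usual single figure used to compare readers.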
  81. Re:Why not ID badges? Credit cards by AYeomans · · Score: 2, Interesting

    Get people to use their own credit cards in a swipe reader (or smartcard reader for those not in USA!). All the system needs is a unique number, it doesn't need to process that number. (Details - store an irreversible crypto hash of the card data.)

    Don't know many people who would respond to "Hey Joe, I need your credit card?"

    --
    Andrew Yeomans
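
    The "store an irreversible crypto hash of the card data" approach above, combined with the original question's requirements (many keys per shared machine, an event log of who unlocked what and when, and the ability to disable a lost key), as an added example that is not code from the thread or from any product it names. The registry, the kiosk names, the badge serial and the well-known test card number are all constructed. One design choice worth noting: it uses a keyed HMAC under a server-side key rather than a bare hash, because card numbers and badge serials carry little entropy and an unkeyed hash table could be brute-forced offline.

```python
"""Added example, not from the thread: a registry for "thing you have" tokens
(a swipe card, a badge, or, as the post suggests, a personal credit card) for a
shared kiosk. Only a keyed hash of each card's identifier is stored, every
token maps to one user, a token can be disabled on loss, and each unlock/lock
attempt is logged. All names and sample identifiers here are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Optional


class BadgeRegistry:
    def __init__(self, server_key: bytes) -> None:
        # The key stays on the server that answers the kiosks; without it a
        # copy of the token table cannot be turned back into card numbers.
        self._key = server_key
        self._tokens: Dict[str, Dict] = {}      # digest -> {"user": ..., "active": ...}
        self._events: List[Dict] = []           # stand-in for the Windows Event Log

    def _digest(self, raw_id: str) -> str:
        # HMAC rather than a bare hash: card numbers and badge serials have
        # little entropy, so an unkeyed SHA-256 could be brute-forced offline.
        return hmac.new(self._key, raw_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def enroll(self, raw_id: str, user: str) -> None:
        """Register a card for a user. The raw identifier is discarded after hashing."""
        self._tokens[self._digest(raw_id)] = {"user": user, "active": True}

    def revoke(self, user: str) -> int:
        """Disable every card enrolled for `user` (lost or stolen). Returns how many."""
        count = 0
        for entry in self._tokens.values():
            if entry["user"] == user and entry["active"]:
                entry["active"] = False
                count += 1
        return count

    def _log(self, kiosk: str, action: str, user: Optional[str], ok: bool) -> None:
        self._events.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "kiosk": kiosk, "action": action, "user": user, "ok": ok,
        })

    def _lookup(self, raw_id: str, kiosk: str, action: str) -> Optional[str]:
        entry = self._tokens.get(self._digest(raw_id))
        if entry is None:                       # unknown card
            self._log(kiosk, action, None, False)
            return None
        if not entry["active"]:                 # revoked card: log who it belonged to
            self._log(kiosk, action, entry["user"], False)
            return None
        self._log(kiosk, action, entry["user"], True)
        return entry["user"]

    def unlock(self, raw_id: str, kiosk: str) -> Optional[str]:
        """Return the user to log in on `kiosk`, or None if the card is unknown or disabled."""
        return self._lookup(raw_id, kiosk, "unlock")

    def lock(self, raw_id: str, kiosk: str) -> Optional[str]:
        """Record that the holder of this card locked `kiosk`."""
        return self._lookup(raw_id, kiosk, "lock")

    def events(self, user: Optional[str] = None) -> List[Dict]:
        """The audit trail, optionally filtered to one user."""
        return [e for e in self._events if user is None or e["user"] == user]


def demo() -> List[Dict]:
    """Constructed walk-through: enroll two cards, use one, lose it, revoke it."""
    reg = BadgeRegistry(b"constructed-server-key-keep-off-the-kiosk")
    reg.enroll("4111111111111111", "joe")       # well-known test card number
    reg.enroll("BADGE-000273", "ann")           # constructed badge serial
    reg.unlock("4111111111111111", "kiosk-07")  # joe signs in
    reg.lock("4111111111111111", "kiosk-07")    # joe signs out
    reg.revoke("joe")                           # joe reports the card lost
    reg.unlock("4111111111111111", "kiosk-07")  # the found card no longer works
    reg.unlock("BADGE-000273", "kiosk-07")      # ann is unaffected
    return reg.events()


if __name__ == "__main__":
    for event in demo():
        print(event)
```

    In a real deployment the registry would answer the kiosks from the domain side and the event list would be written to the Windows Event Log; what the example shows is that none of the four requirements in the original question needs the raw card data to be kept anywhere.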
  82. If you only had a Windows key ;-) by cheros · · Score: 1

    It was my main gripe about Thinkpads, no Windows key. Normally all you need to do is +L and the screen locks in XP..

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  83. How about pass-algorithms? by ches · · Score: 1

    One-time passwords fix a lot of the problems with simple passwords, but generally require hardware or printouts.

    People have toyed with pass-algorithms, where the response to a challenge is computed by a human without assistance. I have written a half-baked proposal to obfuscate these challenges and responses using some of the techniques used in baseball signals. See

    http://www.cheswick.com/ches/papers/auth.pdf

    Perhaps you can figure out how to make this idea workable.

    ches
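
    The one-time passwords that ches's post starts from, as an added example that is not code from the post or from the linked paper: an implementation of the counter-based scheme in RFC 4226 (HOTP), which is what the hardware tokens and printout lists he mentions produce, plus a small server-side verifier that tolerates a few unused codes and rejects replays. The hotp function follows the RFC; the HotpVerifier class, its look-ahead window and the use of the RFC's published test key are this example's own choices.

```python
"""Added example, not from the post: a one-time password per RFC 4226 (HOTP),
the event-based scheme hardware tokens and printed code lists use. Each code
is derived from a shared secret and a counter, so a code observed over the
shoulder is worthless once it has been used. The HotpVerifier class and its
look-ahead window are this example's; the key in __main__ is the RFC's test key.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side: tracks the last counter used and tolerates a few skipped codes."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0            # next counter value we expect
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for step in range(self.look_ahead + 1):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                # Move past the used counter: this code and every earlier one
                # are now rejected, which is what defeats replay.
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test vector key
    for c in range(3):
        print(c, hotp(secret, c))
```

    The look-ahead window is the usual compromise between a user who pressed the token button a few times without logging in and an attacker who could otherwise guess freely; keep it small, and note that the verifier only advances, so a code skipped over is lost rather than left valid.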

  84. I used to use a smart-card by davecb · · Score: 1

    In a previous life, I had a smart-card for a badge, which I shoved in a sunray x-terminal or a laptop as the "thing I had", and typed a password as the "thing I knew", after which I got my current session back.

    If I needed to go somewhere else, I unplugged the card and my session was saved. When I got there, I plugged back in again, typed my password to the screen-saver and picked up exactly where I left off.

    I was very pleased with this scheme: it saved me hours of frustration with AD kludgery and the string of crypto-keyfobs I now have to cart around.

    --dave

    --
    davecb@spamcop.net
  85. PAM by sarathmenon · · Score: 1

    Sun had some good sense when they made it, it's been the industry standard for all these years and I hear that RSA has pam modules for all their security devices. Sigh, when will Microsoft get to this fact that using standards might actually help the customers?

    --
    Microsoft: "You've got questions. We've got dancing paperclips."
  86. Can't use smartcards for doors by bigtrike · · Score: 1

    If you have to stick it in a socket, it doesn't meet ADA requirements. RFID cards are fine, but most of them are much less secure than something like a chipcard.

  87. Disabling Digital Persona encryption by Anonymous Coward · · Score: 0

    Actually, the Digital Persona's Encryption can be bypassed by switching a single bit, so no need to hack the encryption method itself:

    http://www.reactivated.net/weblog/archives/2006/01 /breaking-encryption-the-easy-way/

    To change the firmware in windows and make any device insecure, just reverse the bit data and set the byte to 0. The below makes the 'insecure' device 'secure'

    if starting from scratch.
    1 - unzip MS software. (DP_PM_xxxxx, avail from Microsoft).
    2 - in *driver*, modify the *dpD0Bx01.dll* file (should be around 80kb) in a hex editor.
    3 - modify bit at 0xE9B7 from a 0 to a 1. save it.
    4- plug your MSFR in, and it should ask for drivers. point it to the stuff you unzipped/modified.

    if you already have it installed.
    1 - unplug your MSFP.
    2 - goto windows/system32/
    3 - modify the *dpD0Bx01.dll* file (should be around 80kb) in a hex editor.
    4 - modify bit at 0xE9B7 from a 0 to a 1. save it.
    5 - plug the MSFP back in.

    NOTE: Once you flip that one bit, the MS software will NOT work anymore. You can use GrFinger to verify that the image from the fingerprint reader is now encrypted. (before - fingerprint is visible; after - fingerprint is "noise")

  88. MyPW authentication registry using One Time PW's by albert999 · · Score: 1

    Found MyPW ( http://www.mypw.com/ ) a couple of weeks ago; they offer a way to use One Time Password tokens for only a buck a month per user via a simple API that I got working in an hour.

  89. Face Recognition as a Login Method Replacement by Anonymous Coward · · Score: 0

    I worked for a small biometric company that focused on using face recognition to replace the standard username/password login method on Windows.

    We wrote everything ourselves - the core face recognition code, the GINA replacement and login method, we even created our own camera. It worked, too, in that it would actually capture an image, compare it to images on file, and if the face recognition algorithm matched the images within a certain tolerance, you were logged in. However, we found that the entire process was VERY susceptible to changes in the ambient light. Although we were able to control all aspects of the camera to capture a decent image, it could take up to 1 to 2 minutes for the whole process to complete in some cases, especially when there was a lot of backlight or frontlight in the image.

  90. Proximity based authentication by redhat421 · · Score: 1
    You might want to consider using a proximity based authentication solution.

    http://www.ensuretech.com/products/demo/demo.html

    I've seen this used in a local hospital, but I'm not sure how it has worked out. The one user I talked to (our nurse) indicated that they really liked the system.

  91. HealthCast might be what you're looking for by ScratchFury · · Score: 1

    My company has been looking for something very much like what you're asking for. We haven't decided on a solution yet, but we saw a video of HealthCast from the RF IDeas website, and it looks like just what we want. Here's an article about it:

    http://www.contactlessnews.com/library/2005/04/28/ colorado-hospital-uses-prox-cards-single-signon-an d-sonar-to-secure-patient-records-and-meet-hipaa/? issue=aHR0cDovL3d3dy5jb250YWN0bGVzc25ld3MuY29tL2xp YnJhcnkvMjAwNS8wNS8wMi9jb250YWN0bGVzc25ld3MtZW1hZ2 F6aW5

    You might check on some hospital technology sites, as many seem to have good solutions to these issues.

  92. The problem is Windows by raddan · · Score: 1

    Good alternatives to password authentication have been around in the UNIX world for a long time. You can use certificates, keys, one-time-passwords, and so on. Since no one is trying to lock you in to a particular solution, you can often mix and match them to suit your particular needs.

    I've been using ssh keys quite successfully, and we're currently implementing a VPN setup using authpf. We're using ssh keys + passwords for this. If a machine is stolen, it's not a big deal. The thief has the key but not the password. Passwords are useless unless you have the key. So authentication is essentially tied to a machine and a user in this case. It's not foolproof, but it works well enough for our needs.

    You might want to consider running your Windows apps within a virtualization environment, so that you can take advantage of some of the existing authentication solutions out there for other host OSes. Can't do Fast User Switching on a Windows box? Not a problem. Just switch between VMs. Don't know if this would be as fast as you want, but if you're smart enough, it'll be a lot cheaper.

  93. Good Biometrics by Anonymous Coward · · Score: 0
    I can't attest to the stability or effectiveness of the complete solution (as we haven't implemented yet), but we are looking at Fujitsu's palm vein technology. It has the following benefits:

    1. Since it scans a map of the numerous veins *inside* your hand, it is difficult, if not impossible, to fool with many of the techniques commonly used for weak fingerprint scanners.

    2. The public doesn't seem to have the stigma associated with fingerprint scanning with biometrics. People associate fingerprints with privacy invasion and "big brother" but they don't seem to realize that newer biometric technologies (retinal scans, veins, etc.) are effectively the exact same thing.

    I should have posted in the proper thread, but I'm lazy--to the person that suggested that a compromise of your biometric information is permanent, please review how biometric authentication technologies work. Unless you have my finger, compromising one database hash of my finger isn't going to do you a damn bit of good anywhere else, unless you happen to find another application that uses the exact same encryption algorithms, and even then the software would have to be really crappy to allow use of a pre-existing software hash, and not input directly from the associated biometric device.

  94. What are your criteria? by mjcecil · · Score: 1

    It's not clear what you're going to be switching users within. You seem to be hung up on switching a windows user. But, in a kiosk scenario, you are almost certainly switching users within a specific application, which probably ought to have its own notion of user space. User switching in most applications is WAY faster than switching a user logon session at the Windows level. Just as an example, take PeopleSoft, which has its own security structure, but runs as an application (or rather a large set of interconnected applications) on many host operating systems, including Windows. You can switch PeopleSoft users just as quickly as you want because the windows profile has no bearing on the PeopleSoft user.

    So, the question is... what is your reasoning for switching users at a Windows level? Further, if you don't have to do that, what authentication mechanisms does the application you are presenting support (i.e. is it extensible at all?)? Finally, does the application itself have a user profile mechanism that is light enough to switch efficiently?

    --
    Mark J. Cecil -- Senior UNIX Engineer
    New Orleans, Louisiana
    http://notrealswift.blogspot.com
  95. about your tagline (the saga continues) by Bing+Tsher+E · · Score: 1

    Oh, and about your tagline:

    A slashdotter who builds his own computer is, uh... somebody with a Phillips screwdriver who knows how to plug together Taiwanese circuit boards and fit them in a case properly.

    And there is no such thing as a jedi warrior, or a light sabre. Bad thing to compare *anything* from real life to.

    Your core point in the tagline holds, kinda. All kinds of people who've never built a single electronic device from raw parts have this attitude that they're 'hardware whizzes' because they wield a wicked Phillips screwdriver. They probably couldn't simplify a boolean equation into the least number of TTL gates if their life depended on it. They've probably never burned a bit of code they wrote into an EPROM. etc. etc.

    You don't think jedis are real, do you?

    1. Re:about your tagline (the saga continues) by kyouteki · · Score: 1

      -1 Overanalyzed.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  96. Re:Don't trust signatures either by TheNetAvenger · · Score: 1

    Virtually impossible? Had a sales call to demonstrate PDA security using a signature. The sales guy signed the screen and it unlocked. I had been studying how fast he did it, so when he passed it to me, I used roughly the same timings. And it unlocked. End of demo.

    It's actually easier to observe signature timings than it is to shoulder-surf typing a password.


    I think you are comparing Apples and Oranges...

    Using code that computes the pressure, angle and speed of the signature can be very complex. Most of the PDA authentications don't have enough computing power, nor do they even monitor pressure or angle or speed when comparing the signature image. With most PDAs you can literally trace a person's signature and unlock the device even if you are bad at mimicking handwriting, so it is a bad baseline for this type of authentication.

    Go look up all the data that is stored in Ink technologies, there is more to Ink than just the written image it creates. I think you will be surprised how much data is pulled in for Ink (using MS Ink as an example) and how this can be so personal to a person that it is virtually impossible to match their movements, speed, pressure and other aspects that Ink can capture in addition to the final image of the signature.

    I also said virtually, as I don't believe anything is completely fool-proof.

  97. Re:Why not ID badges? Credit cards by radtea · · Score: 1

    Don't know many people who would respond to "Hey Joe, I need your credit card?"

    Given the empirically-known reality of human behaviour it is virtually certain that after a period of acclimatization people would happily give each other their credit cards "for identification purposes only."

    If you're familiar with the early Nielsen studies of television-watching behaviour, you'll recall that people with cameras in their living rooms set to record who was watching TV when (in the 1950's) were sometimes filmed having sex, apparently completely oblivious to the camera because it had been there for a while and therefore faded into the background.

    In a closed work environment where credit cards were being used for ID people would quickly create a cultural ethic where they'd "forget" the risks, because people hate nothing more than inconvenience. And pretty quickly people would also get low-limit cards strictly for the purposes of ID, and never use them, which would trigger credit-watch calls when they were first used.

    From a security point of view, human behaviour can be amazingly perverse.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  98. finger print biometrics... yeah.. by pjr.cc · · Score: 1

    One very large company in Australia I know does use biometric finger prints... the desktops/laptops all have them and you print 2 fingers (in case you lose one? ewww) and can fall-back to passwords.

    It works very well and I'm quite impressed with it myself...

  99. Why not userid\password? by v4vijayakumar · · Score: 1

    I always wondered why it is userid and password in two separate fields? Why not "Userid\password", or "userid+password" or something else in the same field. I don't see any difference between hitting tab and "\", or "+".