Slashdot Mirror
Successful Alternatives To Password Authentication?
DonaldP asks: "Have any of you successfully deployed a key, token, or biometric-based access control for Windows machines to replace (or enhance) the typical login/logout authentication process (even image-recognition schemes would be considered)? I see different stuff out there but short of actually evaluating each one, it's hard to get a good idea of what the scene is like, what is crap and what actually delivers. Does anyone have experience with such systems, or can suggest other suitable solutions?"
"Some existing solutions (smartcards, etc) have their own quirks. Most notably, they trigger a login, or a logout event (plug it in to log in, remove to log out). Frankly, that just takes too long. Access granting needs to be quick and easy, because it will be frequent (and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs). The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy.
A 'Holy Grail' would be something like you see on the point-of-sale terminals in the food industry. Waitrons swipe or wave their card to access the (shared) terminal, quickly punch in or look up what they need, and they're out of there until next time.
The specific technology used (iris scanner, fingerprint scanner, smartcard, keycard, RFID, etc) isn't particularly important. I want to roll out something easier for the floor people to manage than the typical standard username/password authentication method, that provides:
- FAST locking/unlocking the screen (or fast login/logout action).
- Allows multiple 'keys' to be used for one system (many individual users, one computer).
- An event log (or equivalent) to identify which key unlocked/locked the system and when.
- the ability to disable individual keys in the event of loss, theft, etc.
The few products that I have found range from so-so to vapor-seeming. PSL would probably hit all the bases but it looks like vapor. The documentation link isn't there, the FAQ is blank, and the 'Reviews' and 'News' pages are empty. The RF-based one for WirelessDefender seems slick but it doesn't look like the hardware would accommodate multiple users for a single unit." In addition to recommendations and suggestions, if you've tried biometric authentication and have horror stories of stuff that *didn't* work, feel free to share those too, if you would."
A 'Holy Grail' would be something like you see on the point-of-sale terminals in the food industry. Waitrons swipe or wave their card to access the (shared) terminal, quickly punch in or look up what they need, and they're out of there until next time.
The specific technology used (iris scanner, fingerprint scanner, smartcard, keycard, RFID, etc) isn't particularly important. I want to roll out something easier for the floor people to manage than the typical standard username/password authentication method, that provides:
- FAST locking/unlocking the screen (or fast login/logout action).
- Allows multiple 'keys' to be used for one system (many individual users, one computer).
- An event log (or equivalent) to identify which key unlocked/locked the system and when.
- the ability to disable individual keys in the event of loss, theft, etc.
The few products that I have found range from so-so to vapor-seeming. PSL would probably hit all the bases but it looks like vapor. The documentation link isn't there, the FAQ is blank, and the 'Reviews' and 'News' pages are empty. The RF-based one for WirelessDefender seems slick but it doesn't look like the hardware would accommodate multiple users for a single unit." In addition to recommendations and suggestions, if you've tried biometric authentication and have horror stories of stuff that *didn't* work, feel free to share those too, if you would."
Biometric Bacon Authentication.
Indy Media Watch-Proctologist of the Internet
Still anyone with physical access to the system can pull the HDD and have at it later.
I recently looked at this one smart card technology that has an integrated thumb-print reader on the card! It is called the "Super Smart Card", well sure, why not? http://e-smart.com/products_ssc.html
In the early 1980's, I worked for an eingineering company that tried an alternative.
After you entered your username, the logon program would look up your employee payroll records and ask you a random question from them. If you answered correctly, you would get logged on.
Sometimes it was easy. For example, it might ask your street address. You'd have to answer exactly as in the record, but that wasn't too difficult.
Often, the only way you could log in was to have a copy of your employee payroll records in front of you. For example, do you know to the penny how much withholding has been deducted from your pay this year? Or how much your total take home was last year?
The experiment didn't last too long before it went back to username / password.
If you haven't seen the episode of MythBusters with biometrics, it will scare you to death. Finger biometrics, anyway, are easily defeated and for such reason should be avoided without some other shared mechanism. A better approach is to use something like retna recognition which is harder to fake out, or combine finger scanning with something else such as a code that isn't biometric. But at the end of the day, you also have to ask, "How secure does this need to be?" to help weigh your options.
As for login times, you're not going to be able to do much about them. It's simply the nature of Windows and most other login/logoff systems.
Digital Persona's Kiosk fingerprint reader package is exactly what you need.
I deployed the Workstation Pro package at my last job. It works great, and has group policy ADM templates to aid in setup and deployment.
-ted
In order to reduce costs, we put a question like "Are you authorized to view this very confidential information?". In order to curb abuse we also have a sentence that says "We audit all activity.", which is a module I'm currently trying to complete.
We haven't had any issues as far as we are aware.
The problem with fingerprint readers is there has been a lot of junk put out there. Anything that uses an optical sensor is a joke. Most of the capacitive ones are useless as well.
We recently deployed an application using an RF-based fingerprint reader. It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.
The software is very simple and very fast. You can either use their database (encrypted) or your own for storing templates.
We decided that this was the only way to avoid compromising existing user/password security for systems already in place. If we had even the possibility of the same passwords being used, our system would have to be provably at least as secure as whatever they were currently using. A very difficult and wide-open standard to be measured against. Therefore, no passwords at all.
Mythbusters on fingerprint hacking, here thanks to Gootube.
To do list for Windows
and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs
This is true of WindowsXP, but not Vista. There are tricks to make Fast User Switching work in XP, you might want to check into them, although I wouldn't recommend them and would enforce a user policy that would just force the users to log off.(Make sure the policy is not just on the machines, but an employee manual policy as well, so that users log off when they are done.) You might also put in plans for Vista in any planned upgrades for your systems if this is important to your organization to allow the multi-user access method in a domain environment.
Stay away from fingerprint biometric (and variations) for true security, even though they are nice that the user doesn't have to cary a card or device with them. You can easily circumvent them by lifting a fingerprint of the user from a glass for example and using it to gain access to their login.
One technology that holds has a ligh level of security is tablet or signature sign on devices. The user signs their name. This is hard to defeat for most of the advanced devices, as they not only do a recognition of the input, but also compute the stroke pressure, speed, etc. So it makes it virtually impossible even for someone that can copy signatures to circumvent as they don't use the same pressure, speed, angle, etc as the real person. This is using the cool parts of Ink technology in that it is not just the image created, but all the other stored information making the signature very unique.
However, for true security go with a Smart Card solution. It does require the users to carry a card or device with them - look at Cell phones and other devices that are implementing this technology, that way users don't have to carry a card. There is a reason Casinos and Gold Mines use this technology, and if the user loses the card you can easily disable the card from the central domain and replace it with a new card for the user. These devices are also nice in that many non-computer devices use them, and employees can also use the same card for access to doors, phones, and other types of security and access throughout the building. So if you need other levels of access or security later on in your organization the same device can be used for authenication away from the computer.
Do some research and start with the main sites on security. They will have plenty of solutions and suggestions for helping with your login and security. Even go to MS's website and look up smart cards and biometrics since you are using Windows workstations.
Good Luck.
If you don't give us enough details...
I've used SECURID tokens and they work, but they're slower than regular login/logout methods.
Are you trying to lock access to the desktop or is the desktop being used as a dumb terminal to some random application?
If the latter then can you just lock down the desktop and modify the application?
I'm thinking that this is for something like a time card system, where people walk up, sign in/out and walk off. Given that you're saying speed is of the essence then it seems that that is likely. Have you considered a commercial offering? I am sure that most of the vendors have some sort of solution to uniquely identify particular individuals.
Magnetic stripe card containing a private key and a passphrase (pin?) known by the employee would work.
If you need to grant them full access to the windows PC then why are you worrying about security in the first place...:-)
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
We tried a very radical idea. The comittee of naysayers and control freaks tore their hair and banged desks to try and stop us from doing it.
After 6 months I can happily say, it worked, the move is vindicated and the frightened little control freaks had to eat their words
and admit it is pure genius.:)
We removed all our passwords.
Obviously this doesn't suit everyone. We are a smallish organisation with less than 50. The idea that everybody could actually
be trusted inside the organisation was central, as was the fact that most are not very computer minded and basically quite thick
when it comes to remembering passwords. The point being that if anyone inside the organisation could *NOT* be trusted then we were
screwed anyway, passwords or not. The move coincided with a massive revamp of network structure, a very restrictive new
firewall and password free ACL, basically cutting the intranet off from the outside except for a few key workstations that need general WAN access,
everything else is VPN. So now you can just walk up to any console, type your login name and get access. We can still log who does
what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other anybody
can use anybody elses login if the wish. In 6 months I haven't seen anybody do that, because there is no need to. Sunlight is a great disinfectant.
Obviously this would not work in a paranoid organisation where everybody is at each others throats, or it would radically change everything if
you did try it.
Sometimes you have to take a step back to see the wood for the trees.
After you sell your soul to work for us, we require a drop of blood each morning to be able to access the building and then again to access your pc.
its effective, but we have noticed a rise in healthcare costs.
---- Booth was a patriot ----
True. A machine with MS-DOS on it, for instance. doesn't even have the 'hooks' to be networked, without extra binaries being added. And since it's very simple, it's easy to know that there aren't any rogue processes running in the background. Just keep a logic analyzer connected to it's buss and keep an eye on what's going on.
My TRS-80 Model 100 is even MORE secure, as the EPROM or non-volatile memory would have to be hacked for rogue software to be running on it. Or something bad with BASIC.
And my SYM-1 is even better. With only a 6502 processor, and 4K of static RAM, an intruder would have to sneak in, enter his trojan on the hex keypad, and be certain you didn't cycle power before next using the system.
Although the article specifically states that this is a windows solution, I think it's worth noting that sunray works exactly like this. You put the smartcard, your previous desktop session is instantly restored, you do what you want to do, you pull out the card. Your desktop session is preserved and is terminal independent.
As for the lack of windows applications, it is actually possible to do it even on sunrays , although admitedly it is not particularly suitable for the small scale that the article submitter implies.
Anyway, you might take a look at those two links, and if you must absolutely use PCs (sunrays are more suitable for the job the article is outlining), take a look at citrix also. I don't know whether they do smartcards though.
if a computer crashes in a locked room and nobody is around to see it fail, does it have a blue screen.
liqbase
This guy probably has what you are looking for.
His application runs a little on the secure side, but he's got it integrated nicely into ActiveDirectory.
He's a programmer more than a marketing guy, so his site's a little rough around the edges. Cards/Application works beautifully for me though.
http://www.snakecard.com/
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
It has always occurred to me we might as well use our badges to log in since if someone has access to our security badge, they can get into the office anyways and use a USB or a boot CD to get to our hard drives anyways.
I suppose we would then only have to worry about our coworkers stealing our badges to do nefarious stuff as our own so perhaps we could combine it with thumb print scanner and maybe a pin number.
Still, I guess one could beat the password out of the poor worker, steal his badge, and then cut off his thumb... Or maybe kidnap his kid and blackmail him.
Seriously, unless you are working in a government agency, I don't see anymore security you are going to get out of a badge through and a thumb print.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
We use SmartCards on 70,000 Windows XP machines. Smart Card Removal behavior is something you can set. Anything from "do nothing", "lock screen", etc. Anyway, they don't cause a logoff unless you wanted them to.
Be aware that all of the alternate auth systems I have seen so far (including Smart Card) have lots of caveats. Some want to load a custom GINA. Resist this (read: NO, don't load that GINA). Most don't work right for multi-domain scenarios (where you are in domain 1, and want to connect or maybe map a drive to domain 2 which is an untrusted domain).
Anyway, be ready for things like a "self service" site to reset PINs and lots of user training for what to do when their web browser or email client all of a sudden asks for a "user ID and password" and won't accept a token, card, etc.
.. We use colonic mapping. It's a pain when i leave my colon at home though, and i have to borrow my friends just to get into the canteen for a coffee.
God Be Gone
Okay, let's say you get all your biometric info stored somewhere for secure access to something. Inevitably, some site that has your info stored will be hacked (this will always happen), and your biometric information is now out there in the wild. Enterprising hacker can then submit *that* biometric info to sites AS YOU to gain access.
How is this different from passwords, you say?
You can change your damned compromised passwords! Once your biometric info gets out there, you're compromised for LIFE.
My advice is to avoid all instances of biometric 'security'. Forever.
Back then I was switching floppies between physical Drive A and virtual Drive B to save data.
> Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems. ... which is only secure until I insert my USB key to .
Sure, it'd be a matter of
1) virus on removable media (1) infects "secure" machine
2) virus infects next removable media (2) with random text from secure machine as payload (along with itself)
3) virus infects next machine it comes across, with botnet instructions allowing it to spam that random text along with advertisements for pr0n or "hot stock tips".
Oh, believe me, there's pretty good safeguards against things like that. At higher classification levels, "removable media" don't exist. USB keys are banned. For the most part, this is for information compartmenalization, but computer security is an issue too.
I'm not being a smart-ass. In classrooms and other environments, restricted physical access to a bank of machines with a common, limited-rights user works well enough. It's implicitly what goes on in homes around the world, minus the "limited-rights" part.
I wouldn't do that in most offices though.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I think my Wellington Bear calculator is even more secure, at least, before it was hybridized with my Trapper Keeper.
Shop as usual. And avoid panic buying.
I would hate to be the first one to say "try *nix" instead of Microsnot, but... I have seen Sun-Ray employed in a retail environment using ID cards, and was very impressed. The staff walk up to any terminal, insert the smart card, and instantly have their (previously disconnected, but still live) session re-established. As soon as they removed their cards, the session was disconected pending resumption at any other terminal. No login, no restarting applications, etc. It was beautiful. On the downside, it does take bandwidth, and you may need to use a Sun server, which your app may not support. OTOH the may now support Terminal Services. Start here; HTH: http://www.sun.com/software/index.jsp?cat=Desktop& tab=3&subcat=Sun%20Ray%20Clients
A pox on web designers who feel that window.innerWidth == screen.availWidth
The reason Microsoft does not recommend using their fingerprint reader to secure business data because the data stream between microsoft's reader and the PC is not encrypted. This makes the device vulnerable to a "replay" attack. Even so, a replay attack requires local access to the machine to capture the USB data streams.
A detailed analysis of this can be found here.
This security feature was removed due to an agreement between Digital Persona and Microsoft.
If you want business grade security, you must pay up for the Digital Persona product. Both sets of readers are remarkably resistant to "fake" fingerprints placed on the sensor.
"The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy."
Sounds like this guy needs a quick system for employees to check some info. It DOESN'T sound like the submitter is working in a nuclear plant, a bank vault, or any other highly secure facility.
Check http://www.snapfiles.com/get/naturallogin.html/ out. It's a shareware program ($30 to buy) that uses USB flash drives and inserting them into a USB port automatically logs them into the windows system. Sounds like it will work with the existing windows login scheme.
Retina scanning, RSA keys, and fingerprinting sound cool, but they're probably overkill, and overly expensive. They have their place; but I'm inferring that the submitter doesn't need to be THAT secure.
I worked at Lowe's (the home improvement warehouse) and we had to make shelf tags, check stock for customers, order products for customers, run registers, and clock in/clock out. We did it all with one system with an employee number and social security for password. It would have been easier and cooler if I didn't have to give out my SSN every time I checked stock on an item for a customer.
I've deployed many different types of authentication. Before you get too involved selecting technology here what you need to do:
1. Do a risk analysis: Categorize your risk to high, medium and low using business risk, security risk and information risk
2. In an enterprise setting, you then need to deploy some type of single sign on package. In the package you then need to create a set of authentication strengths. Things like passwords and proximity badges are for low risk applications (the reason being they are easily bypassed, thwarted, obtained through fraudulent means etc). For medium risk you should then use something like a uid/password coupled with a digital certificate or SecureID token. For high risk, you should use something like a biometric plus a digital cert plus a uid/password.
3. Even with these methods, your enterprise security can be broken. Therefore, in order to protect your enterprise crown jewels, you should also deploy something called transaction authentication. Even if you log on using the strong authentication successfully, the authentication transaction software checks the hardware configuration of your computer, the ip address, you geolocation, time of day and historical user profile to validate that you are who you are purporting to be.
In your warehouse, a proximity badge will perform best. Users just have to be in close proximity to the reader. HOWEVER, be warned that this is not a secure level of authentication since the badge can be carried by someone other than the person you issued it to. Therefore, for those applications in the warehouse that are higher risk, you should try and segregate them to stronger authentication.
Another choice in a warehouse scenario is to use voice authentication. This can be relatively cheaply deployed. It has some good performance specs relative to biometric authentication.
On my website, www.authenticationworld.com, I have referenced the performance of different biometrics.
Be warned however that the use of biometrics has drawbacks:
1. Some of them can be fudged depending on the technology you purchase
2. There are a lot of false positives with some of the biometrics
3. They can be expensive to deploy.
I have lots of resources on different authentication mechanisms on my website as well as a blog on authentication.
"Logout policy after three unsuccessful tries." What a wonderful idea! The people we hire to use computers are not very good at remembering their passwords, but they are excellent at generating a huge volume of daily throughput at 50 cents a whack once the damn thing starts up. Some moron in IT actually DID set the lockout (to five tries), but our energetically self-starting production drones can slam all the way to lockout in about 30 seconds before it dawns on them that the pointy-haired guy has everybody's password on postit notes in his desk drawer, and they should just ask. Yes, 24 hour lockout! This requires a superviser's attention, who has to call THE COMPANY WIDE HELP DESK, which answers tickets IN THE ORDER THEY ARE RECEIVED from ALL OVER THE GLOBE, before some Recent College Graduate can reset the password before the automatic 24 hour lockout period has expired. In the half hour it takes to track down another workstation, our accomplished drone has tanked $50 of income, and the company slams $200 in parentheses.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
A point a lot of people seem to miss in any discussion of authorization is the nature of a password: it requires you to actively remember it (provided you don't write it down or something similar to degrade its security). If you are not around to remember it or unable to consciously do so, the lock stays shut.
Using biometrics might still require some action on your part (put the thumb on the reader, look into the reader, etc.) but the password is always the same. You may be unaware of what it is being used for -exactly-. This risk is non-existent with passwords, if you pick your passwords carefully. You have to consciously select the password you memorized for this particular application and if you do it well, the password won't unlock anything else.
I'm not saying passwords are the end-all of security, but they do have this aspect whereas most other solutions that are being considered because of their increase safety in terms of creating copies or simply 'cracking the code' don't.
Get people to use their own credit cards in a swipe reader (or smartcard reader for those not in USA!). All the system needs is a unique number, it doesn't need to process that number. (Details - store an irreversible crypto hash of the card data.)
Don't know many people who would respond to "Hey Joe, I need your credit card?"
Andrew Yeomans