Successful Alternatives To Password Authentication?

DonaldP asks: "Have any of you successfully deployed a key, token, or biometric-based access control for Windows machines to replace (or enhance) the typical login/logout authentication process (even image-recognition schemes would be considered)? I see different stuff out there but short of actually evaluating each one, it's hard to get a good idea of what the scene is like, what is crap and what actually delivers. Does anyone have experience with such systems, or can suggest other suitable solutions?" "Some existing solutions (smartcards, etc) have their own quirks. Most notably, they trigger a login, or a logout event (plug it in to log in, remove to log out). Frankly, that just takes too long. Access granting needs to be quick and easy, because it will be frequent (and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs). The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy.

A 'Holy Grail' would be something like you see on the point-of-sale terminals in the food industry. Waitrons swipe or wave their card to access the (shared) terminal, quickly punch in or look up what they need, and they're out of there until next time.

The specific technology used (iris scanner, fingerprint scanner, smartcard, keycard, RFID, etc) isn't particularly important. I want to roll out something easier for the floor people to manage than the typical standard username/password authentication method, that provides:

- FAST locking/unlocking the screen (or fast login/logout action).
- Allows multiple 'keys' to be used for one system (many individual users, one computer).
- An event log (or equivalent) to identify which key unlocked/locked the system and when.
- the ability to disable individual keys in the event of loss, theft, etc.


The few products that I have found range from so-so to vapor-seeming. PSL would probably hit all the bases but it looks like vapor. The documentation link isn't there, the FAQ is blank, and the 'Reviews' and 'News' pages are empty. The RF-based one for WirelessDefender seems slick but it doesn't look like the hardware would accommodate multiple users for a single unit." In addition to recommendations and suggestions, if you've tried biometric authentication and have horror stories of stuff that *didn't* work, feel free to share those too, if you would."

Fingerprint login

[cdrguru]

The problem with fingerprint readers is there has been a lot of junk put out there. Anything that uses an optical sensor is a joke. Most of the capacitive ones are useless as well.

We recently deployed an application using an RF-based fingerprint reader. It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.

The software is very simple and very fast. You can either use their database (encrypted) or your own for storing templates.

We decided that this was the only way to avoid compromising existing user/password security for systems already in place. If we had even the possibility of the same passwords being used, our system would have to be provably at least as secure as whatever they were currently using. A very difficult and wide-open standard to be measured against. Therefore, no passwords at all.

The video

[pablodiazgutierrez]

Mythbusters on fingerprint hacking, here thanks to Gootube.

Suggestions

[TheNetAvenger]

and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs

This is true of WindowsXP, but not Vista. There are tricks to make Fast User Switching work in XP, you might want to check into them, although I wouldn't recommend them and would enforce a user policy that would just force the users to log off.(Make sure the policy is not just on the machines, but an employee manual policy as well, so that users log off when they are done.) You might also put in plans for Vista in any planned upgrades for your systems if this is important to your organization to allow the multi-user access method in a domain environment.

Stay away from fingerprint biometric (and variations) for true security, even though they are nice that the user doesn't have to cary a card or device with them. You can easily circumvent them by lifting a fingerprint of the user from a glass for example and using it to gain access to their login.

One technology that holds has a ligh level of security is tablet or signature sign on devices. The user signs their name. This is hard to defeat for most of the advanced devices, as they not only do a recognition of the input, but also compute the stroke pressure, speed, etc. So it makes it virtually impossible even for someone that can copy signatures to circumvent as they don't use the same pressure, speed, angle, etc as the real person. This is using the cool parts of Ink technology in that it is not just the image created, but all the other stored information making the signature very unique.

However, for true security go with a Smart Card solution. It does require the users to carry a card or device with them - look at Cell phones and other devices that are implementing this technology, that way users don't have to carry a card. There is a reason Casinos and Gold Mines use this technology, and if the user loses the card you can easily disable the card from the central domain and replace it with a new card for the user. These devices are also nice in that many non-computer devices use them, and employees can also use the same card for access to doors, phones, and other types of security and access throughout the building. So if you need other levels of access or security later on in your organization the same device can be used for authenication away from the computer.

Do some research and start with the main sites on security. They will have plenty of solutions and suggestions for helping with your login and security. Even go to MS's website and look up smart cards and biometrics since you are using Windows workstations.

Good Luck.

Remove passwords

We tried a very radical idea. The comittee of naysayers and control freaks tore their hair and banged desks to try and stop us from doing it.
After 6 months I can happily say, it worked, the move is vindicated and the frightened little control freaks had to eat their words
and admit it is pure genius.:)

We removed all our passwords.

Obviously this doesn't suit everyone. We are a smallish organisation with less than 50. The idea that everybody could actually
be trusted inside the organisation was central, as was the fact that most are not very computer minded and basically quite thick
when it comes to remembering passwords. The point being that if anyone inside the organisation could *NOT* be trusted then we were
screwed anyway, passwords or not. The move coincided with a massive revamp of network structure, a very restrictive new
firewall and password free ACL, basically cutting the intranet off from the outside except for a few key workstations that need general WAN access,
everything else is VPN. So now you can just walk up to any console, type your login name and get access. We can still log who does
what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other anybody
can use anybody elses login if the wish. In 6 months I haven't seen anybody do that, because there is no need to. Sunlight is a great disinfectant.
Obviously this would not work in a paranoid organisation where everybody is at each others throats, or it would radically change everything if
you did try it.

Sometimes you have to take a step back to see the wood for the trees.

DNA

[nurb432]

After you sell your soul to work for us, we require a drop of blood each morning to be able to access the building and then again to access your pc.

its effective, but we have noticed a rise in healthcare costs.

Re:The most secured system...

[LiquidCoooled]

if a computer crashes in a locked room and nobody is around to see it fail, does it have a blue screen.

Why not ID badges?

[vertinox]

It has always occurred to me we might as well use our badges to log in since if someone has access to our security badge, they can get into the office anyways and use a USB or a boot CD to get to our hard drives anyways.

I suppose we would then only have to worry about our coworkers stealing our badges to do nefarious stuff as our own so perhaps we could combine it with thumb print scanner and maybe a pin number.

Still, I guess one could beat the password out of the poor worker, steal his badge, and then cut off his thumb... Or maybe kidnap his kid and blackmail him.

Seriously, unless you are working in a government agency, I don't see anymore security you are going to get out of a badge through and a thumb print.