Slashdot Mirror


Ask Slashdot: Best Biometric Authentication System?

kwelch007 writes I run a network for a company that does manufacturing primarily in a clean-room. We have many systems in place that track countless aspects of every step. However, we do not have systems in place to identify the specific user performing the step. I could do this easily, but asking users to input their AD login every time they perform a task is a time-waster (we have "shared" workstations throughout.) My question is, what technologies are people actually using successfully for rapid authentication? I've thought about fingerprint scanners, but they don't work because in the CR we have to wear gloves. So, I'm thinking either face-recognition or retinal scans...but am open to other ideas if they are commercially viable.


  1. RFID/card scanner by Anonymous Coward · · Score: 5, Insightful

    Don't you all already have badges or dongles or something along those lines?

    1. Re:RFID/card scanner by Albanach · · Score: 5, Interesting

      An AC first post hits the nail on the head. I'd have thought RFID would be faster, less intrusive and possibly more reliable. Pretty sure it would be cheaper to implement too.

      Unless you're worried about people using someone else's card to authenticate, this seems like the smart solution. Still, I can't believe you haven't thought about this, so maybe there's some reason you feel RFID wouldn't be suitable.

    2. Re:RFID/card scanner by postbigbang · · Score: 1

      Use a YubiKey and OAuth APIs. Neat and clean, and although it can be spoofed, it's not easy to do, and is as good as you get without easy to screw up "bio-authentication" infrastructure. You keep it on your badge fob, and it squirts a string as a single-key USB keyboard. Grab the string, use it with OAuth or as an identifier, and be on your way with sanity.

      --
      ---- Teach Peace. It's Cheaper Than War.
    3. Re:RFID/card scanner by hawguy · · Score: 3, Insightful

      Don't you all already have badges or dongles or something along those lines?

      Hard to get any faster and more convenient than this -- if they don't want to make employees scan their badges, put an RFID reader in the chair and keep the badge in the back pocket and it's automatic and instant every time they sit down at a workstation.

      Unless they have a specific need for biometrics, there's no point in using it.

    4. Re:RFID/card scanner by Kohath · · Score: 2

      If you really need security for some reason, use it to match the person to the badge at the clean room entrance. That will keep someone from using a stolen badge.

    5. Re:RFID/card scanner by TubeSteak · · Score: 2

      RFID bracelets are fairly cheap.
      If a little thought is put into the readers' placement, authentication should require minimal/no interruption of the workflow.

      --
      [Fuck Beta]
      o0t!
    6. Re:RFID/card scanner by mlts · · Score: 2

      Biometrics might be useful for a lock inside an already secure company, but there are so many existing solutions which work well with AD that cobbling up something can be pointless:

      1: Why not just use regular AD authentication at the core, move the 2FA to the edges? I've seen this done using either Cisco software for VPNs, Citrix, or other means. This way, to authenticate from machine to machine (especially if UNIX machines use AD and there isn't a way to add anything), it doesn't take that much. Plus, this saves cash by limiting the need for devices to users who need access from the edge.

      2: If 2FA is needed, then why not use CAC/PIV-like cards? Since the US government uses them everywhere, the software for them is available.

      3: If 2FA is needed on the cheap, there might be a way to use the Google Authenticator (part of OAuth as above). I have that in place on ESXi machines and other items. However, this means that one has to have a device showing the numbers with them at all times. I also use OAuth and Google's app for Linux VMs that are Internet facing as a backup if I don't have the local machine's SSH key in the remote VM's authorized keys file.

      Personally, I'd just use 2FA on the edges or on the machines which need that security. Fewer hassles, and cheaper.

    7. Re:RFID/card scanner by postbigbang · · Score: 1

      I'd agree with this. There comes a point where people will avoid 2FA if it's too complex. Sometimes it just means adding nagware, timeouts, and WTFs if auth isn't congruent. And sometimes weird legal dept senses of regulatory compliance enter in, too. Indeed that might be the best place to start if audit/compliance is a side-output of the process.

      --
      ---- Teach Peace. It's Cheaper Than War.
    8. Re:RFID/card scanner by davester666 · · Score: 5, Funny

      cattle tag on the ear should also work well. readily available and not that expensive. software already available for tracking movement and what milking station they are in. what more do you need?

      --
      Sleep your way to a whiter smile...date a dentist!
    9. Re:RFID/card scanner by mlts · · Score: 2

      If I were deploying an infrastructure, I'd go with a basic layered approach. The sensitive stuff either gets put behind RDP or Citrix (with 2FA to log onto those servers), the edge VPNs definitely get 2FA, and average machines get "plain old" AD logins with passwords changed on a normal schedule like every 30-60 days [1].

      Of course, network topology, and devices play a large part in this. This way, a guy in receiving who gets malware on his machine will not affect the computers in finance or development. Endpoint management also helps, but one doesn't know if an attack is going to go through a compromised Web browser, physical access, a disgruntled employee, or a backdoor in the main firewalling routers that allows an attacker full access from the Internet.

      Wise use of 2FA does help, but as with all security products, it isn't a magic bullet.

      [1]: Only real difference I'd have is that all user accounts would have expiration dates in AD going 6-12 months out, and that an audit every month or so would pop up ones about to expire so the accounts can be either re-validated or left to expire until explicitly needed again. This way, an admin that left quietly where people forgot about won't always have access, as it will end up getting pulled automatically.

    10. Re:RFID/card scanner by Jane+Q.+Public · · Score: 2

      An AC first post hits the nail on the head.

      And AC first post -- and the first responder to the post -- appear to have been hit on the head by a very heavy nail.

      RFID, chips, cards, etc. have the SAME "problem" as IP addresses: they don't identify the PERSON, they just identify the identification. If someone else is holding the identification, all bets are off.

      Entire movies have been made about this. I mean, come on.

    11. Re:RFID/card scanner by Ihlosi · · Score: 1

      RFID, chips, cards, etc. have the SAME "problem" as IP addresses: they don't identify the PERSON, they just identify the identification. If someone else is holding the identification, all bets are off.

      The author of the article mentioned using a simple login/password, but rejected the idea because it was too much hassle - not because someone else could use the login/password combination. This means that the employees can be trusted not to misuse their credentials.

    12. Re:RFID/card scanner by Jane+Q.+Public · · Score: 1

      It means nothing of the sort. That is an assumption on your part.

      OP asked for "biometric" ID, okay? RFID, cards, NFC, etc. are not biometric. The reasonable assumption -- unlike yours -- is that he had an actual REASON for asking for biometrics. People don't usually say things for no reason.

      Having said that, most consumer-level biometrics are crap. Despite Apple, fingerprint readers are crap for any kind of real security. Capacitance is even worse. You can foil it (pun intended, but pretty literally) with a tinfoil hat.

      My best recommendation would be voice recognition. Not the "Hey, Google, where is 'Interstellar' playing nearby?" kind but the person-recognition kind. It's pretty good and not terribly expensive.

    13. Re:RFID/card scanner by hughk · · Score: 1

      Plain RFID is fairly good, especially in an already secure area. Otherwise, the oldie but goodie: Something you have, Something you know. RFID+easy PIN? RFID as it doesn't need contact and will work through protective "skins" and a 4-digit PIN to identify the card owner.

      --
      See my journal, I write things there
    14. Re:RFID/card scanner by Outtascope · · Score: 1

      What's the matter? Not looking forward to the calls to IT support to change your Biometric Password? Biometric authentication is generally a Very Bad Idea (tm), with a very narrow set of reasonable use cases. Typing a password being "a time-waster" does not, in my opinion, meet the criteria.

      I'm with the parent here, use HID or something similar.

    15. Re:RFID/card scanner by tlhIngan · · Score: 1

      OP asked for "biometric" ID, okay? RFID, cards, NFC, etc. are not biometric. The reasonable assumption -- unlike yours -- is that he had an actual REASON for asking for biometrics. People don't usually say things for no reason.

      Probably because biometrics are easy. You're pretty much guaranteed to have a face or a finger that can be scanned inside the cleanroom. Except of course, you're wearing gloves, and no mention if they have to put on the burka-like hoods as well (which eliminate all but iris scans, which may not be possible if it's an enclosed hood).

      Basically the problem is they need fast logins that preferably they don't have to type usernames and passwords (which can be hard on clean-room capable keyboards), so an RFID badge can easily solve the problem since they're usually already clipped to the badge holder on the suit.

      And given it's a cleanroom, that usually means it's in a more secured area so primary screening can validate badge against other measures, so unless one also planned on swapping or swiping a badge post-entrance, you can be reasonably sure the credentials are valid.

      Plus, usually for stuff involving computers, you either use a login and password, or biometrics. RFID cards or ID badges don't typically come to mind when wanting an authentication solution.

    16. Re:RFID/card scanner by John.Banister · · Score: 1

      If there was concern about people using someone else's card, a hybrid system could be used. On coming in to work, a person could pick up a random RFID bracelet, put it on, and "clock in" at a station that does a biometric check and assigns that bracelet to that identity for the day. Design the bracelets so that removing one causes it to signify that it has "clocked out," and needs a visit to a clock-in station to become valid again.

    17. Re: RFID/card scanner by slashdotwannabe · · Score: 1

      Fair point, but easily mitigated with a simple procedure: When people come into the clean room have a person check their ID and give them a one time use RFID wristband like those tear off wristbands you get at nightclubs. Now that RFID value is tied to the owner and cannot be changed without destroying it. When their shift ends, take it off, throw it away, lather, rinse, repeat.

      --
      This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
    18. Re:RFID/card scanner by RockDoctor · · Score: 1

      RFID, chips, cards, etc. have the SAME "problem" as IP addresses: they don't identify the PERSON, they just identify the identification. If someone else is holding the identification, all bets are off.

      OK, that's a valid point.

      (1) This is a working environment where people are already wearing all-encompassing clothing, so there are no issues about requiring someone to wear another item of clothing/ equipment.
      (2) So ... put the RFID (or equivalent, I'll use "RFID*" to cover all such technologies) onto a wrist/ neck/ waist band, or shoulder holster or some other contraption which it is physically impossible to remove. (Minor caveats for first aid treatment, but in such cases you'd almost always start treatment by getting the IP (Injured Person) out of the controlled zone, so "Meh".)
      (3) As part of that process, the security guard / team leader/ whatever verifies ID (company badge, user-name/password, whatever ; and these are likely to be regular teams so Mark-1 Eyeball is likely to be as good as anything) and that it matches the RFID* ... sign off paperwork, job done.
      (4) People enter controlled zone, setting off proximity sensors as they enter, as they perform decontamination, go through into fully controlled zone, sign off hand-over notes ... and get on with their jobs.

      For what it's worth, when I turn up at the heliport to go to my work, I am always searched - pockets and baggage - for mobile phones, cameras, tools, drugs (including prescription ones) ... we don't consider it an invasion of personal privacy or shit like that. It is simply the way that this business has always been

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
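The shift-scoped bracelet scheme proposed in the replies above (verify identity once at the clean-room entrance, bind an otherwise anonymous tag to that person, drop the binding when the band is removed), sketched as an added example that is not part of any comment. The class and field names, the 12-hour limit, and the sample tag IDs, users and timestamps are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SHIFT_LIMIT = timedelta(hours=12)  # assumed maximum lifetime of a binding


@dataclass(frozen=True)
class Binding:
    user: str
    bound_at: datetime
    verified_by: str  # how identity was checked at the entrance


@dataclass(frozen=True)
class StepRecord:
    step: str
    station: str
    tag_id: str
    user: str
    at: datetime


class TagRegistry:
    """Maps a tag to a person only between clock-in and clock-out."""

    def __init__(self) -> None:
        self._active: Dict[str, Binding] = {}
        self.audit: List[StepRecord] = []
        # Reads of tags with no valid binding: kept for review, never attributed.
        self.rejected: List[Tuple[str, str, datetime]] = []

    def resolve(self, tag_id: str, now: datetime) -> Optional[str]:
        """Return the bound user, or None if unbound or past the shift limit."""
        binding = self._active.get(tag_id)
        if binding is None:
            return None
        if now - binding.bound_at > SHIFT_LIMIT:
            del self._active[tag_id]  # forgotten clock-out expires on its own
            return None
        return binding.user

    def clock_in(self, tag_id: str, user: str, verified_by: str,
                 now: datetime) -> None:
        """Bind a tag after the entrance check; one tag per person."""
        for existing in list(self._active):
            holder = self.resolve(existing, now)  # also drops expired bindings
            if holder is None:
                continue
            if existing == tag_id:
                raise ValueError("tag is already bound; clock it out first")
            if holder == user:
                raise ValueError("user already holds an active tag")
        self._active[tag_id] = Binding(user, now, verified_by)

    def clock_out(self, tag_id: str) -> None:
        """Band removed, torn or handed in: the tag identifies nobody."""
        self._active.pop(tag_id, None)

    def sign_step(self, tag_id: str, station: str, step: str,
                  now: datetime) -> Optional[StepRecord]:
        """Attribute a process step to whoever the tag is bound to right now."""
        user = self.resolve(tag_id, now)
        if user is None:
            self.rejected.append((tag_id, station, now))
            return None
        record = StepRecord(step, station, tag_id, user, now)
        self.audit.append(record)
        return record


if __name__ == "__main__":
    t0 = datetime(2015, 1, 5, 7, 0)  # constructed sample shift start
    reg = TagRegistry()
    reg.clock_in("TAG-0041", "asmith", "entrance check", t0)
    print(reg.sign_step("TAG-0041", "etch-03", "wash", t0 + timedelta(hours=1)))
    reg.clock_out("TAG-0041")
    print(reg.sign_step("TAG-0041", "etch-03", "rinse", t0 + timedelta(hours=2)))
    print(reg.rejected)
```

The audit record stores the resolved user alongside the tag ID, so reusing a tag on a later shift does not rewrite who performed earlier steps.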
  2. None by Anonymous Coward · · Score: 4, Informative

    I work in a class 10 clean room with shared workstations as well. Manual log-in to every workstation is the norm. Biometrics are not only infeasible in such a cleanroom environment, they are more trouble than they are worth, and also not likely to be as secure as you hope (or as reliable).

    1. Re:None by Dahamma · · Score: 1

      Above posts already answered the question, though. Biometrics make no sense when the point is not really authentication (which assumedly in a clean room was already done) but identification. Just use an RFID tag. Done.

  3. why bio by Anonymous Coward · · Score: 1

    Why does it need to be bio-metric? How about scanning a fob or access card?

  4. A probing question by sinij · · Score: 1

    A blood sample and DNA analysis is most accurate. Now, what is your definition of "best"?

    If, for example, you want to incontinence users the most, you could devise biometric authentication based on anal probing. If you want to inconvenience the least, some form of gait analysis would work, but with a significant number of false positives.

    1. Re:A probing question by daremonai · · Score: 5, Funny

      I don't know if incontinence here was a Freudian slip or not, but it sure was an accurate one.

    2. Re:A probing question by s.petry · · Score: 1

      Well, I would surely shit myself if I was told that I had to jab my finger with a lance every time I needed to log in...

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  5. why biometric? by bloodhawk · · Score: 1

    Biometric certainly ISN'T a time saver. They tend to be slow to process and take more time than most authentication options. Surely you have proximity cards or smart cards, they are a far easier, faster option if all you are after is a fast easy authentication method.

    1. Re:why biometric? by Dan+East · · Score: 1

      Exactly. Biometrics make even less sense because this is a clean room. Use clip on RFID tags on the end of their shirtsleeves or some other physical location that allows the RFID tag to be read while the worker is at the station.

      --
      Better known as 318230.
    2. Re:why biometric? by cHALiTO · · Score: 1

      I don't know what kind of biometric auth systems you used, but I used to work for a company that did professional AFIS systems and on the side some fingerprint auth solutions including usb readers, and they were damn fast and convenient.
      I imagine it must depend on what you use. There's consumer grade shit like apple's or MS's fingerprint scanners and software, and then there's pro stuff.

      Plus, to the guy that said DNA was secure. It's not. Fingerprints are far more secure (the gummy bear trick and others have been taken care of quite some time ago), since they're actually unique, unlike DNA (twin brothers come up as matches, for example).

      Another option would be Iris scanners. Retinal scan is more invasive and you have to put your eye up to a reader.. Iris scan can be done with a simple camera while you look normally at your terminal screen, and it's pretty fast.

      --
      "Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
  6. Identify or Authenticate?? by aXis100 · · Score: 1

    If you're just trying to *identify* a user then a simple RFID, barcode scanner or QR reader would be fine. I assume the staff have ID cards so just incorporate it with that.

    For any steps that specifically require security authentication then you use a password as well.

  7. Cameras by randall77 · · Score: 5, Interesting

    Just buy a point-of-sale camera system that department stores use. They keep weeks of video from dozens of cameras available for review. Requires 0 overhead in the common case when no audit is required. It is really easy to find out who did what given a time and camera ID. Use humans for your facial recognition, they're actually really good at it.

    1. Re:Cameras by pepty · · Score: 1

      For quite a few cleanrooms the common case is the logs are used for QC and for compliance with federal regulations. Also, people in clean rooms are generally wearing safety glasses, masks, bonnets, etc, so figuring out who is who would be a pain.

    2. Re:Cameras by Russ1642 · · Score: 1

      It's hard to identify people that are all dressed the same and are wearing face coverings. Thankfully, team sports figured out a HUNDRED YEARS AGO how to do this. Put big numbers and/or names on their backs. Done.

  8. Kinect by uberbrainchild8437 · · Score: 2

    A kinect sensor could be hooked up to a computer and do a decent job of telling one user from another. You don't need a large open space if you simply want to identify who is working where.

    --
    http://Anveto.com - Web Design, SEO, Marketing, Analytics & Security
  9. Next Great Thing by Anonymous Coward · · Score: 1

    I've been sitting on this idea for authentication using seat mounted sphincter scans.

    Go ahead and make your jokes, but ..

  10. FTFY by CaptainDork · · Score: 1

    Go ahead and make your jokes, butt ..

    --
    It little behooves the best of us to comment on the rest of us.
  11. too complicated by roc97007 · · Score: 3, Insightful

    > So, I'm thinking either face-recognition or retinal scans...

    Waayyyy too complicated and expensive and Charlie's Angels-ish. If all you're trying to do is identify which user performed which step, RFID is your friend. Have an RFID sensor integrated into the workstation, and require the user to "sign" their work with their badge before they can commit.

    Look at people going to work every day using RFID badges. If you want something faster than logging in with A/D credentials (which would have been my first suggestion), swiping a badge is pretty much as fast as you're going to find.

    Now, if people using each other's credentials is a concern, or security in general, then you're looking at using A/D credentials plus a badge ("something you know, and something you have"). I personally wouldn't go with biometrics until they've gotten cheaper and more foolproof. Maybe never.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:too complicated by Matheus · · Score: 1

      I agree that this is not a great usage for biometrics... maybe if you were adding security to the whole lab not just a step verification.

      BUT if you were to go Biometric then you should use Iris (Not Retina or Face). It is the easiest, fastest and most accurate for 1-1 Verification (Assuming you get your tech from Morpho... they have a patent on the only good tech right now)

      Retina is just too invasive and doesn't give you any more (maybe even less) accuracy than Iris.. not really used much any more.

      Face is great these days (NOT Facebook/Apple's tech... "real" matching tech) but is not ergonomic for your use-case.

    2. Re:too complicated by cusco · · Score: 1

      I was just going to post the same, except to mention AOpix (haven't used a Morpho system).

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    3. Re:too complicated by cHALiTO · · Score: 1

      Exactly. I used to work at Morpho's base company (ex Sagem, French co.), and they had some good products. The fingerprint recognition solutions were top notch too.

      Disclaimer: yes, I worked for them, but I don't now, not even working in biometrics now, and I couldn't care less how the company is doing, I'm not trying to advertise for them, I just think the tech they had when I was there was pretty good :)

      --
      "Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
  12. Part 11 much? by Anonymous Coward · · Score: 1

    If you have to meet something like 21 CFR part 11 you better start explaining why you want to implant proximity rfid in your employees' hands.
    If you are serious though - a usb OTP+keypad unlocking a X509 certificate on same (chip & pin EMV)

  13. None! by Vlijmen+Fileer · · Score: 5, Insightful

    Can this discussion about the supposed virtues of biometric identification / authentication please die?
    Biometric properties are like usernames. Not like passwords. They don't "authenticate" anybody; your fingerprints e.g. can be found all over the world, right in the open.
    And on top of that they are BAD usernames, because they can not be changed. Once your biometric identity has been compromised, you have to give up the whole identification / authentication /system/, because the property can not be changed!

    1. Re:None! by profplump · · Score: 1

      There are lots of perfectly valid uses for biometric identification, including as a factor in a set of authenticated credentials. It's just that they shouldn't be used alone (nor should any other factor).

  14. most biometric sensors have significant issues by Anonymous Coward · · Score: 1

    For instance, at any given time, about 2% of the population cannot be authenticated by fingerprints (people with various conditions that result in very thin skin tend to have no prints; occupational reasons: bricklayers; people with fingerprints that don't generate decent features for the recognizers, which look for whorls and gaps and points; people with cuts and disfigurement)
    It is also incredibly easy to make fake fingers that will false positive the system. No, you don't need to cut the finger off the person: you can do it from almost any latent print, or even if you know the template that's being matched, you can generate an artificial fingerprint that "hashes" to the same feature vector.

    Most biometric schemes relying on motion (gait analysis, mouse movement, keyboard dynamics) have accuracies of about 80% (10% false reject, 10% false accept), although for any given person, some modalities work a lot better and others are really bad. Maybe you've got a very distinctive gait, but not a particularly distinctive touchpad swipe. Gait analysis, for instance, is sensitive to the type of shoes the person is wearing (heel height, flats, sandals), and, of course, injuries (stubbed toes, twisted ankles, blisters) throw it off.

    Retinal scans (which actually look at the blood vessel pattern) are quite good, but you have to peer into the scanner.

    I'd suggest some form of RFID, in a two stage process. Use a two factor authentication for an initial login and then just interrogate the RFID to make sure the same person is still in the vicinity and hasn't left. A standard FIPS-140 PIV-2 badge would probably work ok: it has the on card crypto chip to help with TFA, and has the RFID responder. There's tons of suppliers of cards, readers, etc.

    You could also, of course, tattoo a bar or QR code along with human readable tracking number onto your employees faces or other easily visible position and use conventional video processing for automated recognition, and human backup can use the numbers. You'll need to periodically change the codes, of course, to avoid spoofing.

    Or, implant an RFID transponder: they're widely used in the livestock industry: milking parlors, slaughterhouses, etc.

    1. Re:most biometric sensors have significant issues by dszd0g · · Score: 1

      It is my understanding that retinal scans can be affected by health conditions. Pregnancy, diabetes, glaucoma, retinal degenerative disorder, AIDS, syphilis, malaria, chicken pox, lyme disease, leukemia, lymphoma, sickle cell, congestive heart failure, atherosclerosis, and significant cholesterol change can all apparently cause a retinal scan to change. While some employees may find detection of these conditions as a good thing, other employees may find it invasive.

      Research seems to indicate that iris scans change over time. Companies that use Iris scanners need to rescan everyone every year or they get false negatives, which may or may not be an issue.

      I think using an ID card scan like was mentioned above, makes the most sense.

      --
      This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
  15. Re:Hand vein scanner` by hawguy · · Score: 1

    I saw some video about hand scanner that uses your vein mapping. This is good because you don't need to touch it, and it'd be hard to replicate.

    But does it work through gloves?

  16. Bracelet by well_in_theory · · Score: 1

    How concerned are you about taking the responsibility of authenticating "I am me" away from the individuals? If you can trust them with that information, then the RFID bracelets that a lot of barstaff use seems like it would be perfect. Swipe your arm past the scanner whenever you need to say "this is me" -- works great unless you are worried about people swapping them.

  17. Re:Hand vein scanner` by stoploss · · Score: 2

    I saw some video about hand scanner that uses your vein mapping. This is good because you don't need to touch it, and it'd be hard to replicate.

    But does it work through gloves?

    Yes. You simply place your hand in the 3T MRI cavity, wait 45 minutes for the scan to complete, and voila, instant authentication!

  18. Biometric authentication is flawed by manu0601 · · Score: 3, Insightful

    Biometric authentication is flawed, because your credentials are not secret, and they cannot be revoked. If an attacker manages to clone for instance your fingertip, you cannot change it, you need to change the authentication system.

    Biometric may be reasonably used as a second factor, for instance for unlocking a smart card

  19. WTF by Anonymous Coward · · Score: 5, Insightful

    Typical engineer, overcomplicating the shit out of a simple problem. Give each guy a 4-digit PIN and have them hammer it in to the workstation to gain access.

  20. Re:Why does it need to be biometric? by Applehu+Akbar · · Score: 1

    The Apple Pay implementation of NFC would work, though because of the gloves you would have to use the passcode option, not the fingerprint.

  21. Best biometric? A doorman with good memory. by Culture20 · · Score: 2

    Welcome back Mr. Soandso. Nice weather tonight isn't it?

  22. Bad advice by s.petry · · Score: 1

    I don't agree with any kind of single Auth mechanism even inside the network, except for personal workstations. A single keylogger on a compromised machine can ruin your business pretty quickly this way, and it has happen(s|ed) often enough that people should know better by now. Maybe 1FA on your workstation, but any server access should be 2FA all the time regardless of your location and connection type. At least as important, if you are using 1FA for a workstation the LDAP infrastructure should be completely separate from your server's LDAP infrastructure.

    That said, I would only use Biometrics as a 3rd factor unless you are dumping millions into the technology, monitoring, and maintenance. Even in Government work you won't find too much for biometric authentication. Retina scans can be spoofed with a photo, fingerprints can be lifted and spoofed (not enough data points to be accurate) even with some very expensive hardware, etc... "Normal" security is a strong password (with some strict rules) plus RSA like tokens. Even high end security uses controlled equipment in a secure location with at least 3 different lock mechanisms on the door as the primary control. Once inside, you will still normally find 2 factor Auth (depending on the classification).

    Biometrics has a cool factor, but not a very good authentication system without pumping lots of money into it.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  23. Re:Yay by Zontar+The+Mindless · · Score: 1

    Dear me, you must have missed "THREEE-DEEE PRINTERS IN SPAAAAAAAAACE" that was posted... um, yesterday.

    --
    Il n'y a pas de Planet B.
  24. devil's advocate: bio for 200 people by raymorris · · Score: 1

    Although I tend to agree with the general consensus that RFID or even QR codes would be a simpler way to identify (not authenticate) people, there is one important nuance being missed in all the criticism of biometric.

    In the most common use cases for biometrics, you're attempting to distinguish this one person vs the other 5 billion people in the world. That's hard. This particular use case is much simpler - we're just asking it to distinguish between the 50 or so people who work in this clean room. In other words, we know it's one of these 50 people, which of them is it? That's a much easier question, so high accuracy should be easy to achieve with the right settings.

  25. Re:Camera + QR code on lapel. by __aaltlg1547 · · Score: 1

    If you can't trust them not to cheat the system, you shouldn't be letting them in the clean room at all.

  26. Who wants this? You? by vinn · · Score: 4, Interesting

    Having spent a lot of time around such things, I have to ask, whose project is this? Who wants this? Just you?

    If your boss or the CEO is asking for this - great. Go do it. That's your job. (The RFID comments seem in the right ballpark.)

    If a mid-level manager or you is taking this on as a pet project, then you need to do some soul searching. This doesn't seem to have much immediate benefit to the bottom line of the company. This doesn't drive revenue creation and it doesn't drive product development. Almost every time I hear someone say, "We need to track X", I rarely ever hear someone else say, "Get me the statistics on X". Tracking shit is easy, crunching the numbers to calculate metrics isn't. If this is simply compliance tracking, listen to the guy who says to install cameras and then dump it to a crapload of drives. If there's an audit, hand over the video and let the auditors sort it out.

    There is a whole lot of not-your-job in here and very little hero making to be done.

    --
    ----- obSig
  27. vein scan is THE biometric by markdavis · · Score: 3, Interesting

    Deep vein scan (typically of the palm) is the only biometric that I would find acceptable from a privacy standpoint. It can't be "stolen" or "lifted", it is not visible from a reasonable distance, it can't be easily scanned without the user's consent. It requires being "alive". It is reliable and simple to acquire. I have used it and seen it in action... very impressive.

    Fingerprints are horribly abused and left everywhere and can't be read through gloves. Easily copied and fooled.

    DNA is extremely expensive, extremely slow, has severe privacy implications, and is left everywhere.

    Facial recognition is not extremely accurate, is often slow, and is the WORST biometric from a privacy standpoint.

    Retina scan is complex and probably the most expensive besides DNA.

    Finger spread biometric is inaccurate and insecure (can be obtained from a distance via

    1. Re:vein scan is THE biometric by Anonymous Coward · · Score: 1

      Completely agree - I was about to post a vein scanner option when I saw your comments. Some ATMs in Japan use them!

      http://www.fujitsu.com/us/services/biometrics/palm-vein/

      I don't understand why more products don't utilise vein scanning - seems like the holy grail of biometrics!

  28. Other Options by NeveRBorN · · Score: 1

    I doubt you'll find a biometric solution that will work well in that environment. Have you considered NFC tokens such as YubiKey? What about active or passive proximity authentication?

  29. lab book by Goldsmith · · Score: 1

    Ok, so retina scans and face recognition don't work well in a clean room because your people should be wearing goggles and a face mask. Also, this is about training, not technology.

    I'm assuming you're going beyond the standard card access machines that are already in most clean rooms and are instead trying to track "little" things like wash steps, microscopy review, hot plate use, etc.

    Electronic lab notebooks (this used to be a server-workstation kind of thing, but it's tablets now) are great for this. This doesn't need to be very expensive or have custom software. Plus you add the convenience of carrying a clock & timer around with you. If you want to get really fancy, you can have the tablet talk with your computers (I've never seen that done in a lab or clean room, but it's probably out there).

    You should be able to get all the info you need right now with your regular clean room notebooks and some transcription. If that's not happening, you're simply not keeping records well enough. That's a training problem. The level of record keeping required for good clean room work is very high. Trying to find a technology solution to remove good note taking practice can encourage sloppy work unless all of your tooling is set up for complete automation (in which case, you wouldn't be asking this question...).

  30. RFID and strong authentication in a clean room by rlh100 · · Score: 1

    In a clean room, swiping a badge each time is hard. Use RFID in a wrist band. The hand needs to push a button. Put a reader next to the default button so pressing the button authenticates with RFID. Non-default operations require an RFID swipe. Could the reader be an IoT (Internet of Things) device?

    Strong authentication with an RFID device in a clean room environment is easy. Put the RFID wrist band on under the bunny suit. Require the user to authenticate on a computer with their RFID wrist band inside the clean room before anything will work. Two users cannot swap wrist bands because they would have to wear them outside the bunny suit which is visually obvious.

    A wrist band could work easily in any manufacturing environment if the company does not need strong authenticati

    Weak authentication is easy. Strong authentication is hard.

  31. RFID + biometric with biometric at cleanroom entry by Michael_Paoli · · Score: 1

    At the point of entry to the clean-room, use RFID + biometric (and possibly also PIN or password). That effectively reasserts RFID in possession of the authenticated person upon entry to clean-room. Policy should enforce that RFID is to be on the person from entry to exit of clean-room. Then just use the RFID until they exit the clean-room. If any operations in the clean-room are so crucial as to require additional authentication/audit beyond that, add cameras+recording and/or additional authentication where reasonably called for, but don't overburden every step and authentication within the clean-room - after all that's part of the issue you're trying to solve. RFID should mostly suffice with sufficient controls upon entry and suitable policy and enforcement thereof.

  32. Why biometrics? by Ihlosi · · Score: 1

    Can't you just (wirelessly) scan an ID card/badge?

  33. PalmSecure perhaps? by mufflon · · Score: 1

    Fujitsu PalmSecure is rather straightforward. Scans your palm veins using IR, which means a reasonable chance to scan through gloves and other material

  34. Face recognition in cleanroom? Really? by Neil+Boekend · · Score: 1

    In all the cleanrooms I have been in face masks have been required. Human breath has a lot of water droplets in it.
    How are you going to get a face recognition off someone in clothes like this?
    The employees are not allowed to take off their face mask for a scan. Suggesting it would get you laughed at and fired at the places where I worked.

    Just use RFID scanners with the access badges they already have or with RFID bracelets like mentioned in other posts. For additional security: have a guard at the door. Once an employee checks in have him verify that it's the right person with a picture on his screen.
    Or facial recognition there. Before the face mask goes on.

    --
    Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  35. Be consistent by danielr7z · · Score: 1

    No matter the kind of authentication used: if it cannot be linked to your applications (e.g. via SSO), it is useless.

    You say you cannot enforce personal login in "shared workstations" (what do you mean by "shared"? I hope you are not sharing user sessions). How would you enforce the use of other methods?

    I guess you first should set a clear security policy, then look for an appropriate technology. Which access (physical, OS, application) do you want to authenticate / log, and how? As other commenters pointed out, which security level must be accomplished at each phase / step / location?

  36. To actually respond to your question... by gruntled · · Score: 1

    Iris recognition is the easiest and most reliable; the reason it's less popular is it was wildly overpriced until the patents on the technology expired a few years ago, but since then a number of players have entered the market and you can actually play with free software that will perform iris recognition via a Webcam, which might be all you need. Retinal scanning feels extremely invasive to users; you generally need people to put their forehead up against a rest and hold still and users typically won't accept it outside of an extremely sensitive environment. In contrast, iris scans can be performed from several feet away, very quickly, and generally work through glasses and contacts. Iris recognition typically also works well with people who have a number of different diseases (like diabetes, which can dramatically affect retinal patterns over a very short timeframe) or conditions that affect the eye, unlike retinal scanning, including most of the common conditions that cause blindness (except cataracts). Fingerprint recognition has gotten a bad rap because in general use people don't want to have any false negatives, so operators tune the environment to be less sensitive, leading to lots of false positives (my fingerprints get read as your fingerprints). But it's true that prints can be affected by things like dehydration and the local environment; they can also be simulated if you're sufficiently motivated, but that's made infinitely more difficult if you combine your biometric with a PIN (though it can't be argued that prints are left lying around everywhere, so it's probably not the best biometric you could choose). In addition, a surprisingly large number of people -- like maybe two percent -- simply do not have usable fingerprints; it's actually a diagnostic criterion for some medical conditions. (I have actually had a couple of jobs that dealt directly with use of biometrics as a form of authentication).

    In general I think the other comments are on the money: Keypad and PIN sounds like the way to go. If you're trying to create something automated, then contactless cards / dongles are the other solution but as others have noted, this isn't bulletproof since without some other factor (something you know or something you are) it's possible for one person to use somebody else's device.

  37. Re:Iris or RFID by Z00L00K · · Score: 1

    Reading the brain waves of a person may be better, harder to fake at least.

    But a smart card with PKI and pin code authentication for every access needed will go a long way. If it's a facility with extreme security measures also add guards at checkpoints and make sure that some accesses require counter-signed authentication.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  38. None. Use a biometric as a username only by popoutman · · Score: 2

    Why do people constantly think to use biometrics as passwords, instead of as usernames? The fuzzy nature of digitising a biometric makes the system fall between two stools - few false negatives at the expense of many false positives or the reverse. In practice this means that you either need to scan a few times to get a good id, or run the risk of scanning as someone else. Given that you cannot change a biometric, why on earth would you use it as a single factor authentication system? It's far far better to scan a biometric then use a PIN as you can change a PIN... If you use a biometric as a single factor, you have not gained anything over the use of e.g. only a PIN, and you must allow for the possibility of false positives (equivalent of entering someone else's PIN).

    --
    - This sig deliberately left blank. Nothing to see, move along.
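
The scheme described in the comment above (the scan only selects which enrolled user this is, and a changeable PIN does the authenticating), sketched as an added example that is not part of the original thread. The feature vectors, distance metric, thresholds, user names and PINs are all constructed assumptions standing in for a real matcher and its enrollment database.

```python
import hashlib
import hmac
import os

def hash_pin(pin, salt):
    # Slow salted hash so a stolen record does not reveal the short PIN cheaply.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(db, user, template, pin):
    salt = os.urandom(16)
    db[user] = {"template": template, "salt": salt,
                "pin": hash_pin(pin, salt), "fails": 0}

def distance(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def identify(db, sample, threshold=0.5, margin=0.2):
    """Biometric as username: pick which enrolled user this is, or None."""
    ranked = sorted((distance(rec["template"], sample), user)
                    for user, rec in db.items())
    if not ranked or ranked[0][0] > threshold:
        return None                      # nobody enrolled is close enough
    if len(ranked) > 1 and ranked[1][0] - ranked[0][0] < margin:
        return None                      # ambiguous match: ask for a rescan
    return ranked[0][1]

def authenticate(db, sample, pin, max_fails=3):
    """The scan only selects the account; the changeable PIN is the secret."""
    user = identify(db, sample)
    if user is None:
        return None
    rec = db[user]
    if rec["fails"] >= max_fails:
        return None                      # locked until an admin resets it
    if hmac.compare_digest(rec["pin"], hash_pin(pin, rec["salt"])):
        rec["fails"] = 0
        return user
    rec["fails"] += 1
    return None

def demo_db():
    # Constructed templates and PINs, for illustration only.
    db = {}
    enroll(db, "alice", [0.10, 0.90, 0.30], "4821")
    enroll(db, "bob", [0.80, 0.20, 0.70], "7310")
    return db

if __name__ == "__main__":
    db = demo_db()
    print(authenticate(db, [0.15, 0.85, 0.30], "4821"))  # scan near alice + her PIN
    print(authenticate(db, [0.15, 0.85, 0.30], "7310"))  # same scan, bob's PIN
```

A false match at the scanner then costs no more than a mistyped username, and re-enrolling a user with a new PIN revokes the old secret without touching the biometric template.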
  39. iris by ddg · · Score: 1

    For your particular scenario iris recognition seems to be the most viable option. Iris is very fast and accurate and will not require removing gloves etc.

    1. Re:iris by ggendel · · Score: 1

      For your particular scenario iris recognition seems to be the most viable option. Iris is very fast and accurate and will not require removing gloves etc.

      Iris scans are much more reliable than fingerprints. However, they don't come without issues. The capture algorithm must include:

      * Dealing with occlusions. Either the top or bottom of the iris is usually occluded depending on racial origins.
      * Dealing with spoofing. For this a single snapshot is not reasonable. A sequence (video) is needed in order to check for pupil pulsations that indicate a live eye. In addition, you need to do spherical eye checks so you know you're not looking at a projection. The best system I worked on used random flashes of IR illumination to cause specularities on the surface of the eye. This also aided eye positioning for finding the eye and doing these checks.
      * Dealing with eye covering. Glasses and shields are a minor problem since they can distort the iris and they can reduce spoofing detection.

  40. Re:3 Levels of Authentication (and then extra laye by MadCow-ard · · Score: 1

    Interesting.... so you would suggest using Voice?