Slashdot Mirror


Ask Slashdot: Best Biometric Authentication System?

kwelch007 writes I run a network for a company that does manufacturing primarily in a clean-room. We have many systems in place that track countless aspects of every step. However, we do not have systems in place to identify the specific user performing the step. I could do this easily, but asking users to input their AD login every time they perform a task is a time-waster (we have "shared" workstations throughout.) My question is, what technologies are people actually using successfully for rapid authentication? I've thought about fingerprint scanners, but they don't work because in the CR we have to wear gloves. So, I'm thinking either face-recognition or retinal scans...but am open to other ideas if they are commercially viable.

22 of 127 comments

  1. RFID/card scanner by Anonymous Coward · · Score: 5, Insightful

    Don't you all already have badges or dongles or something along those lines?

    1. Re:RFID/card scanner by Albanach · · Score: 5, Interesting

      An AC first post hits the nail on the head. I'd have thought RFID would be faster, less intrusive and possibly more reliable. Pretty sure it would be cheaper to implement too.

      Unless you're worried about people using someone else's card to authenticate, this seems like the smart solution. Still, I can't believe you haven't thought about this, so maybe there's some reason you feel RFID wouldn't be suitable.

    2. Re:RFID/card scanner by hawguy · · Score: 3, Insightful

      > Don't you all already have badges or dongles or something along those lines?

      Hard to get any faster and more convenient than this -- if they don't want to make employees scan their badges, put an RFID reader in the chair and keep the badge in the back pocket and it's automatic and instant every time they sit down at a workstation.

      Unless they have a specific need for biometrics, there's no point in using it.

    3. Re:RFID/card scanner by Kohath · · Score: 2

      If you really need security for some reason, use it to match the person to the badge at the clean room entrance. That will keep someone from using a stolen badge.

    4. Re:RFID/card scanner by TubeSteak · · Score: 2

      RFID bracelets are fairly cheap.
      If a little thought is put into the readers' placement, authentication should require minimal/no interruption of the workflow.

      --
      [Fuck Beta]
      o0t!

    5. Re:RFID/card scanner by mlts · · Score: 2

      Biometrics might be useful for a lock inside an already secure company, but there are so many existing solutions which work well with AD that cobbling up something can be pointless:

      1: Why not just use regular AD authentication at the core, move the 2FA to the edges? I've seen this done using either Cisco software for VPNs, Citrix, or other means. This way, to authenticate from machine to machine (especially if UNIX machines use AD and there isn't a way to add anything), it doesn't take that much. Plus, this saves cash by limiting the need for devices to users who need access from the edge.

      2: If 2FA is needed, then why not use CAC/PIV-like cards? Since the US government uses them everywhere, the software for them is available.

      3: If 2FA is needed on the cheap, there might be a way to use the Google Authenticator (part of OAuth as above). I have that in place on ESXi machines and other items. However, this means that one has to have a device showing the numbers with them at all times. I also use OAuth and Google's app for Linux VMs that are Internet facing as a backup if I don't have the local machine's SSH key in the remote VM's authorized keys file.

      Personally, I'd just use 2FA on the edges or on the machines which need that security. Fewer hassles, and cheaper.

    6. Re:RFID/card scanner by davester666 · · Score: 5, Funny

      cattle tag on the ear should also work well. readily available and not that expensive. software already available for tracking movement and what milking station they are in. what more do you need?

      --
      Sleep your way to a whiter smile...date a dentist!

    7. Re:RFID/card scanner by mlts · · Score: 2

      If I were deploying an infrastructure, I'd go with a basic layered approach. The sensitive stuff either gets put behind RDP or Citrix (with 2FA to log onto those servers), the edge VPNs definitely get 2FA, and average machines get "plain old" AD logins with passwords changed on a normal schedule like every 30-60 days [1].

      Of course, network topology, and devices play a large part in this. This way, a guy in receiving who gets malware on his machine will not affect the computers in finance or development. Endpoint management also helps, but one doesn't know if an attack is going to go through a compromised Web browser, physical access, a disgruntled employee, or a backdoor in the main firewalling routers that allows an attacker full access from the Internet.

      Wise use of 2FA does help, but as with all security products, it isn't a magic bullet.

      [1]: Only real difference I'd have is that all user accounts would have expiration dates in AD going 6-12 months out, and that an audit every month or so would pop up ones about to expire so the accounts can be either re-validated or left to expire until explicitly needed again. This way, an admin that left quietly where people forgot about won't always have access, as it will end up getting pulled automatically.

    8. Re:RFID/card scanner by Jane+Q.+Public · · Score: 2

      > An AC first post hits the nail on the head.

      And the AC first post -- and the first responder to the post -- appear to have been hit on the head by a very heavy nail.

      RFID, chips, cards, etc. have the SAME "problem" as IP addresses: they don't identify the PERSON, they just identify the identification. If someone else is holding the identification, all bets are off.

      Entire movies have been made about this. I mean, come on.

  2. None by Anonymous Coward · · Score: 4, Informative

    I work in a class 10 clean room with shared workstations as well. Manual log-in to every workstation is the norm. Biometrics are not only infeasible in such a cleanroom environment, they are more trouble than they are worth, and also not likely to be as secure as you hope (or as reliable).

  3. Re:A probing question by daremonai · · Score: 5, Funny

    I don't know if incontinence here was a Freudian slip or not, but it sure was an accurate one.

  4. Cameras by randall77 · · Score: 5, Interesting

    Just buy a point-of-sale camera system that department stores use. They keep weeks of video from dozens of cameras available for review. Requires 0 overhead in the common case when no audit is required. It is really easy to find out who did what given a time and camera ID. Use humans for your facial recognition, they're actually really good at it.

  5. Kinect by uberbrainchild8437 · · Score: 2

    A Kinect sensor could be hooked up to a computer and do a decent job of telling one user from another. You don't need a large open space if you simply want to identify who is working where.

    --
    http://Anveto.com - Web Design, SEO, Marketing, Analytics & Security

  6. too complicated by roc97007 · · Score: 3, Insightful

    > So, I'm thinking either face-recognition or retinal scans...

    Waayyyy too complicated and expensive and Charlie's Angels-ish. If all you're trying to do is identify which user performed which step, RFID is your friend. Have an RFID sensor integrated into the workstation, and require the user to "sign" their work with their badge before they can commit.

    Look at people going to work every day using RFID badges. If you want something faster than logging in with A/D credentials (which would have been my first suggestion), swiping a badge is pretty much as fast as you're going to find.

    Now, if people using each other's credentials is a concern, or security in general, then you're looking at using A/D credentials plus a badge ("something you know, and something you have"). I personally wouldn't go with biometrics until they've gotten cheaper and more foolproof. Maybe never.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.

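
The badge "sign-off" gate that roc97007 and the RFID replies describe, written out as an added example; this is not code from the thread or from any product mentioned in it. It assumes a reader that hands the workstation a badge UID, a constructed badge directory standing in for the AD or access-control lookup, and a short validity window so that one scan signs exactly one step rather than leaving a session open on a shared workstation. Unknown or disabled badges are logged and rejected.

```python
"""Added example (not from the Slashdot thread): a badge sign-off gate for a
shared clean-room workstation. A step can only be committed when a known,
active badge was scanned moments ago, and the commit is recorded with the
user the badge maps to. Badge UIDs, accounts and the directory are constructed."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed badge directory: badge UID -> (AD account, active?).
# A real deployment would query AD or the access-control system instead.
BADGE_DIRECTORY = {
    "04A1B2C3": ("jsmith", True),
    "04D4E5F6": ("mlee", True),
    "04778899": ("former_emp", False),   # badge never returned, so disabled
}

SIGN_WINDOW = timedelta(seconds=30)   # how long a badge scan stays usable


@dataclass
class Workstation:
    station_id: str
    last_scan: Optional[Tuple[str, datetime]] = None   # (user, when scanned)
    audit_log: list = field(default_factory=list)

    def scan_badge(self, uid: str, now: datetime) -> bool:
        """Called by the reader. Returns True if the badge is known and active."""
        entry = BADGE_DIRECTORY.get(uid)
        if entry is None or not entry[1]:
            # Unknown or disabled badge: clear any earlier scan and log the event.
            self.last_scan = None
            self.audit_log.append({"station": self.station_id, "event": "badge_rejected",
                                   "badge": uid, "at": now.isoformat()})
            return False
        self.last_scan = (entry[0], now)
        return True

    def commit_step(self, step: str, now: datetime) -> Optional[dict]:
        """Commit a process step; requires a fresh, valid badge scan."""
        if self.last_scan is None:
            return None
        user, when = self.last_scan
        if now < when or now - when > SIGN_WINDOW:
            # Stale scan (or clock went backwards): force a re-scan.
            self.last_scan = None
            return None
        record = {"station": self.station_id, "event": "step_committed",
                  "step": step, "user": user, "at": now.isoformat()}
        self.audit_log.append(record)
        self.last_scan = None   # one scan signs one step; nothing lingers
        return record


def demo():
    """Walk through the cases; returns the commit results and the audit log."""
    t0 = datetime(2014, 3, 1, 9, 0, tzinfo=timezone.utc)
    ws = Workstation("CR-03")
    results = []
    results.append(ws.commit_step("etch-A", t0))                         # None: no scan yet
    ws.scan_badge("04A1B2C3", t0)
    results.append(ws.commit_step("etch-A", t0 + timedelta(seconds=5)))  # signed by jsmith
    results.append(ws.commit_step("etch-B", t0 + timedelta(seconds=6)))  # None: scan consumed
    ws.scan_badge("04D4E5F6", t0 + timedelta(minutes=1))
    results.append(ws.commit_step("etch-B", t0 + timedelta(minutes=2)))  # None: scan is stale
    results.append(ws.scan_badge("04778899", t0 + timedelta(minutes=3))) # False: disabled badge
    return results, ws.audit_log


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

Consuming the scan on commit is the design choice that matters on a shared workstation: with hawguy's reader-in-the-chair variant the same gate works, but the scan then has to be refreshed by presence rather than by a deliberate tap, which is exactly the "someone else is holding the identification" case Jane Q. Public raises.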
  7. None! by Vlijmen+Fileer · · Score: 5, Insightful

    Can this discussion about the supposed virtues of biometric identification / authentication please die?
    Biometric properties are like usernames. Not like passwords. They don't "authenticate" anybody; your fingerprints e.g. can be found all over the world, right in the open.
    And on top of that they are BAD usernames, because they can not be changed. Once your biometric identity has been compromised, you have to give up the whole identification / authentication /system/, because the property can not be changed!

  8. Re:Hand vein scanner by stoploss · · Score: 2

    > I saw some video about a hand scanner that uses your vein mapping. This is good because you don't need to touch it, and it'd be hard to replicate.

    > But does it work through gloves?

    Yes. You simply place your hand in the 3T MRI cavity, wait 45 minutes for the scan to complete, and voila, instant authentication!

  9. Biometric authentication is flawed by manu0601 · · Score: 3, Insightful

    Biometric authentication is flawed, because your credentials are not secret, and they cannot be revoked. If an attacker manages to clone, for instance, your fingertip, you cannot change it; you need to change the authentication system.

    Biometrics may be reasonably used as a second factor, for instance for unlocking a smart card.

  10. WTF by Anonymous Coward · · Score: 5, Insightful

    Typical engineer, overcomplicating the shit out of a simple problem. Give each guy a 4-digit PIN and have them hammer it in to the workstation to gain access.

  11. Best biometric? A doorman with good memory. by Culture20 · · Score: 2

    Welcome back Mr. Soandso. Nice weather tonight isn't it?

  12. Who wants this? You? by vinn · · Score: 4, Interesting

    Having spent a lot of time around such things, I have to ask, whose project is this? Who wants this? Just you?

    If your boss or the CEO is asking for this - great. Go do it. That's your job. (The RFID comments seem in the right ballpark.)

    If you or a mid-level manager are taking this on as a pet project, then you need to do some soul searching. This doesn't seem to have much immediate benefit to the bottom line of the company. This doesn't drive revenue creation and it doesn't drive product development. Almost every time I hear someone say, "We need to track X", I rarely ever hear someone else say, "Get me the statistics on X". Tracking shit is easy, crunching the numbers to calculate metrics isn't. If this is simply compliance tracking, listen to the guy who says to install cameras and then dump it to a crapload of drives. If there's an audit, hand over the video and let the auditors sort it out.

    There is a whole lot of not-your-job in here and very little hero making to be done.

    --
    ----- obSig

  13. vein scan is THE biometric by markdavis · · Score: 3, Interesting

    Deep vein scan (typically of the palm) is the only biometric that I would find acceptable from a privacy standpoint. It can't be "stolen" or "lifted", it is not visible from a reasonable distance, it can't be easily scanned without the user's consent. It requires being "alive". It is reliable and simple to acquire. I have used it and seen it in action... very impressive.

    Fingerprints are horribly abused and left everywhere and can't be read through gloves. Easily copied and fooled.

    DNA is extremely expensive, extremely slow, has severe privacy implications, and is left everywhere.

    Facial recognition is not extremely accurate, is often slow, and is the WORST biometric from a privacy standpoint.

    Retina scan is complex and probably the most expensive besides DNA.

    Finger spread biometric is inaccurate and insecure (can be obtained from a distance via

  14. None. Use a biometric as a username only by popoutman · · Score: 2

    Why do people constantly think to use biometrics as passwords, instead of as usernames? The fuzzy nature of digitising a biometric makes the system fall between two stools - few false negatives at the expense of many false positives, or the reverse. In practice this means that you either need to scan a few times to get a good ID, or run the risk of scanning as someone else. Given that you cannot change a biometric, why on earth would you use it as a single-factor authentication system? It's far far better to scan a biometric and then use a PIN, as you can change a PIN... If you use a biometric as a single factor, you have not gained anything over the use of e.g. only a PIN, and you must allow for the possibility of false positives (equivalent of entering someone else's PIN).

    --
    - This sig deliberately left blank. Nothing to see, move along.
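
The threshold trade-off popoutman describes, and the "biometric as username, PIN as the changeable secret" pattern that Vlijmen Fileer and manu0601 also argue for, carried through as an added example; this code is not from the thread or from any product it mentions. The match scores are constructed: a genuine list (probe and template from the same person) and an impostor list (different people), scaled to 0..1. `rates_at` computes the false accept rate (FAR) and false reject rate (FRR) at a threshold, `equal_error_threshold` finds where the two cross, and `authenticate` shows a false accept at the biometric stage being stopped by a PIN that the impostor does not know. Account names and PINs are placeholders.

```python
"""Added example (not from the Slashdot thread): FAR/FRR versus threshold on
constructed match scores, plus a biometric-as-username, PIN-as-secret login."""

import hashlib
import hmac
import os

# Constructed similarity scores in [0, 1]; higher = probe looks more like the
# enrolled template. GENUINE: same person. IMPOSTOR: a different person.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.65, 0.61, 0.55]
IMPOSTOR = [0.58, 0.52, 0.49, 0.47, 0.44, 0.41, 0.38, 0.33, 0.29, 0.22]


def rates_at(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) at one decision threshold: raising it trades false accepts
    for false rejects, lowering it does the reverse."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold at which FAR and FRR are closest (the usual one-number summary)."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        far, frr = rates_at(t, genuine, impostor)
        return abs(far - frr)

    return min(candidates, key=gap)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt; a 4-digit PIN has a tiny keyspace, so the
    # online attempt limit matters more than the hash, but never store it raw.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(pin: str):
    salt = os.urandom(16)
    return salt, hash_pin(pin, salt)


# Constructed enrolment records: account -> (salt, pin_hash). The PIN is the
# factor that can be changed when something leaks; the biometric cannot be.
USERS = {"jsmith": enroll("4821"), "mlee": enroll("7730")}


def identify(candidate_scores: dict, threshold: float):
    """1:N lookup: best-scoring enrolled user at or above threshold, else None.
    This is the 'username' step; on its own it is only as good as the FAR."""
    best = max(candidate_scores, key=candidate_scores.get)
    return best if candidate_scores[best] >= threshold else None


def authenticate(candidate_scores: dict, pin: str, threshold: float):
    """Biometric picks the account, the PIN proves it. Returns the account or None."""
    user = identify(candidate_scores, threshold)
    if user is None:
        return None
    salt, stored = USERS[user]
    if not hmac.compare_digest(hash_pin(pin, salt), stored):
        return None   # a false accept at the biometric stage stops here
    return user


if __name__ == "__main__":
    for t in (0.50, 0.58, 0.60):
        print(t, rates_at(t))
    print("EER threshold:", equal_error_threshold())
    # An impostor whose scan happens to match jsmith's template above threshold
    # still fails without jsmith's PIN.
    print(authenticate({"jsmith": 0.62, "mlee": 0.40}, "7730", 0.58))
```

On these constructed lists a threshold of 0.60 gives no false accepts but rejects one genuine user in ten, 0.50 rejects nobody but accepts two impostors in ten, and the two rates meet at 0.58. Whichever way the threshold is set, the residual false accepts are what the PIN step is for, and since the PIN is the only part that can be rotated, it is the part worth protecting with an attempt limit.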