Successful Alternatives To Password Authentication?

DonaldP asks: "Have any of you successfully deployed a key, token, or biometric-based access control for Windows machines to replace (or enhance) the typical login/logout authentication process (even image-recognition schemes would be considered)? I see different stuff out there but short of actually evaluating each one, it's hard to get a good idea of what the scene is like, what is crap and what actually delivers. Does anyone have experience with such systems, or can suggest other suitable solutions?"
"Some existing solutions (smartcards, etc) have their own quirks. Most notably, they trigger a login, or a logout event (plug it in to log in, remove to log out). Frankly, that just takes too long. Access granting needs to be quick and easy, because it will be frequent (and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs). The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy.

A 'Holy Grail' would be something like you see on the point-of-sale terminals in the food industry. Waitrons swipe or wave their card to access the (shared) terminal, quickly punch in or look up what they need, and they're out of there until next time.

The specific technology used (iris scanner, fingerprint scanner, smartcard, keycard, RFID, etc) isn't particularly important. I want to roll out something easier for the floor people to manage than the typical standard username/password authentication method, that provides:

- FAST locking/unlocking the screen (or fast login/logout action).
- Allows multiple 'keys' to be used for one system (many individual users, one computer).
- An event log (or equivalent) to identify which key unlocked/locked the system and when.
- The ability to disable individual keys in the event of loss, theft, etc.


The few products that I have found range from so-so to vapor-seeming. PSL would probably hit all the bases but it looks like vapor. The documentation link isn't there, the FAQ is blank, and the 'Reviews' and 'News' pages are empty. The RF-based one for WirelessDefender seems slick but it doesn't look like the hardware would accommodate multiple users for a single unit."
In addition to recommendations and suggestions, if you've tried biometric authentication and have horror stories of stuff that *didn't* work, feel free to share those too, if you would.
  • by dbialac ( 320955 ) on Friday November 10, 2006 @07:06PM (#16800000)
    If you haven't seen the episode of MythBusters with biometrics, it will scare you to death. Finger biometrics, anyway, are easily defeated and for such reason should be avoided without some other shared mechanism. A better approach is to use something like retina recognition which is harder to fake out, or combine finger scanning with something else such as a code that isn't biometric. But at the end of the day, you also have to ask, "How secure does this need to be?" to help weigh your options.

    As for login times, you're not going to be able to do much about them. It's simply the nature of Windows and most other login/logoff systems.
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Friday November 10, 2006 @07:06PM (#16800002)
    Comment removed based on user account deletion
  • The video (Score:4, Informative)

    by pablodiazgutierrez ( 756813 ) on Friday November 10, 2006 @07:13PM (#16800070) Homepage
    Mythbusters on fingerprint hacking, here thanks to Gootube [youtube.com].
  • Suggestions (Score:5, Informative)

    by TheNetAvenger ( 624455 ) on Friday November 10, 2006 @07:16PM (#16800092)
    and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs

    This is true of WindowsXP, but not Vista. There are tricks to make Fast User Switching work in XP, you might want to check into them, although I wouldn't recommend them and would enforce a user policy that would just force the users to log off. (Make sure the policy is not just on the machines, but an employee manual policy as well, so that users log off when they are done.) You might also put in plans for Vista in any planned upgrades for your systems if this is important to your organization to allow the multi-user access method in a domain environment.

    Stay away from fingerprint biometrics (and variations) for true security, even though they are nice in that the user doesn't have to carry a card or device with them. You can easily circumvent them by lifting a fingerprint of the user from a glass for example and using it to gain access to their login.

    One technology that has a high level of security is tablet or signature sign-on devices. The user signs their name. This is hard to defeat for most of the advanced devices, as they not only do a recognition of the input, but also compute the stroke pressure, speed, etc. So it makes it virtually impossible even for someone that can copy signatures to circumvent, as they don't use the same pressure, speed, angle, etc. as the real person. This is using the cool parts of Ink technology in that it is not just the image created, but all the other stored information making the signature very unique.

    However, for true security go with a Smart Card solution. It does require the users to carry a card or device with them - look at cell phones and other devices that are implementing this technology, that way users don't have to carry a card. There is a reason casinos and gold mines use this technology, and if the user loses the card you can easily disable the card from the central domain and replace it with a new card for the user. These devices are also nice in that many non-computer devices use them, and employees can also use the same card for access to doors, phones, and other types of security and access throughout the building. So if you need other levels of access or security later on in your organization the same device can be used for authentication away from the computer.

    Do some research and start with the main sites on security. They will have plenty of solutions and suggestions for helping with your login and security. Even go to MS's website and look up smart cards and biometrics since you are using Windows workstations.

    Good Luck.
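The question's requirement list (many tokens per shared terminal, an event log naming which key locked or unlocked the system and when, and central revocation of a lost key) and the smart-card advice in the comment above describe one small piece of access-control design. The following is an added example, not code from the thread or from any product it names, that models that design: a central token registry, a challenge-response unlock so a captured swipe cannot be replayed, per-token revocation, and a per-terminal audit log. Token IDs, user names, the terminal name and the card keys are all constructed sample data.

```python
"""Added example (not from the Slashdot thread): token-based screen unlock
for a shared kiosk. Registry = the central (domain) side; Terminal = one
kiosk; card_response() = what the card or reader computes when tapped.
All identifiers and keys below are constructed for the demo."""
import hashlib
import hmac
import secrets
import time


class TokenRegistry:
    """Central store of enrolled tokens. Each token has its own symmetric key;
    revoking a token is a flag here, so no terminal needs to be touched when
    a card is lost: the next tap is simply refused."""

    def __init__(self):
        self._tokens = {}  # token_id -> {"user": str, "key": bytes, "revoked": bool}

    def enroll(self, token_id, user):
        key = secrets.token_bytes(32)  # constructed per-card key, provisioned onto the card
        self._tokens[token_id] = {"user": user, "key": key, "revoked": False}
        return key

    def revoke(self, token_id):
        self._tokens[token_id]["revoked"] = True

    def lookup(self, token_id):
        return self._tokens.get(token_id)


def card_response(card_key, terminal_id, nonce):
    """Card-side computation: bind the card key to this terminal and this nonce."""
    return hmac.new(card_key, terminal_id.encode() + nonce, hashlib.sha256).digest()


class Terminal:
    def __init__(self, terminal_id, registry):
        self.terminal_id = terminal_id
        self.registry = registry
        self.audit = []         # (timestamp, event, terminal, token_id, user)
        self.unlocked_by = None
        self._pending = set()   # outstanding challenge nonces, each usable once

    def _log(self, event, token_id, user, now):
        ts = now if now is not None else time.time()
        self.audit.append((ts, event, self.terminal_id, token_id, user))

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def unlock(self, token_id, nonce, response, now=None):
        rec = self.registry.lookup(token_id)
        user = rec["user"] if rec else None
        fresh = nonce in self._pending
        self._pending.discard(nonce)  # spend the nonce even on failure
        if rec is None or rec["revoked"] or not fresh:
            self._log("UNLOCK_DENIED", token_id, user, now)
            return False
        expected = card_response(rec["key"], self.terminal_id, nonce)
        if not hmac.compare_digest(expected, response):  # constant-time compare
            self._log("UNLOCK_DENIED", token_id, user, now)
            return False
        self.unlocked_by = (token_id, user)
        self._log("UNLOCK", token_id, user, now)
        return True

    def lock(self, now=None):
        if self.unlocked_by is None:
            return False
        token_id, user = self.unlocked_by
        self.unlocked_by = None
        self._log("LOCK", token_id, user, now)
        return True


def demo():
    """Two users share one kiosk; one replay attempt and one lost card."""
    reg = TokenRegistry()
    term = Terminal("WH-KIOSK-07", reg)  # constructed terminal name
    alice_key = reg.enroll("CARD-0001", "alice")
    bob_key = reg.enroll("CARD-0002", "bob")
    # alice taps: fresh challenge, valid response, then locks the screen
    n = term.challenge()
    term.unlock("CARD-0001", n, card_response(alice_key, term.terminal_id, n), now=1)
    term.lock(now=2)
    # the same (captured) response presented again is refused: nonce already spent
    replay_ok = term.unlock("CARD-0001", n, card_response(alice_key, term.terminal_id, n), now=3)
    # bob's card is reported lost: revoked centrally, the terminal refuses it
    reg.revoke("CARD-0002")
    n2 = term.challenge()
    bob_ok = term.unlock("CARD-0002", n2, card_response(bob_key, term.terminal_id, n2), now=4)
    return replay_ok, bob_ok, [e[1] for e in term.audit]


if __name__ == "__main__":
    for entry in Terminal("WH-KIOSK-07", TokenRegistry()).audit:
        print(entry)
    print(demo())
```

The audit tuple records the token ID as well as the user, which is what makes the event log useful after a card is lost: entries from the revoked token can be pulled out even though the same user later carries a replacement card.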
  • SnakeCard (Score:3, Informative)

    by mpapet ( 761907 ) on Friday November 10, 2006 @07:42PM (#16800374) Homepage
    This guy probably has what you are looking for.

    His application runs a little on the secure side, but he's got it integrated nicely into ActiveDirectory.

    He's a programmer more than a marketing guy, so his site's a little rough around the edges. Cards/Application works beautifully for me though.

    http://www.snakecard.com/ [snakecard.com]
  • Re:Remove passwords (Score:3, Informative)

    by gregmac ( 629064 ) on Friday November 10, 2006 @07:50PM (#16800454) Homepage
    > So now you can just walk up to any console, type your login name and get access. We can still log who does what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other anybody can use anybody else's login if they wish. In 6 months I haven't seen anybody do that, because there is no need to.


    You mean, you haven't seen anyone do it because you 1) have the hope/assumption that everyone is honest, and 2) wouldn't be able to see it if they were semi-smart at all.

    What I mean by that, is if the guy getting paid minimum wage out back wants to see what his supervisor makes, he just logs on as someone in accounting or HR (or whoever has access). Since they'd normally need to access accounting data, nothing would look out of the ordinary.

    It's a nice bubble to live in, but people (in general) do not remain honest all the time. Things happen.. People get angry, fed up, etc etc. I don't want to come off sounding like a paranoid nut, but there are so many deeper issues with doing a setup like this. If someone does download sensitive data and say, sells it to your competitors, you wouldn't be able to know who did it - since it's likely that the perpetrator would have just logged on to another account. If someone downloads child porn, and the feds come knocking, you wouldn't be able to help them.

    I think part of what you're going for can be accomplished using passwords.. as long as you treat them the right way. Make it clear that it's not a matter of mistrust or IT trying to be control freaks.. it's simply a matter of accountability. My guess is you're going to run into major (legal?) problems in the future when some kind of incident happens, especially if you don't take due diligence, like having passwords.
  • by Mr. Underbridge ( 666784 ) on Friday November 10, 2006 @08:29PM (#16800800)

    > Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems. ... which is only secure until I insert my USB key to . Sure, it'd be a matter of 1) virus on removable media (1) infects "secure" machine 2) virus infects next removable media (2) with random text from secure machine as payload (along with itself) 3) virus infects next machine it comes across, with botnet instructions allowing it to spam that random text along with advertisements for pr0n or "hot stock tips".

    Oh, believe me, there's pretty good safeguards against things like that. At higher classification levels, "removable media" don't exist. USB keys are banned. For the most part, this is for information compartmentalization, but computer security is an issue too.

  • by Anonymous Coward on Friday November 10, 2006 @09:44PM (#16801540)
    When I last worked in a government job, also in the early 80's, we had magnetic cards that we had to swipe at public dumb terminals before entering in our user id and password. (Yes, this was before everyone had a computer at their desk.) The user id's were easy to guess, as they were something like ADMIN001, ADMIN002, etc.

    The passwords were 12 alphanumeric characters, were system assigned, and were changed monthly. They were more than a tad difficult to remember, even for those with doctorates with reasonably decent memories. The passwords used mostly the uncommon letters, and in odd patterns. The guy in charge of IT was happy with the security. Who could guess a password of "qz18t97p0f8b"? (He reasoned.)

    I tried to get the guy to use less secure passwords, something that people could remember without having to have it on a piece of paper to carry around, as those papers were left, at times, at a terminal. He said, no, that was what was needed. I told him in my division, and probably others, employees left on their desks, or in an unlocked top center desk drawer, the swipe cards with the "secure" passwords written on them. He said he'd consider we needed the security, period.

    About 2 months later, I logged on as my boss and told the IT guy to call my boss, because I(my boss) was considering firing him for his inability to keep the system secure.

    The next day, after speaking with my boss (who was none too happy that someone had been able to send an email as him), we got to make up our own 12 character passwords. This kept the night cleaning crew from being able to look up and/or change data on thousands of people. Sometimes people just don't think through all the implications of security, and don't want to know where it's broken.
  • Sun-Ray (Score:2, Informative)

    by 0xG ( 712423 ) on Friday November 10, 2006 @10:07PM (#16801708)
    I would hate to be the first one to say "try *nix" instead of Microsnot, but... I have seen Sun-Ray employed in a retail environment using ID cards, and was very impressed. The staff walk up to any terminal, insert the smart card, and instantly have their (previously disconnected, but still live) session re-established. As soon as they removed their cards, the session was disconnected pending resumption at any other terminal. No login, no restarting applications, etc. It was beautiful. On the downside, it does take bandwidth, and you may need to use a Sun server, which your app may not support. OTOH they may now support Terminal Services. Start here; HTH: http://www.sun.com/software/index.jsp?cat=Desktop&tab=3&subcat=Sun%20Ray%20Clients [sun.com]
  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Friday November 10, 2006 @11:38PM (#16802304)
    Comment removed based on user account deletion
