
Successful Alternatives To Password Authentication? (188 comments)

DonaldP asks: "Have any of you successfully deployed a key, token, or biometric-based access control for Windows machines to replace (or enhance) the typical login/logout authentication process (even image-recognition schemes would be considered)? I see different stuff out there but short of actually evaluating each one, it's hard to get a good idea of what the scene is like, what is crap and what actually delivers. Does anyone have experience with such systems, or can suggest other suitable solutions?"
"Some existing solutions (smartcards, etc) have their own quirks. Most notably, they trigger a login, or a logout event (plug it in to log in, remove to log out). Frankly, that just takes too long. Access granting needs to be quick and easy, because it will be frequent (and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs). The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy.

A 'Holy Grail' would be something like you see on the point-of-sale terminals in the food industry. Waitrons swipe or wave their card to access the (shared) terminal, quickly punch in or look up what they need, and they're out of there until next time.

The specific technology used (iris scanner, fingerprint scanner, smartcard, keycard, RFID, etc) isn't particularly important. I want to roll out something easier for the floor people to manage than the typical standard username/password authentication method, that provides:

- Fast locking/unlocking of the screen (or fast login/logout action).
- Allows multiple 'keys' to be used for one system (many individual users, one computer).
- An event log (or equivalent) to identify which key unlocked/locked the system and when.
- The ability to disable individual keys in the event of loss, theft, etc.

The few products that I have found range from so-so to vapor-seeming. PSL would probably hit all the bases but it looks like vapor. The documentation link isn't there, the FAQ is blank, and the 'Reviews' and 'News' pages are empty. The RF-based one for WirelessDefender seems slick but it doesn't look like the hardware would accommodate multiple users for a single unit."
In addition to recommendations and suggestions, if you've tried biometric authentication and have horror stories of stuff that *didn't* work, feel free to share those too, if you would.
  • Smart Card + RSA key (Score:2, Interesting)

    by Average_Joe_Sixpack (534373) on Friday November 10, 2006 @06:59PM (#16799926)
    Still anyone with physical access to the system can pull the HDD and have at it later.
  • Smart cards (Score:2, Interesting)

    by mammoth_2k (859792) on Friday November 10, 2006 @07:01PM (#16799958)
    I recently looked at this one smart card technology that has an integrated thumb-print reader on the card! It is called the "Super Smart Card", well sure, why not? http://e-smart.com/products_ssc.html [e-smart.com]
  • by eric76 (679787) on Friday November 10, 2006 @07:04PM (#16799978)
    In the early 1980's, I worked for an engineering company that tried an alternative.

    After you entered your username, the logon program would look up your employee payroll records and ask you a random question from them. If you answered correctly, you would get logged on.

    Sometimes it was easy. For example, it might ask your street address. You'd have to answer exactly as in the record, but that wasn't too difficult.

    Often, the only way you could log in was to have a copy of your employee payroll records in front of you. For example, do you know to the penny how much withholding has been deducted from your pay this year? Or how much your total take home was last year?

    The experiment didn't last too long before it went back to username / password.
  • Fingerprint login (Score:5, Interesting)

    by cdrguru (88047) on Friday November 10, 2006 @07:13PM (#16800068) Homepage
    The problem with fingerprint readers is there has been a lot of junk put out there. Anything that uses an optical sensor is a joke. Most of the capacitive ones are useless as well.

    We recently deployed an application using an RF-based fingerprint reader. It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.

    The software is very simple and very fast. You can either use their database (encrypted) or your own for storing templates.

    We decided that this was the only way to avoid compromising existing user/password security for systems already in place. If we had even the possibility of the same passwords being used, our system would have to be provably at least as secure as whatever they were currently using. A very difficult and wide-open standard to be measured against. Therefore, no passwords at all.
  • SunRay Thin Clients (Score:3, Interesting)

    by thanasakis (225405) on Friday November 10, 2006 @07:31PM (#16800278)
    Although the article specifically states that this is a Windows solution, I think it's worth noting that sunray [sun.com] works exactly like this. You put in the smartcard, your previous desktop session is instantly restored, you do what you want to do, you pull out the card. Your desktop session is preserved and is terminal independent.

    As for the lack of Windows applications, it is actually possible [sun.com] to do it even on sunrays, although admittedly it is not particularly suitable for the small scale that the article submitter implies.

    Anyway, you might take a look at those two links, and if you must absolutely use PCs (sunrays are more suitable for the job the article is outlining), take a look at citrix also [citrix.com]. I don't know whether they do smartcards though.

  • Passwords (Score:2, Interesting)

    by ghuntington (1016215) on Saturday November 11, 2006 @01:10AM (#16802814)
    I've deployed many different types of authentication. Before you get too involved selecting technology, here is what you need to do:
    1. Do a risk analysis: Categorize your risk to high, medium and low using business risk, security risk and information risk
    2. In an enterprise setting, you then need to deploy some type of single sign on package. In the package you then need to create a set of authentication strengths. Things like passwords and proximity badges are for low risk applications (the reason being they are easily bypassed, thwarted, obtained through fraudulent means etc). For medium risk you should then use something like a uid/password coupled with a digital certificate or SecurID token. For high risk, you should use something like a biometric plus a digital cert plus a uid/password.
    3. Even with these methods, your enterprise security can be broken. Therefore, in order to protect your enterprise crown jewels, you should also deploy something called transaction authentication. Even if you log on using the strong authentication successfully, the authentication transaction software checks the hardware configuration of your computer, the IP address, your geolocation, time of day and historical user profile to validate that you are who you are purporting to be.

    In your warehouse, a proximity badge will perform best. Users just have to be in close proximity to the reader. HOWEVER, be warned that this is not a secure level of authentication since the badge can be carried by someone other than the person you issued it to. Therefore, for those applications in the warehouse that are higher risk, you should try and segregate them to stronger authentication.

    Another choice in a warehouse scenario is to use voice authentication. This can be relatively cheaply deployed. It has some good performance specs relative to biometric authentication.

    On my website, www.authenticationworld.com, I have referenced the performance of different biometrics.

    Be warned however that the use of biometrics has drawbacks:
    1. Some of them can be fudged depending on the technology you purchase
    2. There are a lot of false positives with some of the biometrics
    3. They can be expensive to deploy.

    I have lots of resources on different authentication mechanisms on my website as well as a blog on authentication.

  • by AYeomans (322504) <ajv&yeomans,org,uk> on Saturday November 11, 2006 @08:33AM (#16804432)
    Get people to use their own credit cards in a swipe reader (or smartcard reader for those not in USA!). All the system needs is a unique number, it doesn't need to process that number. (Details - store an irreversible crypto hash of the card data.)

    Don't know many people who would respond to "Hey Joe, I need your credit card?"
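    The submitter's four requirements (fast lock/unlock, many keys per machine, an event log of who locked or unlocked when, and per-key revocation) and AYeomans' idea of keying access on an irreversible hash of swiped card data can be sketched together. The following is an added example, not code from any poster or product named in the thread; it assumes a constructed server-side key and uses a keyed hash (HMAC-SHA256) rather than a bare hash, since a bare hash of a short card number is cheap to brute-force from a leaked table.

```python
import hashlib
import hmac
import time

# Constructed demo key: a real deployment keeps this in protected config or an HSM, never in source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def token_id(card_data: bytes) -> str:
    """Opaque identifier for swiped card data via HMAC-SHA256; without SERVER_KEY a leaked
    table of identifiers cannot be reversed to card numbers by enumeration."""
    return hmac.new(SERVER_KEY, card_data, hashlib.sha256).hexdigest()


class KioskAuth:
    """Shared-terminal lock state: many enrolled keys, one machine, an audit log."""

    def __init__(self):
        self.keys = {}           # token_id -> {"user": name, "enabled": bool}
        self.log = []            # (unix_time, event, user, token_id prefix); never raw card data
        self.unlocked_by = None  # token_id currently holding the unlocked terminal, if any

    def _record(self, event, user, tid, now):
        self.log.append((now, event, user, tid[:8]))

    def enroll(self, user: str, card_data: bytes) -> None:
        self.keys[token_id(card_data)] = {"user": user, "enabled": True}

    def revoke(self, user: str, now=None) -> int:
        """Disable every key issued to `user` (lost/stolen card) and lock the terminal if that
        user currently holds it. Returns the number of keys disabled."""
        now = time.time() if now is None else now
        hits = [tid for tid, r in self.keys.items() if r["user"] == user and r["enabled"]]
        for tid in hits:
            self.keys[tid]["enabled"] = False
            if self.unlocked_by == tid:
                self.unlocked_by = None
                self._record("LOCK", user, tid, now)
        return len(hits)

    def swipe(self, card_data: bytes, now=None) -> bool:
        """One swipe toggles: unlock when locked, lock when the holder swipes again, and hand
        the terminal over when a different enabled key swipes. Returns True if accepted."""
        now = time.time() if now is None else now
        tid = token_id(card_data)
        rec = self.keys.get(tid)
        if rec is None or not rec["enabled"]:
            self._record("DENIED", rec["user"] if rec else None, tid, now)
            return False
        if self.unlocked_by == tid:
            self.unlocked_by = None
            self._record("LOCK", rec["user"], tid, now)
            return True
        if self.unlocked_by is not None:  # another user still holds it: log a handover
            self._record("LOCK", self.keys[self.unlocked_by]["user"], self.unlocked_by, now)
        self.unlocked_by = tid
        self._record("UNLOCK", rec["user"], tid, now)
        return True
```

    The log stores only a truncated keyed identifier beside the user name, so an exported audit trail reveals who used the terminal without carrying anything reversible to card data.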
