Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×

Successful Alternatives To Password Authentication? 188

Posted by Cliff from the seeking-different-ways-to-login dept.
DonaldP asks: "Have any of you successfully deployed a key, token, or biometric-based access control for Windows machines to replace (or enhance) the typical login/logout authentication process (even image-recognition schemes would be considered)? I see different stuff out there but short of actually evaluating each one, it's hard to get a good idea of what the scene is like, what is crap and what actually delivers. Does anyone have experience with such systems, or can suggest other suitable solutions?"
"Some existing solutions (smartcards, etc) have their own quirks. Most notably, they trigger a login, or a logout event (plug it in to log in, remove to log out). Frankly, that just takes too long. Access granting needs to be quick and easy, because it will be frequent (and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs). The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy.

A 'Holy Grail' would be something like you see on the point-of-sale terminals in the food industry. Waitrons swipe or wave their card to access the (shared) terminal, quickly punch in or look up what they need, and they're out of there until next time.

The specific technology used (iris scanner, fingerprint scanner, smartcard, keycard, RFID, etc) isn't particularly important. I want to roll out something easier for the floor people to manage than the typical standard username/password authentication method, that provides:

- FAST locking/unlocking the screen (or fast login/logout action).
- Allows multiple 'keys' to be used for one system (many individual users, one computer).
- An event log (or equivalent) to identify which key unlocked/locked the system and when.
- the ability to disable individual keys in the event of loss, theft, etc.


The few products that I have found range from so-so to vapor-seeming. PSL would probably hit all the bases but it looks like vapor. The documentation link isn't there, the FAQ is blank, and the 'Reviews' and 'News' pages are empty. The RF-based one for WirelessDefender seems slick but it doesn't look like the hardware would accommodate multiple users for a single unit."
In addition to recommendations and suggestions, if you've tried biometric authentication and have horror stories of stuff that *didn't* work, feel free to share those too, if you would."
This discussion has been archived. No new comments can be posted.

Successful Alternatives To Password Authentication? More

Successful Alternatives To Password Authentication?

Comments Filter:

  • Yup. (Score:4, Funny)

    by Indy Media Watch ( 823624 ) on Friday November 10, 2006 @06:56PM (#16799896) Homepage
    Biometric Bacon Authentication [slashdot.org].
  • Still anyone with physical access to the system can pull the HDD and have at it later.
  • Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems.
    • The thought terrified me of being locked in a room with a PC without internet. It reminds me too much of 15 years ago *shudder*.
      • You can also be locked in a room with a Windows machine with Hummingbird Exceed installed on it. It is on the same non-world-routed network as a multi-hosted Unix box. Then you run your Web apps on the Unix box. The non-routed network can be very locked down.

        There are non-commercial solutions where you don't have to buy Exceed, too. I find them somewhat kludgey. YMMV.
      • Hey, 15 years ago I got a lot more work done without the damned internet getting in the way!
    • Is a Windows computer without network access in a locked room

      Nonsense. A computer with a different OS in the same room would be more secure.

      • Re: (Score:2, Insightful)

        by Bing Tsher E ( 943915 )
        True. A machine with MS-DOS on it, for instance. doesn't even have the 'hooks' to be networked, without extra binaries being added. And since it's very simple, it's easy to know that there aren't any rogue processes running in the background. Just keep a logic analyzer connected to it's buss and keep an eye on what's going on.

        My TRS-80 Model 100 is even MORE secure, as the EPROM or non-volatile memory would have to be hacked for rogue software to be running on it. Or something bad with BASIC.

        And my SYM-

        • Re: (Score:3, Funny)

          by BorgCopyeditor ( 590345 )
          I think my Wellington Bear calculator is even more secure, at least, before it was hybridized with my Trapper Keeper.

      • Re:The most secured system... (Score:4, Funny)

        by LiquidCoooled ( 634315 ) on Friday November 10, 2006 @07:33PM (#16800288) Homepage Journal
        if a computer crashes in a locked room and nobody is around to see it fail, does it have a blue screen.

    • Re: (Score:2)

      by Ant P. ( 974313 )
      I heard the NSA created this little thing called "SELinux".

    • Re: (Score:2)

      by jotok ( 728554 )
      Pfft, my roommate has one of those since he can't get his Linksys appliance to work and won't let me in to troubleshoot it!

  • Smart cards (Score:2, Interesting)

    by mammoth_2k ( 859792 )
    I recently looked at this one smart card technology that has an integrated thumb-print reader on the card! It is called the "Super Smart Card", well sure, why not? http://e-smart.com/products_ssc.html [e-smart.com]

  • This one didn't work so well (Score:4, Interesting)

    by eric76 ( 679787 ) on Friday November 10, 2006 @07:04PM (#16799978)
    In the early 1980's, I worked for an eingineering company that tried an alternative.

    After you entered your username, the logon program would look up your employee payroll records and ask you a random question from them. If you answered correctly, you would get logged on.

    Sometimes it was easy. For example, it might ask your street address. You'd have to answer exactly as in the record, but that wasn't too difficult.

    Often, the only way you could log in was to have a copy of your employee payroll records in front of you. For example, do you know to the penny how much withholding has been deducted from your pay this year? Or how much your total take home was last year?

    The experiment didn't last too long before it went back to username / password.
    • We had a system at one point that if you couldn't remember your password it would ask you several security questions.

      The problem? I was asked when I met my spouse. This is an interesting question since I'm unmarried. o_O

      • That reminds me of this stupid system our IS department set up. It required you to enter answers to five or six challenge questions (in case you forgot your password), but the answers had to be at least five characters. Of course, this kind of sucks when your mother's maiden name is four and your favorite color are both four-letter words.

        • Re: (Score:2, Funny)

          by stuff and such ( 980278 )
          The best automated form I have ever had to fill out went:
          Q: where were you born
          A: ohio
          error, must be 5 characters
          So I'm probably the only person born in multiple states at the same time, "ohios"
          • The best automated form I have ever had to fill out went:
            Q: where were you born
            A: ohio
            error, must be 5 characters
            So I'm probably the only person born in multiple states at the same time, "ohios"

            You're probably the only person who puts in overly broad information too. If it asked "In which state were you born?" then your complaint is legitimate. I guess you didn't consider that "Earth" would have satisfied the 5 character requirement.
             

    • Re: (Score:2, Informative)

      by Anonymous Coward
      When I last worked in a government job, also in the early 80's, we had magnetic cards that we had to swipe at public dumb terminals before entering in our user id and password. (Yes, this was before everyone had a computer at their desk.) The user id's were easy to guess, as they were something like ADMIN001, ADMIN002, etc.

      The passwords were 12 alphanumeric characters, were system assigned, and were changed monthly. They were more than a tad difficult to remember, even for those with doctorates with rea

  • Biometrics & problems (Score:3, Informative)

    by dbialac ( 320955 ) on Friday November 10, 2006 @07:06PM (#16800000)
    If you haven't seen the episode of MythBusters with biometrics, it will scare you to death. Finger biometrics, anyway, are easily defeated and for such reason should be avoided without some other shared mechanism. A better approach is to use something like retna recognition which is harder to fake out, or combine finger scanning with something else such as a code that isn't biometric. But at the end of the day, you also have to ask, "How secure does this need to be?" to help weigh your options.

    As for login times, you're not going to be able to do much about them. It's simply the nature of Windows and most other login/logoff systems.

    • The video (Score:4, Informative)

      by pablodiazgutierrez ( 756813 ) on Friday November 10, 2006 @07:13PM (#16800070) Homepage
      Mythbusters on fingerprint hacking, here thanks to Gootube [youtube.com].
    • As for login times, you're not going to be able to do much about them. It's simply the nature of Windows and most other login/logoff systems.

      Windows2K, XP, Vista (And even all the older variations of NT) have time restricted and control login and usage policies. This is something that an administrator can easily set in the domain or authenication server or even a local machine policy. This is something that is very easy to set, even on a home computer for Kids let alone a domain where you can flip a switch
      • Windows2K, XP, Vista (And even all the older variations of NT) have time restricted and control login and usage policies. This is something that an administrator can easily set in the domain or authenication server or even a local machine policy. This is something that is very easy to set, even on a home computer for Kids let alone a domain where you can flip a switch all the systems obey.

        That's not the issue at hand here -- the original poster was referring to the amount of time it takes to log on with

  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Friday November 10, 2006 @07:06PM (#16800002)
    Comment removed based on user account deletion

  • Honor System (Score:2, Funny)

    by Anonymous Coward
    In order to reduce costs, we put a question like "Are you authorized to view this very confidential information?". In order to curb abuse we also have a sentence that says "We audit all activity.", which is a module I'm currently trying to complete.

    We haven't had any issues as far as we are aware.

  • Fingerprint login (Score:5, Interesting)

    by cdrguru ( 88047 ) on Friday November 10, 2006 @07:13PM (#16800068) Homepage
    The problem with fingerprint readers is there has been a lot of junk put out there. Anything that uses an optical sensor is a joke. Most of the capacitive ones are useless as well.

    We recently deployed an application using an RF-based fingerprint reader. It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.

    The software is very simple and very fast. You can either use their database (encrypted) or your own for storing templates.

    We decided that this was the only way to avoid compromising existing user/password security for systems already in place. If we had even the possibility of the same passwords being used, our system would have to be provably at least as secure as whatever they were currently using. A very difficult and wide-open standard to be measured against. Therefore, no passwords at all.

    • Re: (Score:2)

      by Zadaz ( 950521 )

      It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.

      Okay, maybe not a jello mold finger, but what about a Bic pen [wired.com] or a magic marker [wired.com]?

      Just because no one has figured it out yet doesn't mean they won't tomorrow, and with stuff from their junk drawer.

      Going with only a single authentication and calling yourself "secure" is foolish.

      • Re: (Score:2)

        by telbij ( 465356 ) *
        Okay, maybe not a jello mold finger, but what about a Bic pen [wired.com] or a magic marker [wired.com]?


        Not to mention, as we all know from Hollywood, this will just encourage more cutting off of people's fingers.
    • Nonsense. The problem with fingerprint biometrics is that the object being measured has poorly defined and definable measurable characteristics affected by body fluid content, dirt, sweat, ordinary wear and tear on hands, scarring from ordinary work environments, and which noticeably alter over time. Once you've made a system that can consistently identify the same user, you've introduced enough slack to easily match fairly poor fakes. These include the demonstrated "gummy finger" technique of taking a stor

  • Suggestions (Score:5, Informative)

    by TheNetAvenger ( 624455 ) on Friday November 10, 2006 @07:16PM (#16800092)
    and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs

    This is true of WindowsXP, but not Vista. There are tricks to make Fast User Switching work in XP, you might want to check into them, although I wouldn't recommend them and would enforce a user policy that would just force the users to log off.(Make sure the policy is not just on the machines, but an employee manual policy as well, so that users log off when they are done.) You might also put in plans for Vista in any planned upgrades for your systems if this is important to your organization to allow the multi-user access method in a domain environment.

    Stay away from fingerprint biometric (and variations) for true security, even though they are nice that the user doesn't have to cary a card or device with them. You can easily circumvent them by lifting a fingerprint of the user from a glass for example and using it to gain access to their login.

    One technology that holds has a ligh level of security is tablet or signature sign on devices. The user signs their name. This is hard to defeat for most of the advanced devices, as they not only do a recognition of the input, but also compute the stroke pressure, speed, etc. So it makes it virtually impossible even for someone that can copy signatures to circumvent as they don't use the same pressure, speed, angle, etc as the real person. This is using the cool parts of Ink technology in that it is not just the image created, but all the other stored information making the signature very unique.

    However, for true security go with a Smart Card solution. It does require the users to carry a card or device with them - look at Cell phones and other devices that are implementing this technology, that way users don't have to carry a card. There is a reason Casinos and Gold Mines use this technology, and if the user loses the card you can easily disable the card from the central domain and replace it with a new card for the user. These devices are also nice in that many non-computer devices use them, and employees can also use the same card for access to doors, phones, and other types of security and access throughout the building. So if you need other levels of access or security later on in your organization the same device can be used for authenication away from the computer.

    Do some research and start with the main sites on security. They will have plenty of solutions and suggestions for helping with your login and security. Even go to MS's website and look up smart cards and biometrics since you are using Windows workstations.

    Good Luck.
    • Virtually impossible? Had a sales call to demonstrate PDA security using a signature. The sales guy signed the screen and it unlocked. I had been studying how fast he did it, so when he passed it to me, I used roughly the same timings. And it unlocked. End of demo.

      It's actually easier to observe signature timings than it is to shoulder-surf typing a password.

      The simple problem is that with many biometric technologies, if you turn the false negative level so it rarely stops *you* logging in correctly, it's n
      • Virtually impossible? Had a sales call to demonstrate PDA security using a signature. The sales guy signed the screen and it unlocked. I had been studying how fast he did it, so when he passed it to me, I used roughly the same timings. And it unlocked. End of demo.

        It's actually easier to observe signature timings than it is to shoulder-surf typing a password.

        I think you are comparing Apples and Oranges...

        Using code that computes the pressure, angle and speed of the signature can be very complex. Most of th

    • Re: (Score:2)

      by r3m0t ( 626466 )
      Vista is exactly what I thought when I read the post as well. Fast User Switching ftw! Eheh.
    • If you have to stick it in a socket, it doesn't meet ADA requirements. RFID cards are fine, but most of them are much less secure than something like a chipcard.

  • How can we do your job for you... (Score:3, Insightful)

    by Zwack ( 27039 ) on Friday November 10, 2006 @07:18PM (#16800122) Homepage Journal
    If you don't give us enough details...

    I've used SECURID tokens and they work, but they're slower than regular login/logout methods.

    Are you trying to lock access to the desktop or is the desktop being used as a dumb terminal to some random application?

    If the latter then can you just lock down the desktop and modify the application?

    I'm thinking that this is for something like a time card system, where people walk up, sign in/out and walk off. Given that you're saying speed is of the essence then it seems that that is likely. Have you considered a commercial offering? I am sure that most of the vendors have some sort of solution to uniquely identify particular individuals.

    Magnetic stripe card containing a private key and a passphrase (pin?) known by the employee would work.

    If you need to grant them full access to the windows PC then why are you worrying about security in the first place...:-)

    Z.
  • On some Windoze machines, I just install tweakui. Then you can enter the password into a GUI form in the tweakui applet on the control panel, and voila you don't need to enter it again.

    Another alternative on some versions of Windows is just to click the 'cancel' dialogue button each time, or better yet, just leave the password blank the first time you log on the newly installed system. This works for Windows 9x and Me, and is a great alternative to password authentication.

    These methods are very secure if

  • Remove passwords (Score:5, Insightful)

    by Anonymous Coward on Friday November 10, 2006 @07:25PM (#16800212)
    We tried a very radical idea. The comittee of naysayers and control freaks tore their hair and banged desks to try and stop us from doing it.
    After 6 months I can happily say, it worked, the move is vindicated and the frightened little control freaks had to eat their words
    and admit it is pure genius.:)

    We removed all our passwords.

    Obviously this doesn't suit everyone. We are a smallish organisation with less than 50. The idea that everybody could actually
    be trusted inside the organisation was central, as was the fact that most are not very computer minded and basically quite thick
    when it comes to remembering passwords. The point being that if anyone inside the organisation could *NOT* be trusted then we were
    screwed anyway, passwords or not. The move coincided with a massive revamp of network structure, a very restrictive new
    firewall and password free ACL, basically cutting the intranet off from the outside except for a few key workstations that need general WAN access,
    everything else is VPN. So now you can just walk up to any console, type your login name and get access. We can still log who does
    what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other anybody
    can use anybody elses login if the wish. In 6 months I haven't seen anybody do that, because there is no need to. Sunlight is a great disinfectant.
    Obviously this would not work in a paranoid organisation where everybody is at each others throats, or it would radically change everything if
    you did try it.

    Sometimes you have to take a step back to see the wood for the trees.

    • Re: (Score:3, Informative)

      by gregmac ( 629064 )
      So now you can just walk up to any console, type your login name and get access. We can still log who does
      what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other anybody
      can use anybody else's login if the wish. In 6 months I haven't seen anybody do that, because there is no need to.

      You mean, you haven't seen anyone do it because you 1) have the hope/assumption that everyone is honest, and 2) wouldn't be able to see it if they were sem

      • Make it clear that it's not a matter of mistrust or IT trying to be control freaks.. it's simply a matter of accountability.

        In my experience it's not even that. It's a matter of mis-communication. In almost all cases people screwing up data is completely non-malicious. Keeping sane permissions on stuff doesn't make it all better, but it can help sometimes.

        Nevertheless, every situation is different and if this guy can get away with a trusting environment then more power too him. Trust is a powerful thing,

    • Re: (Score:2)

      by dbIII ( 701233 )
      Interesting. You have complete confidence that clients, salesfolk or employees children or the many others that are let into workplaces will not do anything that will make life difficult with your computers? Also logs are good for finding out why the trainwreck happened but they don't prevent it.

      I worked in a place where everyone knew everyone else's password which was a bit more disfunctional than you describe above. They were forever playing jokes on each other this way - the place was infested with sp

      • No, I can get your fingerprintn from your unwashed coffeecup or the pen I loaned you or your bathroom door on your way out. They're fairly easily lifted with transparent tape.
    • I would guess you have no compliance issues to deal with then. Assuming your a US company that means a privately held, not in the medical field and does not store credit card info (or at least does very little total $ on CC transactions) does not store must anything use full in electronic form (say your tax info) and your HR department uses typewriters could get way with this. I would guess some places like that exist but cant think of any with 60 people, I wonder what the legal dept thinks about it I can
      • I would guess you have no compliance issues to deal with then. Assuming your a US company that means a privately held, not in the medical field and does not store credit card info (or at least does very little total $ on CC transactions) does not store must anything use full in electronic form (say your tax info) and your HR department uses typewriters could get way with this.

        But most Windows 2003 servers I've seen aren't set up to do logging in detail anyway. So, "who accessed what" would be difficult t

        • I think your missing my point, like it or not if you have any compliance requirements or even due diligence to insure things are secure your will need to have passwords to accounts that can access the data and administrate those accounts. When your talking about compliance if your storing CC data password requirements are a whole section of the requirements docs, and so are audit trails. The honor system isn't going to make it to far in court either when somebody sues that there HR data was being sold on

    • Re: (Score:3, Insightful)

      by TheRaven64 ( 641858 )
      Great idea. I did some consulting for a company that had this exact policy. No passwords anywhere - after all, it made life a lot easier for everyone. Until, that is, one of the managers decided to walk off with a copy of the customer database and set up his own, competing, company. Since there was no access control, it was impossible to determine what he had touched and copied or damaged.

      Just because you trust everyone now doesn't mean that you shouldn't, for accountability reasons, maintain adequat

  • DNA (Score:5, Funny)

    by nurb432 ( 527695 ) on Friday November 10, 2006 @07:25PM (#16800214) Homepage Journal
    After you sell your soul to work for us, we require a drop of blood each morning to be able to access the building and then again to access your pc.

    its effective, but we have noticed a rise in healthcare costs.
  • After all, he seems to be responsible for half the data-theft and hard-disk stealing that goes on. Murderising him would reduce the chance of your data being stolen by half.

  • There are fingerprint and ocular authentication devices out there, but I wouldn't want to give anyone a reason to remove my finger (or my eye for that matter).

    Many people use a usb drive with an RSA key or a smart card. Windows implemented bitlocker in vista (ultimate and corporate editions) which is basically file system encryption that can be authenticated with a password and/or external key.

    The most straight forward and easy option in my opinion is to use a passphrase (something much longer than a pa

    • I agree with your sentiment, and additionally things like fingerprints and retinal scans cannot be re-issued if compromised. This isn't a problem yet, but as biometric tokens are more widely used and thus more widely attacked it will become a problem.

  • SunRay Thin Clients (Score:3, Interesting)

    by thanasakis ( 225405 ) on Friday November 10, 2006 @07:31PM (#16800278)
    Although the article specifically states that this is a windows solution, I think it's worth noting that sunray [sun.com] works exactly like this. You put the smartcard, your previous desktop session is instantly restored, you do what you want to do, you pull out the card. Your desktop session is preserved and is terminal independent.

    As for the lack of windows applications, it is actually possible [sun.com] to do it even on sunrays , although admitedly it is not particularly suitable for the small scale that the article submitter implies.

    Anyway, you might take a look at those two links, and if you must absolutely use PCs (sunrays are more suitable for the job the article is outlining), take a look at citrix also [citrix.com]. I don't know whether they do smartcards though.

    • We are doing this right now for just us SA's.

      Citrix gives us the couple of applications we can't replace. Visio and Lotus are really the gotchas.

  • SnakeCard (Score:3, Informative)

    by mpapet ( 761907 ) on Friday November 10, 2006 @07:42PM (#16800374) Homepage
    This guy probably has what you are looking for.

    His application runs a little on the secure side, but he's got it integrated nicely into ActiveDirectory.

    He's a programmer more than a marketing guy, so his site's a little rough around the edges. Cards/Application works beautifully for me though.

    http://www.snakecard.com/ [snakecard.com]

  • Why not ID badges? (Score:5, Insightful)

    by vertinox ( 846076 ) on Friday November 10, 2006 @07:43PM (#16800388)
    It has always occurred to me we might as well use our badges to log in since if someone has access to our security badge, they can get into the office anyways and use a USB or a boot CD to get to our hard drives anyways.

    I suppose we would then only have to worry about our coworkers stealing our badges to do nefarious stuff as our own so perhaps we could combine it with thumb print scanner and maybe a pin number.

    Still, I guess one could beat the password out of the poor worker, steal his badge, and then cut off his thumb... Or maybe kidnap his kid and blackmail him.

    Seriously, unless you are working in a government agency, I don't see anymore security you are going to get out of a badge through and a thumb print.

    • Re: (Score:2)

      by Adam9 ( 93947 )
      Many times a network login will get you into the computer and to other networked resources, which a USB or boot CD won't get you.

    • Re:Why not ID badges? (Score:4, Insightful)

      by radtea ( 464814 ) on Friday November 10, 2006 @10:22PM (#16801802)
      Still, I guess one could beat the password out of the poor worker, steal his badge, and then cut off his thumb... Or maybe kidnap his kid and blackmail him.

      Or you could say, "Hey Joe, I need your card, can I get it?"

      I once maintained a misson-critical database system for a large physics experiment, which used barcode readers to determine who assembled what parts of the detector. On my first visit to the cleanroom where the actual assembly was taking place I found a piece of wood that had stickers with everyone's barcode printed on, so any old assembly worker could become the supervisor, for example. It turned out that the database had some deep issues that made it practically impossible for the workers to actually do the assembly without lying to it. And because it was all hand-rolled C++ spaghetti that was actually trying to get an adequate solution to an NP-hard problem under some severe constraints it wasn't practical to change it. Nor was it actually necessary, because the workers were really trying to do the right thing, they just couldn't.

      But the experience made me very aware of how easy it is for co-operative workers to fake reality big-time without the system being at all aware of it, and most password/identity schemes are subject to this. Some kind of deep biometrics really does seem to be required, but unless they are very reliable, fast, easy to use and unobtrusive they won't be used. And some, as others have pointed out regarding optical fingerprint readers, are very easy to game.
      • Get people to use their own credit cards in a swipe reader (or smartcard reader for those not in USA!). All the system needs is a unique number, it doesn't need to process that number. (Details - store an irreversible crypto hash of the card data.)

        Don't know many people who would respond to "Hey Joe, I need your credit card?"

        • Re: (Score:2)

          by radtea ( 464814 )
          Don't know many people who would respond to "Hey Joe, I need your credit card?"

          Given the empirically-known reality of human behaviour it is virtually certain that after a period of aclimatization people would happily give each other thier credit cards "for identification purposes only."

          If you're familiar with the early Neilsen studies of television-watching behaviour, you'll recall that people with cameras in their living rooms set to record who was watching TV when (in the 1950's) were sometimes filmed hav
  • We use SmartCards on 70,000 Windows XP machines. Smart Card Removal behavior is something you can set. Anything from "do nothing", "lock screen", etc. Anyway, they don't cause a logoff unless you wanted them to.

    Be aware that all of the alternate auth systems I have seen so far (including Smart Card) have lots of caveats. Some want to load a custom GINA. Resist this (read: NO, don't load that GINA). Most don't work right for multi-domain scenarios (where you are in domain 1, and want to connect or maybe ma
  • Smartcard - works great, works under windows,Solaris,OSX,linux,bsd. proven and used by many corperations.

    SecurID - Works great, same as above. Costs money every month for service, significantly higher security than the smartcard or other systems.

  • At work.. (Score:2, Funny)

    by kbox ( 980541 )
    .. We use colonic mapping. It's a pain when i leave my colon at home though, and i have to borrow my friends just to get into the canteen for a coffee.

  • Biometrics are hazardous to security!!! (Score:3, Insightful)

    by Tumbleweed ( 3706 ) * on Friday November 10, 2006 @07:57PM (#16800536)
    Okay, let's say you get all your biometric info stored somewhere for secure access to something. Inevitably, some site that has your info stored will be hacked (this will always happen), and your biometric information is now out there in the wild. Enterprising hacker can then submit *that* biometric info to sites AS YOU to gain access.

    How is this different from passwords, you say?

    You can change your damned compromised passwords! Once your biometric info gets out there, you're compromised for LIFE.

    My advice is to avoid all instances of biometric 'security'. Forever.
    • Their key security property is uniqueness, not secrecy.

      A password (in theory) identifies you because you're the only one who knows it. That identification property can be lost in a heartbeat to a phishing scam.

      Biometrics need a different set of precautions. Recording and replaying the biometric information isn't an issue if there's a trustworthy path from the sensor to the database and a security guard who will challenge anybody who holds a severed finger up to the reader.

      You've been using biometrics for id

      • Re: (Score:2)

        by radtea ( 464814 )
        Recording and replaying the biometric information isn't an issue if there's a trustworthy path from the sensor to the database and a security guard who will challenge anybody who holds a severed finger up to the reader.

        And since there is never a trustworthy path from the sensor to the database (anything can be hacked) and since it only takes one failure to permanently leak the data, you've made the GP's point nicely: biometrics are not secure. This does not make them useless, but it does mean that they ar
  • Mac OS X supports "fast user switching" with any type of authentication because the authentication daemon is separate from the process.

    Furthermore, RFID (RSA) tags, keycard, iris scanning - see what you can AFFORD. You're probably not the NSA so you can't just spend any type of money. Good iris or fingerprint scanners (which are not easily fooled) are quite expensive if you need them for each terminal.
  • I'm not being a smart-ass. In classrooms and other environments, restricted physical access to a bank of machines with a common, limited-rights user works well enough. It's implicitly what goes on in homes around the world, minus the "limited-rights" part.

    I wouldn't do that in most offices though.
  • For added convenience compared to passwords, but similar levels of security, the fingerprint reader built into current Thinkpad laptops works very nicely.

    For a bit of added security without too much grief over drivers and special hardware, RSA SecurID is the gold standard ... it's not true public key crypto, and it is quite pricey at c. $130 a user, but it works with a normal keyboard, defends against replay and can be integrated into anything.

  • Sun-Ray (Score:2, Informative)

    by 0xG ( 712423 )
    I would hate to be the first one to say "try *nix" instead of Microsnot, but... I have seen Sun-Ray employed in a retail environment using ID cards, and was very impressed. The staff walk up to any terminal, insert the smart card, and instantly have their (previously disconnected, but still live) session re-established. As soon as they removed their cards, the session was disconected pending resumption at any other terminal. No login, no restarting applications, etc. It was beautiful. On the downside, it
  • Sun Rays. You can configure them so that instead of getting a unix login screen, when the user puts in a smartcard they get greeted by a login for a Windows Terminal Server (either through the Windows Connector that now comes with the Sun Ray Server Software, or though RDesktop and some tedious hacking).

    Users login once. When they pull their cards, their sessions detach from the Sun Rays, but keep running on the terminal server. When they put their cards back in, they get their Windows desktops again,

    • Re: (Score:2)

      by gr8dude ( 832945 )
      I'd kill kittens if they told me that my users were going to just plug in a smartcard to get access.

      Smart cards can be PIN-protected. N invalid PINs in a row, and the card is blocked (N is usually three, but it depends on the case). So smart cards are pretty secure, since they make brute-forcing NOT an option.
  • How do you revoke someone's fingerprint? Issue them a new one in case of identity fraud? Token + PW is the best way: something you have and something you know, proves that you are you.

    My favorite quote on this was from a StarTrek:TNG, when someone locks himself into a room with Data and pulls a gun on him. Data's response: "I assume that handprint scanner will open the door whether you are conscious or not."
    • How do you revoke someone's fingerprint? Issue them a new one in case of identity fraud? Token + PW is the best way: something you have and something you know, proves that you are you.

      Tried and true. I was skeptical of the SecurID fob I was given at my current job... but now I see how secure it is and yet still allows me to have the access I need without jumping through a bunch of crap to get there.

      Same door, new key every 30 seconds. Combined with a private pin number, and on some systems a local account (
  • my voice is my passport, verify." Two iiiiinnnncccchhhheeesss ppeeeeerrrr sssseeeeccccccccccooonnndddd.....
  • If you dig around in Mac OS X you will find a complete keycard access system, which supports at leat two different systems. You will also find large logos for army, navy, air force, marines, NOAA, coast guard, FBI, and a few other US govt agencies. I assume there is a small pack or kit or something that you run that enables all these dormant features. (if anyone knows how to turn them on please let us know)

  • overkill? (Score:3, Insightful)

    by greginterrupted ( 1025818 ) on Friday November 10, 2006 @11:59PM (#16802436)
    "The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy."

    Sounds like this guy needs a quick system for employees to check some info. It DOESN'T sound like the submitter is working in a nuclear plant, a bank vault, or any other highly secure facility.

    Check http://www.snapfiles.com/get/naturallogin.html/ [snapfiles.com] out. It's a shareware program ($30 to buy) that uses USB flash drives and inserting them into a USB port automatically logs them into the windows system. Sounds like it will work with the existing windows login scheme.

    Retina scanning, RSA keys, and fingerprinting sound cool, but they're probably overkill, and overly expensive. They have their place; but I'm inferring that the submitter doesn't need to be THAT secure.

    I worked at Lowe's (the home improvement warehouse) and we had to make shelf tags, check stock for customers, order products for customers, run registers, and clock in/clock out. We did it all with one system with an employee number and social security for password. It would have been easier and cooler if I didn't have to give out my SSN every time I checked stock on an item for a customer.

  • Passwords (Score:2, Interesting)

    by ghuntington ( 1016215 )
    I've deployed many different types of authentication. Before you get too involved selecting technology here what you need to do:
    1. Do a risk analysis: Categorize your risk to high, medium and low using business risk, security risk and information risk
    2. In an enterprise setting, you then need to deploy some type of single sign on package. In the package you then need to create a set of authentication strengths. Things like passwords and proximity badges are for low risk applications (the reason being the
  • ***

    Yes, my guard stood hard when abstract threats

    Too noble to neglect

    Deceived me into thinking

    I had something to protect*** Bob Dylan. "My back Pages."

    ANY form of security is a pain in the ass. Given that hardly anything in this industry works quite right, it's a safe bet that anything new or or complicated has a high probability of being a bundle of grief. I wouldn't go near biometrics unless you have some really stringent and unusual requirements ... but that's just me. Most IT people are les

  • A point often missed (Score:3, Insightful)

    by Grismar ( 840501 ) on Saturday November 11, 2006 @07:58AM (#16804274)
    A point a lot of people seem to miss in any discussion of authorization is the nature of a password: it requires you to actively remember it (provided you don't write it down or something similar to degrade its security). If you are not around to remember it or unable to consciously do so, the lock stays shut.

    Using biometrics might still require some action on your part (put the thumb on the reader, look into the reader, etc.) but the password is always the same. You may be unaware of what it is being used for -exactly-. This risk is non-existent with passwords, if you pick your passwords carefully. You have to consciously select the password you memorized for this particular application and if you do it well, the password won't unlock anything else.

    I'm not saying passwords are the end-all of security, but they do have this aspect whereas most other solutions that are being considered because of their increase safety in terms of creating copies or simply 'cracking the code' don't.

  • In a previous life, I had a smart-card for a badge, which I shoved in a sunray x-terminal or a laptop as the"thing I had", and typed a password as the "thing I knew", after which I got my current session back.

    If I needed to so somewhere else, I unplugged the card and my session was saved. When I got there, I plugged back in again, typed my password to the screen-saver and picked up exactly where I left off.

    I was very pleased with this scheme: it saved me hours of frustration with AD kludgery and the

  • You might want to consider using a proximity based authentication solution.

    http://www.ensuretech.com/products/demo/demo.html [ensuretech.com]

    I've seen this used in a local hospital, but I'm not sure how it has worked out. The one user I talked to (our nurse) indicated that they really liked the system.

  • Good alternatives to password authentication have been around in the UNIX world for a long time. You can use certificates, keys, one-time-passwords, and so on. Since no one is trying to lock you in to a particular solution, you can often mix and match them to suit your particular needs.

    I've been using ssh keys quite successfully, and we're currently implementing a VPN setup using authpf. We're using ssh keys + passwords for this. If a machine is stolen; it's not a big deal. The theif has the key but no

Slashdot Top Deals

Our OS who art in CPU, UNIX be thy name. Thy programs run, thy syscalls done, In kernel as it is in user!

Close