Posted by: kurtsh | May 27, 2008

INFO: Why Fingerprint Domain Authentication is a Bad Idea

I’ve seen this a lot recently, implemented by folks that I would otherwise respect: IT departments setting users up with fingerprint-based Windows domain authentication.

This is a bad idea. 

Recently, the topic came up again and was discussed internally amongst some of the techs here at Microsoft.

FINGERPRINTS ARE WEAK KEYS
Although many vendors attempt to refute this, fingerprints are generally weak keys used to protect stronger keys – the Kerberos token used by Active Directory.

The number of data points collected by fingerprint scanning devices represents a keyspace that is smaller, with lower entropy, than Microsoft’s own "strong password" restrictions. In other words, by using a fingerprint for identification, you’d have a solution more vulnerable to brute force attacks than a typed password. It should be noted that brute force doesn’t necessarily imply "random password attempts" against Active Directory: solutions like hash lookups on pre-computed tables stored on dual layer DVDs are known to accelerate such attacks dramatically.
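To make the weak-key argument concrete, here is an added example (not part of the original post) that compares the guessing resistance of a password meeting the Windows complexity rule (at least 3 of 4 character classes) with that of a fingerprint reader. The comparison assumes that a reader’s practical strength against an attacker presenting arbitrary prints is bounded by its false accept rate (FAR); the class sizes and the FAR of 1 in 100,000 are assumptions, not figures from the post.

```python
from itertools import combinations
from math import log2

# Character classes behind the Windows "password must meet complexity requirements" rule.
# Class sizes are assumptions (32 approximates the printable ASCII punctuation set).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def complex_password_keyspace(length: int, min_classes: int = 3) -> int:
    """Number of passwords of the given length that use at least `min_classes`
    distinct character classes, counted exactly by inclusion-exclusion."""
    names = list(CLASSES)
    total = 0
    for k in range(min_classes, len(names) + 1):
        for used in combinations(names, k):
            # Strings drawn only from `used` that contain every class in `used`:
            # alternate over subsets T of `used` and count strings over T alone.
            exact = 0
            for j in range(len(used) + 1):
                for subset in combinations(used, j):
                    alphabet = sum(CLASSES[c] for c in subset)
                    exact += (-1) ** (len(used) - j) * alphabet ** length
            total += exact
    return total


def biometric_effective_bits(far: float) -> float:
    """Each presented print is accepted with probability FAR, so an attacker
    needs about 1/FAR attempts on average; that is log2(1/FAR) bits of
    resistance, however rich the raw minutiae template may be."""
    return log2(1.0 / far)


def compare(length: int = 8, far: float = 1e-5) -> dict:
    """Guessing resistance in bits for an 8-character complex password versus a
    reader with the assumed FAR."""
    pw_bits = log2(complex_password_keyspace(length))
    bio_bits = biometric_effective_bits(far)
    return {
        "password_bits": round(pw_bits, 1),
        "fingerprint_bits": round(bio_bits, 1),
        "password_stronger": pw_bits > bio_bits,
    }


if __name__ == "__main__":
    print(compare())
```

Note that the keyspace figure also understates the gap: a compromised password can be changed, while a fingerprint template cannot be re-issued.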

COPYING YOUR IDENTITY – STEALING YOUR FINGERPRINT
A coworker also pointed out that it’s relatively trivial to capture someone’s fingerprint and then submit the capture to a fingerprint device as your own login. The whole "CSI-picks-up-the-person’s-fingerprints-from-a-glass-of-water" trick very much works via the fairly well-publicized rubber cement technique.

There aren’t really any known economical ways of preventing this either. While vendors have moved to a "swipe-and-scan" type of reader in most systems, that design is ultimately just as vulnerable.

FINGERPRINTS:  CONVENIENT FOR CONSUMERS, INSECURE FOR ENTERPRISES
There’s still very much a reason to look at fingerprint identification. Securing things like your online mail account or the password to your blog might be good reasons to have fingerprint authentication, for the convenience of the consumer.

For enterprise customers, however, there are many other more secure solutions at roughly equal cost that also offer much more flexible administration. Here’s something to think about:

  • Microsoft sells fingerprint identification hardware solutions, and yet…
  • Microsoft uses smartcard authentication for every employee.

And by the way, what happens when someone’s been compromised?
…how does the Domain Administrator revoke your finger?
