Educause Security Discussion mailing list archives

Re: Security of Windows fingerprint reader


From: "Hart, Mark Smylie" <mshart () UIUC EDU>
Date: Tue, 7 Jun 2005 10:03:07 -0500

These devices will allow you to login to Windows, but only if the
computer is in a workgroup...this feature is disabled for domain logins.

That may not have much of an impact on you, but one thing that concerned
me about the one glowing brilliantly next to my keyboard is that it
won't work with Firefox.

I don't touch the fingerprint reader anymore because of that ($35 down
the drain).

It works in IE just fine, but some of the security measures it uses are
kind of sketchy.  In the registry it keeps track of usernames and
passwords.  I can't really fault the password hashing because it's not
clear to me how to decode it...but the usernames are kept in there
and if you view that key, you can see the username in clear text.
(HKLM\Software\DigitalPersona\DB\Data\IdList\#\User)

Also, in the Documents and Settings folder you can see the
applications/pages for which a password has been stored (look for
shortcut.ini).  You can't see the password, but from the registry you'd
have a username and from here you'd get the application/site name.

Also, on some pages if I only stored a password and not a username, it
would paste my password into the username field in clear text!! -
probably because the username field was the first available field for
data entry.

These issues and others have led us to NOT recommend this to users, and
to explain to them that this is a password management utility...not a
security device.  In that regard it can be quite useful, especially to
staff who may have umpteen passwords that all have different
length/complexity requirements...this will make life very much easier,
but this is not a security device (nor would I consider it a very secure
device) - just a useful tool.

If you can wrap your head around it that way, you may ultimately be much
better off.


Mark Smylie Hart
Network Security Officer
University of Illinois at Urbana-Champaign
T - 217.333.4676
E - mshart () uiuc edu

-----------------------------[PGP KEY INFO]-----------------------------
bits/keyid                                                1024D/E73BD405
fingerprint            95E0 4BE2 C958 51ED 48C4 A2BD FDB5 E188 E73B D405
------------------------------------------------------------------------

Tristan RHODES wrote:
There are inexpensive fingerprint readers made by Microsoft which allow
a user to log into Windows using their fingerprint.

How secure are these?

If someone has physical access to the computer, are they still able to
boot into an alternative OS and insert a new password hash?  Or do these
devices have something that prevents this?  Is encrypting the filesystem
(EFS) required to protect your data?

Thanks,

Tristan Rhodes
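An added audit script for the two artifacts Mark describes above (not code from the original post or from DigitalPersona). It enumerates the IdList registry entries and reports the clear-text User values, and it finds the shortcut.ini files under the profile folders that name the applications/sites with a stored password. It assumes, since the post does not say, that each "#" is a numbered subkey of IdList with "User" as a string value inside it, and that profile folders live under "Documents and Settings" (XP era) or "Users" (later Windows); on a machine without the reader software the key is simply absent and the script reports that.

```powershell
# Added example: audit the DigitalPersona artifacts described in the post.
# Assumptions (not stated in the post): each numbered entry is a subkey of
# IdList carrying a REG_SZ value named "User"; profile folders are under
# "Documents and Settings" or "Users" on the system drive.

$IdListKey    = 'HKLM:\Software\DigitalPersona\DB\Data\IdList'
$ProfileRoots = @(
    (Join-Path $env:SystemDrive 'Documents and Settings'),
    (Join-Path $env:SystemDrive 'Users')
)

function Get-DigitalPersonaUsernames {
    # Returns one object per IdList entry whose "User" value is readable.
    if (-not (Test-Path -Path $IdListKey)) {
        Write-Verbose "$IdListKey not present; reader software not installed"
        return @()
    }
    Get-ChildItem -Path $IdListKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.PSObject.Properties['User']) {
            [pscustomobject]@{
                Index    = $_.PSChildName
                Username = $props.User      # stored in clear text
            }
        }
    }
}

function Get-StoredPasswordTargets {
    # Returns each shortcut.ini found under a profile folder together with its
    # contents. The post says the password itself is not in this file, only
    # the application/page names, so nothing here is parsed for secrets.
    foreach ($root in $ProfileRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter 'shortcut.ini' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Entries = @(Get-Content -Path $_.FullName -ErrorAction SilentlyContinue)
                }
            }
    }
}

$users = @(Get-DigitalPersonaUsernames)
if ($users.Count -eq 0) {
    'No DigitalPersona IdList entries found.'
} else {
    'Usernames recoverable in clear text from the registry:'
    $users | Format-Table -AutoSize
}

$targets = @(Get-StoredPasswordTargets)
if ($targets.Count -eq 0) {
    'No shortcut.ini files found under profile folders.'
} else {
    'shortcut.ini files (application/site names with a stored password):'
    foreach ($t in $targets) {
        $t.Path
        $t.Entries | ForEach-Object { "    $_" }
    }
}
```

Run it from an elevated prompt so every profile folder is readable; correlating the Index/Username list with a profile's shortcut.ini gives exactly the username-plus-target pairing the post warns about, which is why the tool is better treated as a convenience password manager than as an access-control device.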

