Re: Security of Windows fingerprint reader

["Hart, Mark Smylie" <mshart () UIUC EDU>]

That's right - there are some devices out there that are TRUE biometric
devices...this is not one of them.

The Microsoft Fingerprint Scanner is essentially a mechanism for storing
macros that will enter a username and password for you.

To my knowledge, there is no true encryption enabled with this device
and Microsoft actually recommends that you NOT use it in a 'sensitive
data' scenario.

"The Fingerprint Reader should not be used for protecting sensitive data
such as financial information or for accessing corporate networks."

While this is a potentially useful tool, the faith that an average
end-user may place in this technology may cause more problems in the
long run than it fixes.

That said, you're probably not going to be able to buy a piece of
hardware that can maintain a password list for you AND provide
encryption at a sub-$50 price point.  There are other devices out there
that will do that, but they cost real money.  Then again, they're less
likely to be fooled by a gummy bear or a bag of water like people have
claimed is possible.

I'll go ahead and climb off the soap box for now.

Mark Smylie Hart
Network Security Officer
University of Illinois at Urbana-Champaign
T - 217.333.4676
E - mshart () uiuc edu

-----------------------------[PGP KEY INFO]-----------------------------
bits/keyid                                                1024D/E73BD405
fingerprint            95E0 4BE2 C958 51ED 48C4 A2BD FDB5 E188 E73B D405
------------------------------------------------------------------------

Ken Shaurette wrote:
> Some of these integrated devices such as for laptops allow replacement or setting up security such as the fingerprint 
> is necessary for BIOS startup.  Some of these devices along with software provide encryption of files on the hard 
> drive.
>
> As Mark points out in general most of the solutions only provide local replacement of passwords to access the laptop. 
>  In many cases they do not prevent someone from pulling the hard drive on a stolen or lost laptop and putting it in a 
> similar device or in a standalone hard drive shell in order to access the data on it.  I have not tested whether data 
> encrypted by a fingerprint solution in that case will remain safe, but I assume how safe would be dependent on the 
> solution.
>
> A solution such as Utimaco's encryption that allows complete HD encryption becomes a very secure way to go when 
> protecting the data, but again as Mark points out key management is critical, passwords under the keyboard still 
> eliminate the value of any solution dependent on them.  Losing the passwords is another side problem with that.
>
> Educated and competent users, along with multiple layers of security still is about the only way to adequately reduce 
> the risk.   How much security is enough?  Anyone could make a million dollars if they had the right answer to that 
> question or to the question;  What is reasonable?
>
> Ken
>
> Ken M. Shaurette, CISSP, CISA, CISM
> Information Security Solutions Manager
> MPC Security Solutions Group, www.mpcscorp.com
> (262) 523-3300 x60486
> ------------------------------------------------------------
>
> October is CyberSecurity Month - Awareness does not end when the day is done!!
> ------------------------------------------------------------
>
>
>
> -----Original Message-----
> From: Hart, Mark Smylie [mailto:mshart () UIUC EDU]
> Sent: Tuesday, June 07, 2005 10:03 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security of Windows fingerprint reader
>
>
> These devices will allow you to login to Windows, but only if the computer is in a workgroup...this feature is 
> disabled for domain logins.
>
> That may not have much of an impact on you, but one thing that concerned me about the one glowing brilliantly next to 
> my keyboard is that it won't work with Firefox.
>
> I don't touch the fingerprint reader anymore because of that ($35- down the drain).
>
> It works in IE just fine, but some of the security measures it uses are kind of sketchy.  In the registry it keeps 
> track of usernames and passwords.  I can't really fault the password hashing because it's not clear to me on how to 
> de-code it...but the usernames are kept in there and if you view that key, you can see the username in clear text.
> (HKLM\Software\DigitalPersona\DB\Data\IdList\#\User)
>
> Also, in the Documents and Settings folder you can see the applications/pages for which a password has been stored 
> (look for shortcut.ini).  You can't see the password, but from the registry you'd have a username and from here you'd 
> get the application/site name.
>
> Also, on some pages if I only stored a password and not a username, it would paste my password into the username 
> field in clear text!! - probably because the username field was the first available field for data entry.
>
> These issues and others have led us to NOT recommend this to users, and to explain to them that this is a password 
> management utility...not a security device.  In that regard it can be quite useful, especially to staff who may have 
> umpteen passwords that all have different length/complexity requirements...this will make life very much easier, but 
> this is not a security device (nor would I consider it a very secure
> device) - just a useful tool.
>
> If you can wrap your head around it that way, you may ultimately be much better off.
>
>
> Mark Smylie Hart
> Network Security Officer
> University of Illinois at Urbana-Champaign
> T - 217.333.4676
> E - mshart () uiuc edu
>
> -----------------------------[PGP KEY INFO]-----------------------------
> bits/keyid                                                1024D/E73BD405
> fingerprint            95E0 4BE2 C958 51ED 48C4 A2BD FDB5 E188 E73B D405
> ------------------------------------------------------------------------
>
> Tristan RHODES wrote:
>
> > There are inexpensive fingerprint readers made by Microsoft which
> > allow a user to log into Windows using their fingerprint.
> >
> > How secure are these?
> >
> > If someone has physical access to the computer, are they still able to
> > boot into an alternative OS and insert a new password hash?  Or do
> > these devices have something that prevents this?  Is encrypting the
> > filesystem
> > (EFS) required to protect your data?
> >
> > Thanks,
> >
> > Tristan Rhodes