How Secure Is Microsoft's Fingerprint Reader?
Moos3d asks: "I recently found out about this Microsoft Fingerprint Reader at the library and ever since then I have been fascinated by using something like this for my own PC. How secure is this compared to using multiple 10+ character long passwords? Some people I've talked to seem to think it isn't safe at all and some people seem to think it is only safe for casual use. I only plan to use it for online forums and other applications that don't require great measures of security so it seems to be perfect for me, but how secure do you think it really is?"
Very secure (Score:5, Funny)
http://www.theregister.co.uk/2002/05/16/gummi_bea
Re:Very secure (Score:1)
Re:Very secure (Score:1)
Re:Very secure (Score:2)
Re:Very secure (Score:2)
Also, on the question of "how good is it?". That depends on whose fingerprint software is being used. If the software is in-house Microsoft stuff then it is probably first generation and not very accurate. What this does is raise both the false-positive and the false-negative rate, meaning it is more likely to let
How do you plan to use it? (Score:4, Insightful)
How secure it is depends on how you plan to implement it. Security is not about buying some gizmo; security is a complex project from the ground up, from design to implementation, and also the hardest part - the human element.
So this device alone cannot be proclaimed safe or unsafe - it depends on how you will use it.
I don't really track this specific hardware. I just commented on the merit of your question in general.
Re:How do you plan to use it? (Score:1)
Re:How do you plan to use it? (Score:2)
This marketing buzz-shit about these readers is stupid. Of course such devices may increase security when properly use
Re:How do you plan to use it? (Score:5, Informative)
hey don't support this (at least majority of forums I know
Having looked at the linked product, it appears that the thumbprint device unlocks a cache of stored passwords on the host PC, and the cache then transfers the (text) user name and password to the input fields of the websites. So the websites would not have to be compatible with the thumbprint device per se; it just has to allow autocompleted user/pass info. And most do.
That being the case, is this much more secure than a password protected password cache, à la Apple's Keychain? Probably not. I wonder if the thumbprint reader even bothers to encrypt the print between the reader and the host PC; if not, with a USB sniffer like a keylogging device you're no more secure.
But let's say that the reader does encrypt the print--maybe it does. Do you think it's easier to get my print (glass, gummy bear, etc) or to read my mind for my password? And as another poster pointed out--I can change my password and therefore limit my vulnerability window to whatever temporal limit I choose. OTOH, if my thumb is compromised then I only get one more chance.
Re:How do you plan to use it? (Score:2)
I mean that the passwords are still transferred unencrypted over untrusted network (the Internet, most of forum sites (question and
Not very (Score:3, Informative)
A place where it works (Score:5, Insightful)
I'm not sure how easy they are to fool, but in the hospital, where people wouldn't be at the terminals unless they were a recognised user anyway, they're perfect.
Re:A place where it works (Score:4, Informative)
The nurses would otherwise be typing in passwords about 300 times a day, as the computers lock whenever someone isn't standing at them
They really use thumbprint scanners? What if the nurse has gloves on/a cut/some liquid on their finger? What if the scanner is dirty or scratched? That seems like a strange thing to do.
Probably more likely is that they use Common Access Cards [army.mil] which would be just as secure as a thumbprint, but would also allow one to decertify the existing cards and force a periodic new key to be issued, say every few months--thereby expiring any exploitation of the previous code.
Re:A place where it works (Score:2)
Re:A place where it works (Score:2)
Re:A place where it works (Score:2)
Given how few nurses are using a computer while doing a sterile procedure on a patient, I doubt gloves would be an issue. Cuts aren't a problem, as you just use another finger, and they make this nifty invention called a "paper towel" for liquids.
just plain wrong (Score:2)
Re:just plain wrong (Score:2)
bollocks (Score:2)
Huh? (Score:4, Funny)
Lemme get this straight. You're asking how secure a Microsoft product is on Slashdot?
Let me answer with a question. How smart do I think you are?
A fingerprint is just a password... (Score:5, Informative)
... but one that can't be changed and gets left lying around on a regular basis, but also can't (easily) be lost.
Against a casual attacker (all most of us really have to worry about), it's perhaps slightly more secure than the average password and it's much more convenient.
Against a sophisticated attacker, a fingerprint alone is much weaker than any password, unless you have a habit of writing your password on everything you touch. Yes, all of the fingerprint scanners claim to offer liveness verification, but in practice every time someone has seriously tested the claims, they've fallen down.
If you need really high security, a password is better than a fingerprint, but it's even better to use both. Of course, if you need really high security, you shouldn't be using a standard PC with a common operating system, and I'm not just talking about Windows. Everyday PCs are wide open to an attacker that has physical access to them, regardless of what OS you're running. A TCPA-enabled OS would be slightly better, but not much since the TCPA standards don't require any tamper resistance on the TPM, so a clueful attacker with physical access will almost certainly pwn your machine anyway.
IMO, and this is closely related to my day job, for low security and high convenience, go with a fingerprint. For moderate security, use either a good password or a combination of password/fingerprint or password/smart card or fingerprint/smart card. If you need high security, hire someone to help you figure out how to do it right.
Re:A fingerprint is just a password... (Score:2)
It's not really a password at all. Pressing your finger does not generate a repeatable or unique key. When you enroll in a fingerprint system you give it several prints, and from these it pulls a large number of identifiable points into a template. Some systems use line vectors, others minutiae (where lines stop, start, bifurcate) constellations.
All very true, but really not relevant. Sure, you can't effectively use a fingerprint, either livescan or template, to generate a repeatable hash, which means th
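The point made in the exchange above, that a finger press never yields a repeatable key and has to be compared against an enrolled template with a tolerance, shown as an added Python example (not part of the thread and not any vendor's algorithm). The minutiae coordinates, jitter, tolerance and threshold are constructed values, and scans are assumed to be already aligned with the template.

```python
import hashlib
import math
import random

def capture(finger, rng, jitter=2.0, drop=0.1):
    """Simulate one scan: every minutia shifts a little and some are missed."""
    return [(x + rng.gauss(0, jitter), y + rng.gauss(0, jitter))
            for x, y in finger if rng.random() > drop]

def exact_key(points):
    """What a password-style check would need: a stable hash of the reading."""
    blob = ";".join(f"{x:.1f},{y:.1f}" for x, y in points)
    return hashlib.sha256(blob.encode()).hexdigest()

def match_score(template, probe, tol=6.0):
    """Fraction of template minutiae that have an unused probe point within tol."""
    unused = list(probe)
    hits = 0
    for tx, ty in template:
        near = [p for p in unused if math.hypot(p[0] - tx, p[1] - ty) <= tol]
        if near:
            # Pair with the closest candidate so one probe point counts once.
            unused.remove(min(near, key=lambda p: math.hypot(p[0] - tx, p[1] - ty)))
            hits += 1
    return hits / len(template)

def demo(seed=7, threshold=0.6):
    rng = random.Random(seed)
    def make():
        # Constructed finger: 30 random minutiae on a 300x300 grid.
        return [(rng.uniform(0, 300), rng.uniform(0, 300)) for _ in range(30)]
    owner, stranger = make(), make()
    template = owner  # simplification: enrollment recovered the true points
    scan_a, scan_b = capture(owner, rng), capture(owner, rng)
    return {
        # Two scans of the same finger never hash to the same value...
        "hashes_equal": exact_key(scan_a) == exact_key(scan_b),
        # ...so acceptance is a similarity score compared against a threshold.
        "genuine": match_score(template, scan_b),
        "impostor": match_score(template, capture(stranger, rng)),
        "threshold": threshold,
    }

if __name__ == "__main__":
    print(demo())
```

Raising `threshold` rejects more genuine scans and lowering it accepts more impostor scans, which is the false-negative/false-positive trade-off every matcher of this kind has to tune.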
Re:A fingerprint is just a password... (Score:2)
Why do you assume it is only one finger? What if you are able to use any number of your 10 fingers and in any order... I know, I know... that means the "fingerprint key" still can be brute forced open... but it is more than a 1 finger key...
Because that would be extremely inconvenient and would generally be less secure against a serious attacker than a password. Even if you use a pattern of 10 finger scans, using any of your 10 fingers, that is a search space (10^10) equivalent to a 7-character alphanume
Very Unsecure (Score:3, Informative)
There's also the fact that it sends and stores the fingerprint info, mainly unencrypted, on the local hard drive so that it can match it. If you can get that information and which points need to match, it's relatively easy to make a fake that will match.
Re:Very Unsecure (Score:1)
Re:Very Unsecure (Score:2)
Not very... (Score:4, Informative)
This is the Digital Persona http://www.digitalpersona.com/ [digitalpersona.com] fingerprint scanner, rebranded by Microsoft. I actually use some of their older sensors at home, they're fairly cheap and easy to use.
How secure are they? Not very - these are the same sensors that can be bypassed with highly advanced NASA Gummi Bear Technology. Yeah, get some latent prints, extrude them with superglue and a couple other items, then pour melted gummi bears into the mold to make a cool new fingerprint that can bypass the sensor.
That being a given, they are pretty damn cool, and extremely convenient. You just come over to your Wintendo XP system, put your finger on the sensor and you are in. You can whip up authentication for websites and applications in no time (although I haven't figured out yet how to get it to authenticate me into World of Warcraft). It really is a "password database" system, unlocked with a fingerprint.
BTW, if you decide to buy these go with Microsoft's sensors - Digital Persona is notoriously stingy with application upgrades. Not that it matters, the supplied software still works with my newest WinXP perfectly, but I feel kinda weird running the 1.0.3 version of a product now in 2.x. MS has traditionally been pretty good about providing updated software for their hardware.
The way I look at it, it can keep people (friends, girlfriend, visitors) away from your Windows box without requiring you to enter a password every time you come back to it:
Now you can press windows-L, get up, get a coke, come back, give the pc the finger (preferably middle
Not only that, but it will even allow for Fast User Switching just by putting in someone else's finger. Bonus!
-Jack Ash
Don't mean to troll, but... (Score:4, Insightful)
I think I once read something about Bill Gates saying his business model was to first promise something great, second, get the money, third, deliver it, and fourth, worry about the bugs and fixes later. We all know, though, that once you've sold something, the support from almost anywhere is not as focused as their efforts to produce the next thing they can sell, which is often the upgrade to fix the problems in the earlier version.
It is not possible (Score:3, Insightful)
Re:It is not possible (Score:2)
And yes, I'm sure when Linux is much more commonplace, we'll see problems there, too, but when that happe
Just as secure as any other (Score:3, Informative)
Re:Just as secure as any other (Score:3, Interesting)
Schneier also follows up with a 2002 Crypto-gram blurb [schneier.com], noting Matsumoto's excellent work with the gelatin-finger.
Skroob... (Score:3, Funny)
More secure than the combination on my luggage...
Missing the point (Score:3, Interesting)
When even the editor offers a "LOL! Mirco$oft 1s teh sux!" response (in the from-the line, no less!) I wouldn't expect too much from the rest of the readership, virtually none of whom have ever seen the thing, let alone used it.
Anyway, you're missing the point about complex, frequently changed passwords. The question isn't whether they're stronger than Batman or just stronger than Aquaman, it's whether their nuisance factor poses an actual risk.
not (Score:2)
fingerprint is worst (Score:5, Informative)
Re:fingerprint is worst (Score:1)
Well, technically, an average person would have 9 changes left.
Re:fingerprint is worst (Score:3)
Finger-losing accidents are way more common than freakish nature oddities of hands with more than 10 fingers. Therefore, the average person has less than 10 fingers.
Re:fingerprint is worst (Score:2)
The mean number of fingers would be below 10, but the mode and median number of fingers would still be 10.
Average types:
http://en.wikipedia.org/wiki/Average
Re:fingerprint is worst (Score:1)
Very convenient (Score:2)
But it takes considerable effort - not a job for an average Joe.
Using the reader is a very convenient way to log on to the computer.
I have different logons for different people in my family with varying privileges.
I actually bought the reader because of my 4 year old niece who likes to play games.
She has her own account so that she doesn't end up messing with my personal files or preferences.
Re:Very convenient (Score:1)
Using biometrics as a single factor at home locally for a child too young to type well to log on to a PC without keyboard interaction
Well, let's put it this way: That's probably about the only good use-case scenario for a device like that mentioned in these posts. Especially since kids love playing and touching things
The example of single factor bio in the hospital-- still about conven
MS says..."not very" (Score:3, Interesting)
Easy bypass... (Score:3, Insightful)
I've seen it in movies. What's to stop someone from using this technique?
Re:Easy bypass... (Score:2)
Re:Easy bypass... (Score:2)
If the only way to steal a car is to chop off the owner's hand, then there will soon be a lot bigger demand for keyboards for one-handed people.
Security??? (Score:1)
Ask Microsoft (Score:3, Informative)
Um. Isn't "sensitive data" the reason that pages are password-protected in the first place?
So apparently the Microsoft Fingerprint reader is so insecure that even Microsoft can't recommend using it. Now that's scary.
Re:Ask Microsoft (Score:2)
In the same vein, you wouldn't store the Hope Diamond in a padlocked box at home, but it works just fine for the title to your car.
Re:Ask Microsoft (Score:2)
Hell yes I would. If you saw my house you would never in a million years think the Hope Diamond was anywhere near it, never mind inside. Security through obscurity? Perhaps. But, sometimes it works.
Re:Ask Microsoft (Score:2)
Review.. (Score:2, Flamebait)
Pfft.
I'd rather just use a password manageme
Not Very, IMHO (Score:2)
Microsoft? Secure!?
</needed_bash>
But seriously, I'm not sure how a thumbprint reader would be that secure. It's pretty obvious that Microsoft isn't using professional-quality fingerprint security hardware, so if someone has a similar enough print, they can probably get in. On the other hand, if your attacker doesn't have a similar print, then they're pretty much screwed.
So I guess a lot of it's luck.
- dshaw
Promo for RoboForm (Score:2)
Most important, it has a portable version that will let you carry it around on a USB drive. You pop the USB drive into a computer and you have access to all your passwords.
It has a master password which you can use to selectively protect your login information and o
Not for sensitive data (Score:2)
The Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activitie
I believe there are basically two ways to do biometric devices like this. The first is for the device to basically measure something and send the measurements to the computer. For example, a fingerprint rea
All Your Fingers ... (Score:2)
Yikes (Score:2)
Wipe off the surface when you're done. It's possible to "breathe" on the reader with some models and have the condensation on the oil pattern be enough to trigger a "read" and you therefore impersonate the last person to use the reader.
MS doesn't recommend it itself (Score:1)
"The Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities."
nT (Score:1)