Fingerprint readers

[mayest]

Our IT department has recently gotten pretty strict with our password policies, so I've got a bunch of passwords that have to be changed regularly, and they have to be "strong" passwords. I can use RoboForm for the Web-based stuff, but it doesn't appear to work for regular applications.

So, my question is: Do USB fingerprint readers work well, and do they work with regular applications that are not used in a browser? Also, can any of them be used when booting into XP at login? I am on a network domain, so I need something that can deal with that. Apparently, the Microsoft fingerprint reader won't work on domains.

 

[corkyg]

One I know works just about as you describe as a "want," - the Sony Puppy 810 FIU. I use it on my laptop - it is required for loading XP Pro - and can also be used for specific programs.

It is fairly expensive, however, but is really sensitive. If I don't hold my finger exactly right, it gives me a "No!" You can use a strong passwrod as an alternative.

 

[zig3695]

they are usually completely insecure. i recommend using a usb key as a physical means of encrypted ID, check out http://keepass.info

once you get keepass working you wont understand how you used online accounts without it.

 

[WackyDan]

Leveraged properly, Fingerprint readers(FPR) are secure. Problem is most organizations let their users use them in convenience mode and not forced two factor authentication.

To properly manage FPR's in a large IT environment you need to implement something that gives you central authority over the FPR and the layers of authentication you want to achieve. Softex Inc has a great product for this.

I don;t like token based usb because the user will store the key with the system. Smart cards are really the best token based authentication but are a bear to set up.

 

[mayest]

Thanks for the replies.

CorkyG, I'll have to look into that Sony reader some more. It does seem expensive, but it looks like it would do what I want. Thanks for pointing it out.

zig3695, I took a look at Keepass, but it seems to be a much more complicated to use version of RoboForm. It might be more secure, I don't know, but their forums make it sound like a real pain to use.

WackyDan, that Softex Omnipass looks like a good solution. I didn't see anything about the cost, but I'll try to have our IT folks look into it. Right now, they seem to think that requiring many passwords is the solution. I think that they are just making our systems more difficult to use and ultimately people will just write down their passwords.

Thanks again to all of you. You've given me some good ideas.

 

[WackyDan]

Mayest... Cost depends on how many licenses you require... the more the cheaper.

Best way to go down the FPR road is to buy systems with the scanner built in... Most business laptops offer that today and some business desktops can be outfitted with a keyboard with one built in as an option at time of purchase. Lenovo does this... not sure about HP/DEll.

More passwords is not the answer and will result in users logging them somwhere for safe keeping...as well you will have much higher cost of associated with password resets.

FPR allows you to replace just about any password for Power on, OS login, app login, and web login with a single two factor password/finger swipe. The other good thing to look at is if the FPR software you are looking at can layer over the top of the Windows Log in GINA.... makes someone cracking the password with a boot device much less likely.

I'll add one more thing. combine the use of two factor authentication with drive enccryption, and you will sleep better at night.... While Softex has some basic file/folder encryption, full volume encryption does offer the best protection in case of theft *provided you use two factor authentication for the drive encryption products boot kernal. PointSec, Safe Boot, and Utimaco are the leaders.... Utimaco being my favorite. All three are enterprise class product that are still easy to implement in smaller infrastructures.

 

[mayest]

Thanks. I'm going to print this out. I've got a meeting with our IT VP next Friday and I'll show it to her.