Slashdot: News for Nerds

Successful Alternatives To Password Authentication?

Cliff posted more than 7 years ago | from the seeking-different-ways-to-login dept.


DonaldP asks: "Have any of you successfully deployed a key, token, or biometric-based access control for Windows machines to replace (or enhance) the typical login/logout authentication process (even image-recognition schemes would be considered)? I see different stuff out there but short of actually evaluating each one, it's hard to get a good idea of what the scene is like, what is crap and what actually delivers. Does anyone have experience with such systems, or can suggest other suitable solutions?"

"Some existing solutions (smartcards, etc) have their own quirks. Most notably, they trigger a login, or a logout event (plug it in to log in, remove to log out). Frankly, that just takes too long. Access granting needs to be quick and easy, because it will be frequent (and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs). The machines I want to deploy on are domain-connected systems, basically serving kiosk roles in a warehouse. Usage is frequent, usage of a system is shared, and access needs to be quick and easy.

A 'Holy Grail' would be something like you see on the point-of-sale terminals in the food industry. Waitrons swipe or wave their card to access the (shared) terminal, quickly punch in or look up what they need, and they're out of there until next time.

The specific technology used (iris scanner, fingerprint scanner, smartcard, keycard, RFID, etc) isn't particularly important. I want to roll out something easier for the floor people to manage than the typical standard username/password authentication method, that provides:

- FAST locking/unlocking the screen (or fast login/logout action).
- Allows multiple 'keys' to be used for one system (many individual users, one computer).
- An event log (or equivalent) to identify which key unlocked/locked the system and when.
- The ability to disable individual keys in the event of loss, theft, etc.

The few products that I have found range from so-so to vapor-seeming. PSL would probably hit all the bases but it looks like vapor. The documentation link isn't there, the FAQ is blank, and the 'Reviews' and 'News' pages are empty. The RF-based one for WirelessDefender seems slick but it doesn't look like the hardware would accommodate multiple users for a single unit."

In addition to recommendations and suggestions, if you've tried biometric authentication and have horror stories of stuff that *didn't* work, feel free to share those too, if you would.


188 comments

lick my hairy chode (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16799880)

alternuhtive complet3

Three strikes, you're out! (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16799882)

"Have any of you successfully deployed a key, token, or biometric-based access control for Windows machines to replace (or enhance) the typical login/logout authentication process (even image-recognition schemes would be considered)?"

The shotgun pointed at your head, three tries you're out login method works wonders.

Yup. (3, Funny)

Indy Media Watch (823624) | more than 7 years ago | (#16799896)

Biometric Bacon Authentication [slashdot.org].

Nooooooooo! (0)

Anonymous Coward | more than 7 years ago | (#16800398)

You just gave me this horrible vision of someone combining KittenAuth [kittenauth.com] with that dog for those Bacon Bits that always goes "Bacon! Bacon! Gotta find the bacon!!!" Spammers don't know it's not bacon!

Damn commercials, all this time and it's still rotting my brain!

Tag Trolling (1)

Mateo_LeFou (859634) | more than 7 years ago | (#16801216)

I enjoyed attaching "itsatrap" to this one.

I know i know! (0, Troll)

Nemetroid (883968) | more than 7 years ago | (#16799910)

Retinal scanning, directly from the future!

Smart Card + RSA key (2, Interesting)

Average_Joe_Sixpack (534373) | more than 7 years ago | (#16799926)

Still anyone with physical access to the system can pull the HDD and have at it later.

I use a similar system (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16800054)

It is called a Smart Cock system. I whip out my 9 inch rock hard cock and stick it in the BioSensor which measures girth and length and digitally samples the shape of the head of my trouser snake. It uses a 7 point system to compare to the stored sample. And then I pull it out of the BioSensor and fuck your girlfriend in the dumper.

Re:I use a similar system (0, Flamebait)

Average_Joe_Sixpack (534373) | more than 7 years ago | (#16800104)

And then I pull it out of the BioSensor and fuck your girlfriend in the dumper.

Ha you fool! ... I don't have a girlfriend so your system is worthless!

Re:I use a similar system (-1, Flamebait)

goofyheadedpunk (807517) | more than 7 years ago | (#16801262)

The system probably has a failsafe on that last step: your Mom.

(Holy shit, I just made my first "Your Mom!" joke on /. Man, I need to get a life.)

The most secured system... (0)

creimer (824291) | more than 7 years ago | (#16799934)

Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems.

Re:The most secured system... (1)

CrazyJim1 (809850) | more than 7 years ago | (#16799962)

The thought of being locked in a room with a PC without internet terrified me. It reminds me too much of 15 years ago *shudder*.

Re:The most secured system... (1)

Bing Tsher E (943915) | more than 7 years ago | (#16800202)

You can also be locked in a room with a Windows machine with Hummingbird Exceed installed on it. It is on the same non-world-routed network as a multi-hosted Unix box. Then you run your Web apps on the Unix box. The non-routed network can be very locked down.

There are non-commercial solutions where you don't have to buy Exceed, too. I find them somewhat kludgey. YMMV.

Re:The most secured system... (1)

LiquidCoooled (634315) | more than 7 years ago | (#16800256)

Hey, 15 years ago I got a lot more work done without the damned internet getting in the way!

Re:The most secured system... (2, Funny)

creimer (824291) | more than 7 years ago | (#16800550)

Back then I was switching floppies between physical Drive A and virtual Drive B to save data.

Re:The most secured system... (0)

Anonymous Coward | more than 7 years ago | (#16800020)

> Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems.

... which is only secure until I insert my USB key to .

Sure, it'd be a matter of
1) virus on removable media (1) infects "secure" machine
2) virus infects next removable media (2) with random text from secure machine as payload (along with itself)
3) virus infects next machine it comes across, with botnet instructions allowing it to spam that random text along with advertisements for pr0n or "hot stock tips".

Surely by now you've gotten random "spam filter poisoning" emails?

Re:The most secured system... (2, Informative)

Mr. Underbridge (666784) | more than 7 years ago | (#16800800)

> Is a Windows computer without network access in a locked room. I heard the NSA and/or CIA has a few of these highly secured systems. ... which is only secure until I insert my USB key to . Sure, it'd be a matter of 1) virus on removable media (1) infects "secure" machine 2) virus infects next removable media (2) with random text from secure machine as payload (along with itself) 3) virus infects next machine it comes across, with botnet instructions allowing it to spam that random text along with advertisements for pr0n or "hot stock tips".

Oh, believe me, there are pretty good safeguards against things like that. At higher classification levels, "removable media" don't exist. USB keys are banned. For the most part, this is for information compartmentalization, but computer security is an issue too.

Re:The most secured system... (1)

Vainglorious Coward (267452) | more than 7 years ago | (#16800032)

Is a Windows computer without network access in a locked room

Nonsense. A computer with a different OS in the same room would be more secure.

Re:The most secured system... (2, Insightful)

Bing Tsher E (943915) | more than 7 years ago | (#16800258)

True. A machine with MS-DOS on it, for instance, doesn't even have the 'hooks' to be networked, without extra binaries being added. And since it's very simple, it's easy to know that there aren't any rogue processes running in the background. Just keep a logic analyzer connected to its bus and keep an eye on what's going on.

My TRS-80 Model 100 is even MORE secure, as the EPROM or non-volatile memory would have to be hacked for rogue software to be running on it. Or something bad with BASIC.

And my SYM-1 is even better. With only a 6502 processor, and 4K of static RAM, an intruder would have to sneak in, enter his trojan on the hex keypad, and be certain you didn't cycle power before next using the system.

Re:The most secured system... (2, Funny)

BorgCopyeditor (590345) | more than 7 years ago | (#16801054)

I think my Wellington Bear calculator is even more secure, at least, before it was hybridized with my Trapper Keeper.

Re:The most secured system... (1)

Loconut1389 (455297) | more than 7 years ago | (#16801398)

I had a virus once that hid itself in memory; the only way you could find it was if mem /c or whatever was a few kb short, so that's not entirely true.

Re:The most secured system... (4, Funny)

LiquidCoooled (634315) | more than 7 years ago | (#16800288)

If a computer crashes in a locked room and nobody is around to see it fail, does it have a blue screen?

True Story (1)

LunaticTippy (872397) | more than 7 years ago | (#16800362)

According to KVM over ethernet, yes.

Re:The most secured system... (1)

jd3nn1s (613014) | more than 7 years ago | (#16800300)

Nonsense, you saw it on Mission Impossible :)

Re:The most secured system... (1)

Ant P. (974313) | more than 7 years ago | (#16800726)

I heard the NSA created this little thing called "SELinux".

Re:The most secured system... (1)

jotok (728554) | more than 7 years ago | (#16801072)

Pfft, my roommate has one of those since he can't get his Linksys appliance to work and won't let me in to troubleshoot it!

Smart cards (2, Interesting)

mammoth_2k (859792) | more than 7 years ago | (#16799958)

I recently looked at this one smart card technology that has an integrated thumb-print reader on the card! It is called the "Super Smart Card", well sure, why not? http://e-smart.com/products_ssc.html [e-smart.com]

Re:Smart cards (1)

wkk2 (808881) | more than 7 years ago | (#16801032)

Does anyone sell small quantities of one-time password tokens that are compatible with the OATH standard and allow the shared secret to be loaded? Every token I have looked at required the use of a custom server and all kinds of licensing.
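As an added example (not code from this thread or from any product mentioned in it), here is a minimal OATH HOTP (RFC 4226) verifier in Python that loads the shared secret itself and covers the requirements from the question: many tokens per shared kiosk, an audit log of which token locked or unlocked the machine and when, and the ability to disable an individual lost or stolen token. The secret and six-digit codes are the public RFC 4226 test vectors; the kiosk name, token ids and user names are constructed for the example.

```python
"""OATH HOTP (RFC 4226) verifier with per-token revocation and an audit log.

Added example for this thread; not from any vendor named in it.  The HOTP
secret/codes are the public RFC 4226 test vectors; kiosk name, token ids and
user names are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Public test secret from RFC 4226, Appendix D ("12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Token:
    user: str
    secret: bytes      # shared secret loaded at enrollment (what the OATH question asks for)
    counter: int = 0   # next counter value the verifier will accept
    enabled: bool = True


class KioskAuthenticator:
    """One shared kiosk, many enrolled tokens, every lock/unlock attempt logged."""

    def __init__(self, kiosk: str, look_ahead: int = 10):
        self.kiosk = kiosk
        self.look_ahead = look_ahead   # tolerate a few button presses that never reached us
        self.tokens: Dict[str, Token] = {}
        self.events: List[dict] = []   # the "which key, when" event log

    def _log(self, event: str, token_id: str, user: Optional[str] = None) -> None:
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "kiosk": self.kiosk, "event": event, "token": token_id, "user": user,
        })

    def enroll(self, token_id: str, user: str, secret: bytes) -> None:
        self.tokens[token_id] = Token(user=user, secret=secret)
        self._log("enroll", token_id, user)

    def disable(self, token_id: str) -> None:
        """Lost or stolen token: keep the record for the audit trail, refuse further use."""
        tok = self.tokens[token_id]
        tok.enabled = False
        self._log("disable", token_id, tok.user)

    def unlock(self, token_id: str, code: str) -> bool:
        tok = self.tokens.get(token_id)
        if tok is None:
            self._log("unlock-unknown-token", token_id)
            return False
        if not tok.enabled:
            self._log("unlock-disabled-token", token_id, tok.user)
            return False
        for c in range(tok.counter, tok.counter + self.look_ahead):
            if hmac.compare_digest(hotp(tok.secret, c).encode(), code.encode()):
                tok.counter = c + 1        # move past the used counter: a replayed code fails
                self._log("unlock", token_id, tok.user)
                return True
        self._log("unlock-bad-code", token_id, tok.user)
        return False

    def lock(self, token_id: str) -> None:
        tok = self.tokens.get(token_id)
        self._log("lock", token_id, tok.user if tok else None)


def demo() -> List[str]:
    """Constructed walk-through of one kiosk; returns the logged event names in order."""
    auth = KioskAuthenticator("warehouse-kiosk-3")
    auth.enroll("tok-001", "alice", RFC4226_SECRET)
    auth.enroll("tok-002", "bob", b"constructed-secret-for-bob")
    auth.unlock("tok-001", "755224")   # RFC 4226 code for counter 0: accepted
    auth.lock("tok-001")
    auth.unlock("tok-001", "755224")   # same code again: replay rejected
    auth.unlock("tok-001", "287082")   # counter 1: accepted
    auth.disable("tok-001")            # card reported lost
    auth.unlock("tok-001", "359152")   # valid code, but token disabled
    auth.unlock("tok-999", "000000")   # never enrolled
    return [e["event"] for e in auth.events]


if __name__ == "__main__":
    for name in demo():
        print(name)
```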

A thing you have and a thing you know (1)

ajohn505 (1007097) | more than 7 years ago | (#16799970)

Would be the ideal method.

This one didn't work so well (3, Interesting)

eric76 (679787) | more than 7 years ago | (#16799978)

In the early 1980's, I worked for an engineering company that tried an alternative.

After you entered your username, the logon program would look up your employee payroll records and ask you a random question from them. If you answered correctly, you would get logged on.

Sometimes it was easy. For example, it might ask your street address. You'd have to answer exactly as in the record, but that wasn't too difficult.

Often, the only way you could log in was to have a copy of your employee payroll records in front of you. For example, do you know to the penny how much withholding has been deducted from your pay this year? Or how much your total take home was last year?

The experiment didn't last too long before it went back to username / password.

Re:This one didn't work so well (1)

Llywelyn (531070) | more than 7 years ago | (#16800228)

We had a system at one point that if you couldn't remember your password it would ask you several security questions.

The problem? I was asked when I met my spouse. This is an interesting question since I'm unmarried. o_O

Re:This one didn't work so well (1)

neuro.slug (628600) | more than 7 years ago | (#16800718)

That reminds me of this stupid system our IS department set up. It required you to enter answers to five or six challenge questions (in case you forgot your password), but the answers had to be at least five characters. Of course, this kind of sucks when your mother's maiden name and your favorite color are both four-letter words.

Re:This one didn't work so well (2, Funny)

stuff and such (980278) | more than 7 years ago | (#16801076)

The best automated form I have ever had to fill out went:
Q: where were you born
A: ohio
error, must be 5 characters
So I'm probably the only person born in multiple states at the same time, "ohios"

Re:This one didn't work so well (1)

ergean (582285) | more than 7 years ago | (#16801096)

My favourite colour is blue ... no, yellow!

Re:This one didn't work so well (1)

2sheds (78194) | more than 7 years ago | (#16801474)

But what is the air speed velocity of an unladen swallow?

Re:This one didn't work so well (2, Informative)

Anonymous Coward | more than 7 years ago | (#16801540)

When I last worked in a government job, also in the early 80's, we had magnetic cards that we had to swipe at public dumb terminals before entering in our user ID and password. (Yes, this was before everyone had a computer at their desk.) The user IDs were easy to guess, as they were something like ADMIN001, ADMIN002, etc.

The passwords were 12 alphanumeric characters, were system assigned, and were changed monthly. They were more than a tad difficult to remember, even for those with doctorates with reasonably decent memories. The passwords used mostly the uncommon letters, and in odd patterns. The guy in charge of IT was happy with the security. Who could guess a password of "qz18t97p0f8b"? (He reasoned.)

I tried to get the guy to use less secure passwords, something that people could remember without having to have it on a piece of paper to carry around, as those papers were left, at times, at a terminal. He said, no, that was what was needed. I told him in my division, and probably others, employees left on their desks, or in an unlocked top center desk drawer, the swipe cards with the "secure" passwords written on them. He said he'd consider it; we needed the security, period.

About 2 months later, I logged on as my boss and told the IT guy to call my boss, because I (my boss) was considering firing him for his inability to keep the system secure.

The next day, after speaking with my boss (who was none too happy that someone had been able to send an email as him), we got to make up our own 12 character passwords. This kept the night cleaning crew from being able to look up and/or change data on thousands of people. Sometimes people just don't think through all the implications of security, and don't want to know where it's broken.

You FAIL it. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16799998)

coMre team. They [goat.cx]

Biometrics & problems (3, Informative)

dbialac (320955) | more than 7 years ago | (#16800000)

If you haven't seen the episode of MythBusters with biometrics, it will scare you to death. Finger biometrics, anyway, are easily defeated and for that reason should be avoided without some other shared mechanism. A better approach is to use something like retina recognition which is harder to fake out, or combine finger scanning with something else such as a code that isn't biometric. But at the end of the day, you also have to ask, "How secure does this need to be?" to help weigh your options.

As for login times, you're not going to be able to do much about them. It's simply the nature of Windows and most other login/logoff systems.

The video (4, Informative)

pablodiazgutierrez (756813) | more than 7 years ago | (#16800070)

Mythbusters on fingerprint hacking, here thanks to Gootube [youtube.com].

Re:Biometrics & problems (0, Offtopic)

TheNetAvenger (624455) | more than 7 years ago | (#16800156)

As for login times, you're not going to be able to do much about them. It's simply the nature of Windows and most other login/logoff systems.

Windows2K, XP, Vista (and even all the older variations of NT) have time-restricted and controlled login and usage policies. This is something that an administrator can easily set in the domain or authentication server or even a local machine policy. This is something that is very easy to set, even on a home computer for kids, let alone a domain where you can flip a switch and all the systems obey.

Sometimes people scare me when they are so out of touch with basic technology that any credible IT person would know.

Re:Biometrics & problems (1)

GNU(slash)Nickname (761984) | more than 7 years ago | (#16800326)

I'm pretty sure the poster meant the length of time it takes to complete the login/logout cycle.

Sometimes people scare me when they are so out of touch...

Yeah, I know what you mean. Like when they comment on someone's answer when they clearly didn't read or understand the original question.

Re:Biometrics & problems (1)

xlsior (524145) | more than 7 years ago | (#16800354)

Windows2K, XP, Vista (and even all the older variations of NT) have time-restricted and controlled login and usage policies. This is something that an administrator can easily set in the domain or authentication server or even a local machine policy. This is something that is very easy to set, even on a home computer for kids, let alone a domain where you can flip a switch and all the systems obey.

That's not the issue at hand here -- the original poster was referring to the amount of time it takes to log on with certain schemes, and not talking about restricting logon/logoff to certain times of day.

Re:Biometrics & problems (1)

TheNetAvenger (624455) | more than 7 years ago | (#16801672)

Whoops... Notably I was not even on the same tracks, let alone the same train.

Thanks for pointing this out.

Re:Biometrics & problems (1)

Khabok (940349) | more than 7 years ago | (#16801420)

Where do we draw that line as to what validates biometrics? Does possession of a physical key qualify, as in the Super Smart Card? What if your chair had a load-cell in it, so you had to be within five pounds of the correct body weight?

Memorizing a password is not perfect either, ya know. Security is always best-effort. [thinkgeek.com]

Maybe we should quit agonizing over this question so much. Here's a thought: use a small highly-secure server for every x workstations. If you need something, have the local server get it from the farm and keep it there. Keep the workstations under Deep Freeze and require that those resources be accessed remotely, via something nice and secure like good-old password validation. Therefore, low-security tasks can be managed from the workstations using fast and easy biometric login, medium-security tasks can be done using the local server as a network drive with a text password, and high-security tasks are done via the local server, either through something like SSH or even keyed physical access.

Anybody like that idea?

Digital Persona works very well. (3, Informative)

zerofoo (262795) | more than 7 years ago | (#16800002)

Digital Persona's Kiosk fingerprint reader package [digitalpersona.com] is exactly what you need.

I deployed the Workstation Pro package at my last job. It works great, and has group policy ADM templates to aid in setup and deployment.

-ted

Re:Digital Persona works very well. (1)

Dersaidin (954402) | more than 7 years ago | (#16800978)

Have you gone to any effort to try and break it?

Re:Digital Persona works very well. (0)

Anonymous Coward | more than 7 years ago | (#16801560)

Yes, even their sensor with 'false finger detection' can easily be spoofed if you desire. That's why Microsoft OEMs it and clearly on their website, they recommend not using it as the device and the implementation are not secure:

Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks. [microsoft.com]

This is only a device of convenience, and Microsoft markets Digital Persona technology as nothing more than something to help you forget passwords.

Voice Authentication is the wave of the future. (1)

lordkobold (303773) | more than 7 years ago | (#16800010)

Or it was a few years ago... Star Trek Voice Print [cybertown.com]

Re:Voice Authentication is the wave of the future. (0)

Anonymous Coward | more than 7 years ago | (#16800896)

And tape recorders are wonderful too!
So are pocket MP3 recorders.

Something you know and something anyone nearby can have? That doesn't quite cut it now, does it?

Honor System (2, Funny)

Anonymous Coward | more than 7 years ago | (#16800056)

In order to reduce costs, we put a question like "Are you authorized to view this very confidential information?". In order to curb abuse we also have a sentence that says "We audit all activity.", which is a module I'm currently trying to complete.

We haven't had any issues as far as we are aware.

Fingerprint login (5, Interesting)

cdrguru (88047) | more than 7 years ago | (#16800068)

The problem with fingerprint readers is there has been a lot of junk put out there. Anything that uses an optical sensor is a joke. Most of the capacitive ones are useless as well.

We recently deployed an application using an RF-based fingerprint reader. It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.

The software is very simple and very fast. You can either use their database (encrypted) or your own for storing templates.

We decided that this was the only way to avoid compromising existing user/password security for systems already in place. If we had even the possibility of the same passwords being used, our system would have to be provably at least as secure as whatever they were currently using. A very difficult and wide-open standard to be measured against. Therefore, no passwords at all.

Re:Fingerprint login (1)

Zadaz (950521) | more than 7 years ago | (#16801792)

It uses the Authentec chip which is in many readers. It is extremely difficult to fool because it scans below the skin level. Some jello mold finger isn't going to work with this.

Okay, maybe not a jello mold finger, but what about a Bic pen [wired.com] or a magic marker [wired.com]?

Just because no one has figured it out yet doesn't mean they won't tomorrow, and with stuff from their junk drawer.

Going with only a single authentication and calling yourself "secure" is foolish.

Suggestions (4, Informative)

TheNetAvenger (624455) | more than 7 years ago | (#16800092)

and Fast User Switching doesn't work on machines that are part of a domain, according to Microsoft's docs

This is true of WindowsXP, but not Vista. There are tricks to make Fast User Switching work in XP, you might want to check into them, although I wouldn't recommend them and would enforce a user policy that would just force the users to log off. (Make sure the policy is not just on the machines, but an employee manual policy as well, so that users log off when they are done.) You might also put in plans for Vista in any planned upgrades for your systems if this is important to your organization to allow the multi-user access method in a domain environment.

Stay away from fingerprint biometrics (and variations) for true security, even though they are nice in that the user doesn't have to carry a card or device with them. You can easily circumvent them by lifting a fingerprint of the user from a glass, for example, and using it to gain access to their login.

One technology that has a high level of security is tablet or signature sign-on devices. The user signs their name. This is hard to defeat for most of the advanced devices, as they not only do a recognition of the input, but also compute the stroke pressure, speed, etc. So it makes it virtually impossible even for someone that can copy signatures to circumvent, as they don't use the same pressure, speed, angle, etc. as the real person. This is using the cool parts of Ink technology in that it is not just the image created, but all the other stored information making the signature very unique.

However, for true security go with a Smart Card solution. It does require the users to carry a card or device with them - look at cell phones and other devices that are implementing this technology, that way users don't have to carry a card. There is a reason casinos and gold mines use this technology, and if the user loses the card you can easily disable the card from the central domain and replace it with a new card for the user. These devices are also nice in that many non-computer devices use them, and employees can also use the same card for access to doors, phones, and other types of security and access throughout the building. So if you need other levels of access or security later on in your organization the same device can be used for authentication away from the computer.

Do some research and start with the main sites on security. They will have plenty of solutions and suggestions for helping with your login and security. Even go to MS's website and look up smart cards and biometrics since you are using Windows workstations.

Good Luck.

RSA SecurID for Windows Works Great (1)

madsheep (984404) | more than 7 years ago | (#16800110)

Yes, we have deployed a great alternative to password based authentication at work. We have done this by deploying RSA SecurID for Windows. This is completely free so long as you already have an RSA Authentication Manager (ACE/Server) infrastructure. This allows us to use our passcode (your PIN) + tokencode (your changing code). We also require them to use their Windows password in addition to this. You can enable "Windows Password Integration" which will remember it for you, so the users never have to remember their password. However, due to certain levels of sensitivity we opt not to do this. In theory someone that admins the Unix ACE/Server we run could set a temporary or emergency passcode/password in place of a token and bypass the whole process. Requiring both is a bit more secure.

In any event using RSA works well. Getting tokens and all that is not free obviously, but if your environment already uses them.. this is easy to deploy. Sure it can be a PITA if your tokencode changes while you're typing or if you lock your workstation/unlock it frequently (meaning you have to wait for a tokencode change) but it does a great job and provides a nice two-factor solution.

How can we do your job for you... (2, Insightful)

Zwack (27039) | more than 7 years ago | (#16800122)

If you don't give us enough details...

I've used SECURID tokens and they work, but they're slower than regular login/logout methods.

Are you trying to lock access to the desktop or is the desktop being used as a dumb terminal to some random application?

If the latter then can you just lock down the desktop and modify the application?

I'm thinking that this is for something like a time card system, where people walk up, sign in/out and walk off. Given that you're saying speed is of the essence then it seems that that is likely. Have you considered a commercial offering? I am sure that most of the vendors have some sort of solution to uniquely identify particular individuals.

Magnetic stripe card containing a private key and a passphrase (pin?) known by the employee would work.

If you need to grant them full access to the windows PC then why are you worrying about security in the first place...:-)

Z.

tweakui (1)

Bing Tsher E (943915) | more than 7 years ago | (#16800124)

On some Windoze machines, I just install tweakui. Then you can enter the password into a GUI form in the tweakui applet on the control panel, and voila you don't need to enter it again.

Another alternative on some versions of Windows is just to click the 'cancel' dialogue button each time, or better yet, just leave the password blank the first time you log on the newly installed system. This works for Windows 9x and Me, and is a great alternative to password authentication.

These methods are very secure if used on stand-alone machines or machines that are not on world-connected networks. You just lock the door on the room or building they're located in.

Auth strength should match the sensitivity of data (0)

Anonymous Coward | more than 7 years ago | (#16800128)

If I may inject something here, it's that authentication strength should be appropriate to the data and resources being protected.

For many of us (admins, etc) we need strong authentication. But there are special situations where the data and access being protected are either not particularly sensitive, or other safeguards are in place.

Some closed networks with non-sensitive data might very well benefit from authentications that we as techies consider "weak". The overall risk from an exposure/breach frankly just might not be very high.

That being said, as a horror story I can tell you I tried something similar about 4-5 years ago with fingerprint readers. Ugh. Not only did fingerprints not get reliably read on the best of days, but the software was bad too - there was just no way to integrate completely. Perhaps that stuff's matured somewhat by now.

Remove passwords (5, Insightful)

Anonymous Coward | more than 7 years ago | (#16800212)

We tried a very radical idea. The committee of naysayers and control freaks tore their hair and banged desks to try and stop us from doing it. After 6 months I can happily say, it worked, the move is vindicated and the frightened little control freaks had to eat their words and admit it is pure genius. :)

We removed all our passwords.

Obviously this doesn't suit everyone. We are a smallish organisation with less than 50. The idea that everybody could actually be trusted inside the organisation was central, as was the fact that most are not very computer minded and basically quite thick when it comes to remembering passwords. The point being that if anyone inside the organisation could *NOT* be trusted then we were screwed anyway, passwords or not. The move coincided with a massive revamp of network structure, a very restrictive new firewall and password-free ACL, basically cutting the intranet off from the outside except for a few key workstations that need general WAN access; everything else is VPN. So now you can just walk up to any console, type your login name and get access. We can still log who does what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other anybody can use anybody else's login if they wish. In 6 months I haven't seen anybody do that, because there is no need to. Sunlight is a great disinfectant. Obviously this would not work in a paranoid organisation where everybody is at each other's throats, or it would radically change everything if you did try it.

Sometimes you have to take a step back to see the wood for the trees.

Re:Remove passwords (2, Informative)

gregmac (629064) | more than 7 years ago | (#16800454)

So now you can just walk up to any console, type your login name and get access. We can still log who does what, and casual visitors can't just get access unless they know a valid login name. Because there are no secrets from each other anybody can use anybody else's login if they wish. In 6 months I haven't seen anybody do that, because there is no need to.

You mean, you haven't seen anyone do it because you 1) have the hope/assumption that everyone is honest, and 2) wouldn't be able to see it if they were semi-smart at all.

What I mean by that, is if the guy getting paid minimum wage out back wants to see what his supervisor makes, he just logs on as someone in accounting or HR (or whoever has access). Since they'd normally need to access accounting data, nothing would look out of the ordinary.

It's a nice bubble to live in, but people (in general) do not remain honest all the time. Things happen.. People get angry, fed up, etc etc. I don't want to come off sounding like a paranoid nut, but there are so many deeper issues with doing a setup like this. If someone does download sensitive data and say, sells it to your competitors, you wouldn't be able to know who did it - since it's likely that the perpetrator would have just logged on to another account. If someone downloads child porn, and the feds come knocking, you wouldn't be able to help them.

I think part of what you're going for can be accomplished using passwords.. as long as you treat them the right way. Make it clear that it's not a matter of mistrust or IT trying to be control freaks.. it's simply a matter of accountability. My guess is you're going to run into major (legal?) problems in the future when some kind of incident happens, especially if you don't take due diligence, like having passwords.

Re:Remove passwords (1)

dbIII (701233) | more than 7 years ago | (#16801114)

Interesting. You have complete confidence that clients, salesfolk or employees' children or the many others that are let into workplaces will not do anything that will make life difficult with your computers? Also logs are good for finding out why the trainwreck happened but they don't prevent it.

I worked in a place where everyone knew everyone else's password which was a bit more dysfunctional than you describe above. They were forever playing jokes on each other this way - the place was infested with spyware and you could never be sure who really was sending you an email - all it takes to start is one idiot who cannot be trusted.

As for biometric information - you can take my fingerprints from my cold dead hands! Personally I see it as a flawed technical solution to a social problem to aid the lazy - people want an easy way to log in and do not want to remember a password or passphrase or carry some sort of key.

Re:Remove passwords (1)

OnlineAlias (828288) | more than 7 years ago | (#16801200)

I sure hope you don't have me as a customer. I would sure hate to have my information tied to a system that has absolutely no integrity. In addition, if you lose one bit of sensitive information, either about an employee or a customer, your company is going to get sued to within an inch of its life, I assure you. If it gets to the media you will not only get sued you will probably go out of business.

I am a long experienced information security officer for a large organization. One thing I have learned is that, by default, everyone thinks that they are a security expert. Your control freaks had no idea why they wanted access controls, and you had no idea the ramifications of removing them. But both sides think they are experts I am sure, and neither has any training on the subject.

I'm not saying anything will ever happen, maybe it won't. But I sure wouldn't want to be you or your organization if it does.

HIPPIES! (1)

bunco (1432) | more than 7 years ago | (#16801536)

Does your company design, manufacture and market hacky sacks?

Without authentication, you can pretty much write off accounting. What happens when Chuck logs into Bill's workstation with Bill's username and deletes the secret recipe for the ultra-soft hemp yarn used for your product? Looks like Bill is out of a job.

What happens when you decide you want to take credit card orders instead of using a system of bartering? AAA (authentication, authorization and accounting) is required by VISA PCI.

"Every time you eat a steak, a hippie's hacky sack goes down the gutter." -- Patton Oswalt

Re:Remove passwords (1)

silas_moeckel (234313) | more than 7 years ago | (#16801552)

I would guess you have no compliance issues to deal with then. Assuming you're a US company, that means a privately held company, not in the medical field, that does not store credit card info (or at least does very little total $ on CC transactions), does not store much of anything useful in electronic form (say your tax info) and whose HR department uses typewriters could get away with this. I would guess some places like that exist but I can't think of any with 60 people. I wonder what the legal dept thinks about it; I can see their heads exploding when somebody tells them that anybody can access the electronic HR records of anybody else.

Re:Remove passwords (2, Insightful)

TheRaven64 (641858) | more than 7 years ago | (#16801722)

Great idea. I did some consulting for a company that had this exact policy. No passwords anywhere - after all, it made life a lot easier for everyone. Until, that is, one of the managers decided to walk off with a copy of the customer database and set up his own, competing, company. Since there was no access control, it was impossible to determine what he had touched and copied or damaged.

Just because you trust everyone now doesn't mean that you shouldn't, for accountability reasons, maintain adequate activity logs, and if people use each other's accounts all the time then you will find it impossible to tie any action to an individual.

DNA (4, Funny)

nurb432 (527695) | more than 7 years ago | (#16800214)

After you sell your soul to work for us, we require a drop of blood each morning to be able to access the building and then again to access your pc.

It's effective, but we have noticed a rise in healthcare costs.

Re:DNA (1)

MalHavoc (590724) | more than 7 years ago | (#16801466)

Hey, it worked in Gattaca.

Let's just pay to get Sam Fisher whacked. (1)

Channard (693317) | more than 7 years ago | (#16800226)

After all, he seems to be responsible for half the data-theft and hard-disk stealing that goes on. Murderising him would reduce the chance of your data being stolen by half.

Authentication Options (1)

information_storage (1025634) | more than 7 years ago | (#16800230)

There are fingerprint and ocular authentication devices out there, but I wouldn't want to give anyone a reason to remove my finger (or my eye for that matter).

Many people use a usb drive with an RSA key or a smart card. Windows implemented bitlocker in vista (ultimate and corporate editions) which is basically file system encryption that can be authenticated with a password and/or external key.

The most straight forward and easy option in my opinion is to use a passphrase (something much longer than a password). A password or phrase with 25 - 45 characters would surely give you great security against brute forcing etc.

This all depends on what kind of security you need. If you use a good password, then it is probably not the weakest link in your security. If the information you are trying to protect on the hard drive can be easily taken out of the computer (physically), then you may want to look into file system encryption or steganography (if you want plausible deniability).

Re:Authentication Options (1)

fred fleenblat (463628) | more than 7 years ago | (#16800332)

I agree with your sentiment, and additionally things like fingerprints and retinal scans cannot be re-issued if compromised. This isn't a problem yet, but as biometric tokens are more widely used and thus more widely attacked it will become a problem.

SunRay Thin Clients (2, Interesting)

thanasakis (225405) | more than 7 years ago | (#16800278)

Although the article specifically states that this is a windows solution, I think it's worth noting that sunray [sun.com] works exactly like this. You put the smartcard, your previous desktop session is instantly restored, you do what you want to do, you pull out the card. Your desktop session is preserved and is terminal independent.

As for the lack of windows applications, it is actually possible [sun.com] to do it even on sunrays, although admittedly it is not particularly suitable for the small scale that the article submitter implies.

Anyway, you might take a look at those two links, and if you must absolutely use PCs (sunrays are more suitable for the job the article is outlining), take a look at citrix also [citrix.com]. I don't know whether they do smartcards though.

Re:SunRay Thin Clients (1)

funwithBSD (245349) | more than 7 years ago | (#16800360)

We are doing this right now for just us SA's.

Citrix gives us the couple of applications we can't replace. Visio and Lotus are really the gotchas.

Why not passwords? (0)

SomethingOrOther (521702) | more than 7 years ago | (#16800292)

Why not passwords?
If passwords don't work for you then you need to tell us why not, otherwise we can't help you.

They work well for most of us, and if it ain't broke, don't fix it.
Retina scans, 007 and RFID might look cool, but what advantages will they offer you?

Re:Why not passwords? (0)

Anonymous Coward | more than 7 years ago | (#16800678)

Because they are easily cracked, and they have been for years.

It's too easy for someone to get a hold of your account by cracking the password.

Don't get me started on biometrics either.. fingerprints are 10 static passwords, and they're usually stored in the clear somewhere.

X.509 Certs on USB drives? (0)

Anonymous Coward | more than 7 years ago | (#16800340)

You really didn't tell us the whole question I fear.
- How long is the typical access period?
- how many accesses are required per person per day/period?
- is the system networked?
- how many users?
- are they all located in the same room/warehouse or spread across the world?
- is centralized authentication required; is there a high turnover rate for workers?
- Do the users need access to a general PC or just 1 specific application?
- Web App or thick client?
- Users can only be connected from a single PC at a time?

Ok, I'll assume you only have a few locations with 10 folks sharing a single networked system running 1 application with only 1 active connection/login at a time.

With these assumptions, why not give each user a located USB drive they can wear around their neck or wrist. They hold an x.509 cert and a PIN that the application checks. The cert contains the identity and public version. The PIN does a little to prevent sharing of the USB drives. CF could be used. Floppy disks could be used or a smart card. Be certain the same device lets the workers in and out of the building and into the toilets. If they don't bring it to work, they lose a day's pay and get written up.

What is the worth of what you are protecting?
What is the cost for each failed access in $$$? Convert lost time and lost opportunity into $$$.
What happens if the main system that performs the authentication fails and nobody has access?
What happens if you distribute the authentication and someone steals the computer/drive?

RFID and finger prints are a joke from a security standpoint. Not worth your time.

There are many more questions to ask ...

SnakeCard (2, Informative)

mpapet (761907) | more than 7 years ago | (#16800374)

This guy probably has what you are looking for.

His application runs a little on the secure side, but he's got it integrated nicely into Active Directory.

He's a programmer more than a marketing guy, so his site's a little rough around the edges. Cards/Application works beautifully for me though.

http://www.snakecard.com/ [snakecard.com]

Why not ID badges? (5, Insightful)

vertinox (846076) | more than 7 years ago | (#16800388)

It has always occurred to me we might as well use our badges to log in since if someone has access to our security badge, they can get into the office anyways and use a USB or a boot CD to get to our hard drives anyways.

I suppose we would then only have to worry about our coworkers stealing our badges to do nefarious stuff as our own so perhaps we could combine it with thumb print scanner and maybe a pin number.

Still, I guess one could beat the password out of the poor worker, steal his badge, and then cut off his thumb... Or maybe kidnap his kid and blackmail him.

Seriously, unless you are working in a government agency, I don't see any more security you are going to get out of a badge and a thumb print though.

Re:Why not ID badges? (1)

Adam9 (93947) | more than 7 years ago | (#16801492)

Many times a network login will get you into the computer and to other networked resources, which a USB or boot CD won't get you.

Re:Why not ID badges? Because it is stupid! (1)

donstenk72 (593985) | more than 7 years ago | (#16801718)

Any idea how many laptops are stolen with id badges in the side pockets?

Besides that, it is stupid to make company data accessible by sticking a usb stick in a client. There _are_ ways of securing data - remote drive/homedir + encrypted local cache on client. Not exactly rocket science either.

Re:Why not ID badges? (3, Insightful)

radtea (464814) | more than 7 years ago | (#16801802)

Still, I guess one could beat the password out of the poor worker, steal his badge, and then cut off his thumb... Or maybe kidnap his kid and blackmail him.

Or you could say, "Hey Joe, I need your card, can I get it?"

I once maintained a mission-critical database system for a large physics experiment, which used barcode readers to determine who assembled what parts of the detector. On my first visit to the cleanroom where the actual assembly was taking place I found a piece of wood that had stickers with everyone's barcode printed on, so any old assembly worker could become the supervisor, for example. It turned out that the database had some deep issues that made it practically impossible for the workers to actually do the assembly without lying to it. And because it was all hand-rolled C++ spaghetti that was actually trying to get an adequate solution to an NP-hard problem under some severe constraints it wasn't practical to change it. Nor was it actually necessary, because the workers were really trying to do the right thing, they just couldn't.

But the experience made me very aware of how easy it is for co-operative workers to fake reality big-time without the system being at all aware of it, and most password/identity schemes are subject to this. Some kind of deep biometrics really does seem to be required, but unless they are very reliable, fast, easy to use and unobtrusive they won't be used. And some, as others have pointed out regarding optical fingerprint readers, are very easy to game.

Smart Cards DON'T trigger logoff on removal (2)

GIL_Dude (850471) | more than 7 years ago | (#16800464)

We use SmartCards on 70,000 Windows XP machines. Smart Card Removal behavior is something you can set. Anything from "do nothing", "lock screen", etc. Anyway, they don't cause a logoff unless you wanted them to.

Be aware that all of the alternate auth systems I have seen so far (including Smart Card) have lots of caveats. Some want to load a custom GINA. Resist this (read: NO, don't load that GINA). Most don't work right for multi-domain scenarios (where you are in domain 1, and want to connect or maybe map a drive to domain 2 which is an untrusted domain).

Anyway, be ready for things like a "self service" site to reset PINs and lots of user training for what to do when their web browser or email client all of a sudden asks for a "user ID and password" and won't accept a token, card, etc.

two choices (1)

Lumpy (12016) | more than 7 years ago | (#16800484)

Smartcard - works great, works under Windows, Solaris, OS X, Linux, BSD. Proven and used by many corporations.

SecurID - Works great, same as above. Costs money every month for service, significantly higher security than the smartcard or other systems.

YOU FAIL IlT! (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16800502)

At work.. (2, Funny)

kbox (980541) | more than 7 years ago | (#16800534)

.. We use colonic mapping. It's a pain when I leave my colon at home though, and I have to borrow my friend's just to get into the canteen for a coffee.

Biometrics are hazardous to security!!! (2, Insightful)

Tumbleweed (3706) | more than 7 years ago | (#16800536)

Okay, let's say you get all your biometric info stored somewhere for secure access to something. Inevitably, some site that has your info stored will be hacked (this will always happen), and your biometric information is now out there in the wild. Enterprising hacker can then submit *that* biometric info to sites AS YOU to gain access.

How is this different from passwords, you say?

You can change your damned compromised passwords! Once your biometric info gets out there, you're compromised for LIFE.

My advice is to avoid all instances of biometric 'security'. Forever.

Re:Biometrics are hazardous to security!!! (1)

jeff300 (1025780) | more than 7 years ago | (#16801108)

Buddy, get a clue. At least do some research. Biometric systems do not store any record of your biometric (fingerprint, retinal scan data, voiceprint, etc.). They store a hash. To authenticate you, you provide your data to the scanner each time you need to authenticate and the information is hashed in real time while your finger/eye/whatever is being scanned. The hashes are then compared. The live data is never stored anywhere.

Re:Biometrics are hazardous to security!!! (2, Insightful)

Zadaz (950521) | more than 7 years ago | (#16801854)

True enough, though a hash could be exploited with some kind of injection attack.

However what if, instead of getting their hands on my hash, they get something that looks like my finger, at least to a sensor?

Well then I am fucked, and the argument about consequences is real. Can't change my finger. Well, I can up to 10 times, but an authentication scheme with only 10 possible hashes is obviously lousy.

Biometrics aren't passwords (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#16801128)

Their key security property is uniqueness, not secrecy.

A password (in theory) identifies you because you're the only one who knows it. That identification property can be lost in a heartbeat to a phishing scam.

Biometrics need a different set of precautions. Recording and replaying the biometric information isn't an issue if there's a trustworthy path from the sensor to the database and a security guard who will challenge anybody who holds a severed finger up to the reader.

You've been using biometrics for identification your entire life. You recognize family and coworkers by facial geometry in person and by voice over the phone. There's no need to "revoke" a face if someone takes a photograph of it.

Novell NMAS (1)

IgorMrBean (528387) | more than 7 years ago | (#16800588)

Novell NMAS framework is a modular authentication schema. You can have multifactor (password, bio, token, smartcard, etc. etc.) authentication and/or identification. Lots of devices allow you to have an NMAS sequence. I've set up some setups like this, for hospitals, which require quick login/logout. You can easily integrate that with Windows. Support for other platforms is also available.

Suggest typing with a keyboard under the desk... (0)

Anonymous Coward | more than 7 years ago | (#16800636)

If you don't have the money, typing with a keyboard that's UNDER the desk (but you have to be able to type without looking at your hands... and using lots of shift characters in passwords is almost as good. And change your passwords every month! Can you type without moving your mouth?

Why even use biometric??? (1)

simulacra-norm (1025766) | more than 7 years ago | (#16800688)

I have no clue as to why you would need to use biometric. If you set password policies to have users create complex passwords, plus have a lock out policy after three unsuccessful tries, there is no need for biometric. Sure there is the coolness factor, but that does not make all the extra effort to maintain the system worth it. The simple fact is that if someone has physical access to a computer any type of security can be broken. Besides BM can be cracked by lifting the finger prints. Just set some common sense rules down and I doubt that you will ever have a problem.

Get a Mac, no serious (1)

guruevi (827432) | more than 7 years ago | (#16800732)

Mac OS X supports "fast user switching" with any type of authentication because the authentication daemon is separate from the process.

Furthermore, RFID (RSA) tags, keycard, iris scanning - see what you can AFFORD. You're probably not the NSA so you can't just spend any type of money. Good iris or fingerprint scanners (which are not easily fooled) are quite expensive if you need them for each terminal.

Simple... complete security needs 3 things... (1)

Not_Wiggins (686627) | more than 7 years ago | (#16800756)

I wish I could claim this as mine, but someone else came up with it first. 8/
To have security be complete, you need three things:

1) What you have
2) What you are
3) What you know

In a simple case, this could be accomplished by using:
1) A SecurID fob
2) Your finger print
3) A PIN number

Together, it makes trying to impersonate a user dang-near impossible.
Of course, insert your own favorite 1,2,3's. 8)

Restricted physical access (2, Insightful)

davidwr (791652) | more than 7 years ago | (#16800830)

I'm not being a smart-ass. In classrooms and other environments, restricted physical access to a bank of machines with a common, limited-rights user works well enough. It's implicitly what goes on in homes around the world, minus the "limited-rights" part.

I wouldn't do that in most offices though.

Sometime you have to ask yourself..... (1)

sLaCkEr808 (1025778) | more than 7 years ago | (#16800944)

Why bother? We use post-it note authentication. I can go to just about anyone's desk and find their login/password written on a post-it note. I also know for a fact that many people here keep a post-it note with their passcodes attached to their credit/debit cards.

Unfortunately, options are limited. (0)

Anonymous Coward | more than 7 years ago | (#16800964)

Unfortunately, for the person who asked this, options are limited for items which work with most applications without forcing GINA replacement.

Until something better comes out, your best bet is to bite the bullet, and go SecurID. It's not 100% secure, and it's not fast, but it does require "something owned and something known" to log in.

Yeah..... (1)

IHC Navistar (967161) | more than 7 years ago | (#16801352)

It's called a crowbar.

Two good choices .... (1)

RallyDriver (49641) | more than 7 years ago | (#16801592)

For added convenience compared to passwords, but similar levels of security, the fingerprint reader built into current Thinkpad laptops works very nicely.

For a bit of added security without too much grief over drivers and special hardware, RSA SecurID is the gold standard ... it's not true public key crypto, and it is quite pricey at c. $130 a user, but it works with a normal keyboard, defends against replay and can be integrated into anything.
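As an added example that is not from any commenter in this thread: a server-side verifier in Python that checks a one-time code from a hardware token (the possession factor, computed as in RFC 4226 so that, as noted for SecurID above, a captured code cannot be replayed) together with a PIN (the knowledge factor), plus the three-strike lockout mentioned earlier in the thread. Authenticator, UserRecord, the policy constants and the user name are constructed for this example; the secret used in testing is the public RFC 4226 test key.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Constructed example: a server-side two-factor verifier (possession + knowledge).
# The possession factor is an event-based one-time code computed as in RFC 4226 (HOTP);
# the knowledge factor is a PIN stored only as a salted PBKDF2 hash.

LOOKAHEAD = 5         # how far the token counter may run ahead of the server (missed presses)
MAX_FAILURES = 3      # lockout threshold, as in the "three unsuccessful tries" policy above
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, stretched PIN hash so a copied user database does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    token_secret: bytes     # shared with the user's hardware token at enrolment
    pin_salt: bytes
    pin_hash: bytes
    next_counter: int = 0   # lowest counter value the server will still accept
    failures: int = 0
    locked: bool = False


class Authenticator:
    """Hypothetical verifier; names and policy values are constructed for this example."""

    def __init__(self) -> None:
        self.users: dict[str, UserRecord] = {}

    def enroll(self, name: str, token_secret: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = UserRecord(token_secret, salt, hash_pin(pin, salt))

    def verify(self, name: str, pin: str, code: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Both factors are always evaluated, so the
        answer does not tell the caller which factor was wrong."""
        user = self.users.get(name)
        if user is None:
            return "denied"
        if user.locked:
            return "locked"

        pin_ok = hmac.compare_digest(hash_pin(pin, user.pin_salt), user.pin_hash)

        # Search the look-ahead window. A code for a counter below next_counter is a
        # replay and is never in the window; advancing the counter is the replay defence.
        matched = None
        for c in range(user.next_counter, user.next_counter + LOOKAHEAD):
            if hmac.compare_digest(hotp(user.token_secret, c), code):
                matched = c

        if pin_ok and matched is not None:
            user.next_counter = matched + 1   # consume this code and any skipped ones
            user.failures = 0
            return "ok"

        user.failures += 1
        if user.failures >= MAX_FAILURES:
            user.locked = True
            return "locked"
        return "denied"
```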

Sun-Ray (2, Informative)

0xG (712423) | more than 7 years ago | (#16801708)

I would hate to be the first one to say "try *nix" instead of Microsnot, but... I have seen Sun-Ray employed in a retail environment using ID cards, and was very impressed. The staff walk up to any terminal, insert the smart card, and instantly have their (previously disconnected, but still live) session re-established. As soon as they removed their cards, the session was disconnected pending resumption at any other terminal. No login, no restarting applications, etc. It was beautiful. On the downside, it does take bandwidth, and you may need to use a Sun server, which your app may not support. OTOH they may now support Terminal Services. Start here; HTH: http://www.sun.com/software/index.jsp?cat=Desktop&tab=3&subcat=Sun%20Ray%20Clients [sun.com]