Every time I come across fingerprint, fingervein, retina, iris, and other sorts of biometric scanners, I think of various science-fiction movie characters Arnold Schwarzenegger and others have played, and numerous scenes in which some bad guy borrows someone else’s body part to gain biometric access to a secure area or system. But I assure you, biometrics are real and they are good. For computers of all shapes and sizes, for telephones, building, office, laboratory, and data center access, can biometrics with Mac, Linux, Solaris, Windows and such operating systems be effectively utilized?
Let’s focus on a smaller question – what support does Microsoft Windows 7 and Windows Server 2008 R2 offer in terms of biometrics? Having authentication and subsequent authorization based on biometrics is not new in Windows if you consider third-party hardware and software, yet now Microsoft is making fingerprint devices and has included significant support for such devices from many vendors in these recent versions of Windows.
Be careful. Even Microsoft lists some of their own fingerprint reader as not 32-bit nor 64-bit compatible with Windows 7. And there’s a note on another Microsoft site which states “The Fingerprint Reader should not be used for protecting sensitive data such as financial information, or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities.” Clearly, if you’re not careful, there could be some concerns aside from how to authenticate people who have no fingers, certain cancer patients, and other people whose fingerprints aren’t reliably readable. I hope you don’t have to worry about someone borrowing a finger to gain access to your systems.
Yet there are many positive aspects to this huge step down the road to integrated biometric security which Microsoft has just taken. Windows Server 2008 R2 and Windows 7 both support the Windows Biometric Framework (WBF) which not only allows intrinsic security features such as interactive logon and user account control (UAC) to use fingerprint authentication, but also allows third-party applications to utilize such benefits.
Note that the new biometric features support both stand-alone computers and those in domain environments, as clearly stated more than once in TechNet’s “What’s New in Biometrics” article. Still, multi-factor authentication such as adequately secure passphrases (not simple passwords) along with fingerprint scanners can provide greater security. Better still, smartcards plus biometrics offer a potentially more secure combination.
Am I suggesting that everyone dive into the fingerprint scanning pool and abandon passwords all together? No, not yet and not without smartcards, and not without a good system lifecycle design which includes recovery and remediation options for all scenarios. This step Microsoft has taken to reduce the dependence on third-party hardware and software for such an integral facet of the operating system as authentication is of immense significance. Please keep two things in mind as you evaluate such technologies. First, Microsoft refers to the control panel, group policy, framework, and driver aspects generically as biometrics rather than just specifically fingerprints, so expect more options in the near future. Second, be sure to involve help desk, network security, and directory personnel in design of the pilot project(s) for evaluation and broader deployment. Although smartcards and biometrics can both offer significant advantages over the woes of password insecurity, they each have their own costs in the operational and support infrastructure.
Oh, and one more thing. Don’t forget to stock up on alcohol wipes and have all users wipe their fingerprints off their laptops each time they’re done using them, or ask them to wear gloves except when they’re authenticating.