[unisog] Biometrics for Active Directory Authentication

Mike Wiseman mike.wiseman at utoronto.ca
Thu Dec 15 13:54:42 GMT 2005

> Keep in mind they're not that hard to fool:
>    http://www.yubanet.com/artman/publish/article_28878.shtml
> I suspect a token-based system, e.g., SecurID, would be far more
> difficult to defeat, but don't recall seeing any solid, objective
> research on that.

Interesting article. But I don't think that a fingerprint sensor is 'easy' to defeat - 
making fingerprint models of an unsuspecting user would require a lot of effort. If one is 
willing to go this far, stealing a hardware token and capturing a PIN using a keylogger 
sounds simpler to me.

I evaluated the Sony Puppy USB fingerprint sensor (model 810) a while back and was 
impressed by it. It uses electrical capacitance sensing so perhaps this would distinguish 
between a real and fake finger. It also contains a cryptographic chip to do on-board 
functions - so it could be used with an x509 cert which, in itself, provides a high level 
of authentication assurance and can be used without a server component. They're too 
expensive ($200) for my application though.


Mike Wiseman
Computing and Networking Services
University of Toronto 
