[unisog] Biometrics for Active Directory Authentication

Micheal Cottingham micheal.cottingham at sv.vccs.edu
Thu Dec 22 20:03:57 GMT 2005


I apologize for not getting back to everybody sooner; we had some
upstream DNS problems earlier in the week.

I have read similar articles, and even tried a few simple things to
bypass the scanners. I tend to agree with Mike. If someone is able to
get that close for that period of time, you have more problems than
someone bypassing a fingerprint scanner.

Micheal Cottingham
Southside Virginia Community College
Network Security - Christanna Campus



Mike Wiseman wrote:

>>Keep in mind they're not that hard to fool:
>>
>>   http://www.yubanet.com/artman/publish/article_28878.shtml
>>
>>
>>I suspect a token-based system, e.g., SecurID, would be far more
>>difficult to defeat, but don't recall seeing any solid, objective
>>research on that.
>>
>
>Interesting article. But I don't think that a fingerprint sensor is 'easy' to defeat - 
>making fingerprint models of an unsuspecting user would require a lot of effort. If one is 
>willing to go this far, stealing a hardware token and capturing a PIN using a keylogger 
>sounds simpler to me.
>
>I evaluated the Sony Puppy USB fingerprint sensor (model 810) a while back and was 
>impressed by it. It uses electrical capacitance sensing so perhaps this would distinguish 
>between a real and fake finger. It also contains a cryptographic chip to do on-board 
>functions - so it could be used with an x509 cert which, in itself, provides a high level 
>of authentication assurance and can be used without a server component. They're too 
>expensive ($200) for my application though.
>
>Mike
>
>
>Mike Wiseman
>Computing and Networking Services
>University of Toronto 
>
>

