Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Ask Slashdot: Best Biometric Authentication System? 127

kwelch007 writes I run a network for a company that does manufacturing primarily in a clean-room. We have many systems in place that track countless aspects of every step. However, we do not have systems in place to identify the specific user performing the step. I could do this easily, but asking users to input their AD login every time they perform a task is a time-waster (we have "shared" workstations throughout.) My question is, what technologies are people actually using successfully for rapid authentication? I've thought about fingerprint scanners, but they don't work because in the CR we have to wear gloves. So, I'm thinking either face-recognition or retinal scans...but am open to other ideas if they are commercially viable.
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Best Biometric Authentication System?

Comments Filter:
  • RFID/card scanner (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 26, 2014 @07:09PM (#48471013)

    Don't you all already badges or dongles or something along those lines?

    • Re:RFID/card scanner (Score:5, Interesting)

      by Albanach ( 527650 ) on Wednesday November 26, 2014 @07:17PM (#48471075) Homepage

      An AC first post hits the nail on the head. I'd have thought RFID would be faster, less intrusive and possibly more reliable. Pretty sure it would be cheaper to implement too.

      Unless you're worried about people using someone else's card to authenticate, this seems like the smart solution. Still, I can't believe you haven't thought about this, so maybe there's some reason you feel RFID wouldn't be suitable.

      • by davester666 ( 731373 ) on Thursday November 27, 2014 @12:05AM (#48472223) Journal

        cattle tag on the ear should also work well. readily available and not that expense. software already available for tracking movement and what milking station they are in. what more do you need?

      • An AC first post hits the nail on the head.

        And AC first post -- and the first responder to the post -- appear to have been hit on the heat by a very heavy nail.

        RFID, chips, cards, etc. have the SAME "problem" as IP addresses: they don't identify the PERSON, they just identify the identification. If someone else is holding the identification, all bets are off.

        Entire movies have been made about this. I mean, come on.

        • by Ihlosi ( 895663 )
          RFID, chips, cards, etc. have the SAME "problem" as IP addresses: they don't identify the PERSON, they just identify the identification. If someone else is holding the identification, all bets are off.

          The author of the article mentioned using a simple login/password, but rejected the idea because it was too much hassle - not because someone else could use the login/password combination. This means that the employees can be trusted not misuse their credentials.

          • It means nothing of the sort. That is an assumption on your part.

            OP asked for "biometric" ID, okay? RFID, cards, NFC, etc. are not biometric. The reasonable assumption -- unlike yours -- is that he had an actual REASON for asking for biometrics. People don't usually say things for no reason.

            Having said that, most consumer-level biometrics are crap. Despite Apple, fingerprint readers are crap for any kind of real security. Capacitance is even worse. You can foil it (pun intended, but pretty literally)
            • by tlhIngan ( 30335 )

              OP asked for "biometric" ID, okay? RFID, cards, NFC, etc. are not biometric. The reasonable assumption -- unlike yours -- is that he had an actual REASON for asking for biometrics. People don't usually say things for no reason.

              Probably because biometrics are easy. You're pretty much guaranteed to have a face or a finger that can be scanned inside the cleanroom. Except of course, you're wearing gloves, and no mention if they have to put on the burka-like hoods as well (which eliminate all but iris scans, wh

        • by hughk ( 248126 )
          Plain RFID is fairly good, especially in an already secure area. Otherwise, the oldie but goodie: Something you have, Something you know. RFID+easy PIN? RFID as it doesn't need contact and will work through protective "skins" and a 4-digit PIN to identify the card owner.
        • Fair point, but easily mitigated with a simple procedure: When people come into the clean room have a person check their ID and give them a one time use RFID wristband like those tear off wristbands you get at nightclubs. Now that RFID value is tied to the owner and cannot be changed without destroying it. When their shift ends, take it off, throw it away, lather, rinse, repeat.
        • RFID, chips, cards, etc. have the SAME "problem" as IP addresses: they don't identify the PERSON, they just identify the identification. If someone else is holding the identification, all bets are off.

          OK, that's a valid point.

          (1) This is a working environment where people are already wearing all-encompassing clothing, so there are no issues about requiring someone to wear another item of clothing/ equipment.
          (2) So ... put the RFID (or equivalent, I'll use "RFID*" to cover all such technologies) onto a wr

      • If there was concern about people using someone else's card, a hybrid system could be used. On coming in to work, a person could pick up a random RFID bracelet, put it on, and "clock in" at a station that does a biometric check and assigns that bracelet to that identity for the day. Design the bracelets so that removing one causes it to signify that it has "clocked out," and needs a visit to a clock-in station to become valid again.
    • Use a YubiKey and OAuth APIs. Neat and clean, and although it can be spoofed, it's not easy to do, and is as good as you get without easy to screw up "bio-authentication" infrastructure. You keep it on your badge fob, and it squirts a string as a single-key USB keyboard. Grab the string, use it with OAuth or as an identifier, and be on your way with sanity.

      • by mlts ( 1038732 )

        Biometrics might be useful for a lock inside an already secure company, but there are so many existing solutions which work well with AD that cobbling up something can be pointless:

        1: Why not just use regular AD authentication at the core, move the 2FA to the edges? I've seen this done using either Cisco software for VPNs, Citrix, or other means. This way, to authenticate from machine to machine (especially if UNIX machines use AD and there isn't a way to add anything), it doesn't take that much. Plus,

        • I'd agree with this. There comes a point where people will avoid 2Fa if it's too complex. Sometimes it just means adding nagware, timeouts, and WTFs if auth isn't congruent. And sometimes weird legal dept senses of regulatory compliance enter in, too. Indeed that might be the best place to start if audit/compliance is a side-output of the process.

          • by mlts ( 1038732 )

            If I were deploying an infrastructure, I'd go with a basic layered approach. The sensitive stuff either gets put behind RDP or Citrix (with 2FA to log onto those servers), the edge VPNs definitely get 2FA, and average machines get "plain old" AD logins with passwords changed on a normal schedule like every 30-60 days [1].

            Of course, network topology, and devices play a large part in this. This way, a guy in receiving who gets malware on his machine will not affect the computers in finance or development.

        • I don't agree with any kind of single Auth mechanism even inside the network, except for personal workstations. A single keylogger on a compromised machine can ruin your business pretty quickly this way, and it has happen(s|ed) often enough that people should know better by now. Maybe 1FA on your workstation, but any server access should be 2FA all the time regardless of your location and connection type. At least as important, if you are using 1FA for a workstation the LDAP infrastructure should be comp

    • by hawguy ( 1600213 ) on Wednesday November 26, 2014 @08:19PM (#48471379)

      Don't you all already badges or dongles or something along those lines?

      Hard to get any faster and more convenient than this -- if they don't want to make employees scan their badges, put an RFID reader in the chair and keep the badge in the back pocket and it's automatic and instant every time they sit down at a workstation.

      Unless they have a specific need for biometrics, there's no point in using it.

    • by Kohath ( 38547 )

      If you really need security for some reason, use it to match the person to the badge at the clean room entrance. That will keep someone from using a stolen badge.

    • RFID bracelets are fairly cheap.
      If a little thought is put into the readers' placement, authentication should require minimal/no interruption of the workflow.

    • What's the matter? Not looking forward to the calls to IT support to change your Biometric Password? Biometric authentication is generally a Very Bad Idea (tm), with a very narrow set of reasonable use cases. Typing a password being "a time-waster" does not, in my opinion, meet the criteria.

      I'm with the parent here, use HID or something similar.

  • None (Score:4, Informative)

    by Anonymous Coward on Wednesday November 26, 2014 @07:10PM (#48471023)

    I work in a class 10 clean room with shared workstations as well. Manual log-in to every workstation is the norm. Biometrics are not only infeasible in such a cleanroom environment, they are more trouble than they are worth, and also not likely to be as secure as you hope (or as reliable).

  • by Anonymous Coward

    Why does it need to be bio-metric? How about scanning a fob or access card?

  • A blood sample and DNA analysis is most accurate. Now, what is your definition of "best"?

    If, for example, you want to incontinence users the most, you could devise biometric authentication based on anal probing. If you want to inconvenience the least, some form of gait analysis would work, but with a significant number of false positives.
  • Biometric certainly ISN'T a time saver. They tend to be slow to process and take more time than most authentication options. Surely you have proximity cards or smart cards, they are a far easier, faster option if all you are after is a fast easy authentication method.

    • Exactly. Biometrics make even less sense because this is a clean room. Use clip on RFID tags on the end of their shirtsleeves or some other physical location that allows the RFID tag to be read while the worker is at the station.

      • by cHALiTO ( 101461 )

        I don't know what kind of biometric auth systems you used, but I used to work for a company that did professional AFIS systems and on the side some fingerprint auth solutions including usb readers, and they were damn fast and convenient.
        I imagine it must depend on what you use. There's consumer grade shit like apple's or MS's fingerprint scanners and software, and then there's pro stuff.

        Plus, to the guy that said ADN was secure. It's not. Fingerprints are far more secure (the gummy bear trick and others hav

  • If you're just trying to *identify* a user then a simple RFID, barcode scanner or QR reader would be fine. I assume the staff have ID cards so just incorporate it with that.

    For any steps that specifically require security authentication then you use a password as well.

  • Cameras (Score:5, Interesting)

    by randall77 ( 1069956 ) on Wednesday November 26, 2014 @07:28PM (#48471143) Homepage
    Just buy a point-of-sale camera system that department stores use. They keep weeks of video from dozens of cameras available for review. Requires 0 overhead in the common case when no audit is required. It is really easy to find out who did what given a time and camera ID. Use humans for your facial recognition, they're actually really good at it.
    • by pepty ( 1976012 )
      For quite a few cleanrooms the common case is the logs are used for QC and for compliance with federal regulations. Also, people in clean rooms are generally wearing safety glasses, masks, bonnets, etc, so figuring out who is who would be a pain.
      • It's hard to identify people that are all dressed the same and are wearing face coverings. Thankfully, team sports figured out a HUNDRED YEARS AGO how to do this. Put big numbers and/or names on their backs. Done.

  • A kinect sensor could be hooked up to a computer and do a decent job of telling one user from another. You don't need a large open space if you simply want to identify who is working where.
  • by Anonymous Coward

    I've been sitting on this idea for authentification using seat mounted sphincter scans.

    Go ahead and make your jokes, but ..

  • too complicated (Score:4, Insightful)

    by roc97007 ( 608802 ) on Wednesday November 26, 2014 @07:52PM (#48471273) Journal

    > So, I'm thinking either face-recognition or retinal scans...

    Waayyyy too complicated and expensive and Charlie's Angels-ish. If all you're trying to do is identify which user performed which step, RFID is your friend. Have an RFID sensor integrated into the workstation, and require the user to "sign" their work with their badge before they can commit.

    Look at people going to work every day using RFID badges. If you want something faster than logging in with A/D credentials (which would have been my first suggestion), swiping a badge is pretty much as fast as you're going to find.

    Now, if people using each other's credentials is a concern, or security in general, then you're looking at using A/D credentials plus a badge ("something you know, and something you have"). I personally wouldn't go with biometrics until they've gotten cheaper and more foolproof. Maybe never.

    • by Matheus ( 586080 )

      I agree that this is not a great usage for biometrics... maybe if you were adding security to the whole lab not just a step verification.

      BUT if you were to go Biometric then you should use Iris (Not Retina or Face). It is the easiest, fastest and most accurate for 1-1 Verification (Assuming you get your tech from Morpho... they have a patent on the only good tech right now)

      Retina is just too invasive and doesn't give you any more (maybe even less) accuracy than Iris.. not really used much any more.

      Face is

      • by cusco ( 717999 )

        I was just going to post the same, except to mention AOpix (haven't used a Morpho system).

      • by cHALiTO ( 101461 )

        Exactly. I used to work at Morpho's base company (ex Sagem, french co.), and they had some good products. The fingerprint recogniton solutions were top notch too.

        Disclaimer: yes, I worked for them, but I don't now, not even working in biometrics now, and I couldn't care less how the company is doing, I'm not trying to advertise for them, I just think the tech they had when I was there was pretty good :)

  • by Anonymous Coward

    If you have to meet something like 21 CFR part 11 you better start explaining why you want to implant proximity rfid in your employees's hands.
    If you are serious though - a usb OTP+keypad unlocking a X509 certificate on same (chip & pin EMV)

  • None! (Score:5, Insightful)

    by Vlijmen Fileer ( 120268 ) on Wednesday November 26, 2014 @07:54PM (#48471287)

    Can this discussion about the supposed virtues of biometric identification / authentication please die?
    Biometric properties are like usernames. Not like passwords. They don't "authenticate" anybody; your fingerprints e.g. can be found all over the world, right in the open.
    And on top of that they are BAD usernames, because they can not be changed. Once your biometric identity has been compromised, you have to give up to whole identification / authentication /system/, because the property can not be changed!

    • There are lots of perfectly valid uses for biometric identification, including as a factor in a set of authenticated credentials. It's just that they shouldn't be used alone (nor should any other factor).

  • For instance, at any given time, about 2% of the population cannot be authenticated by fingerprints (people with various conditions that result in very thin skin tend to have no prints; occupational reasons: bricklayers; people with fingerprints that don't generate decent features for the recognizers, which look for whorls and gaps and points; people with cuts and disfigurement)
    It is also incredibly easy to make fake fingers that will false positive the system. No, you don't need to cut the finger off the

    • by dszd0g ( 127522 )

      It is my understanding that retinal scans can be effected by health conditions. Pregnancy, diabetes, glaucoma, retinal degenerative disorder, AIDS, syphilis, malaria, chicken pox, lyme disease, leukemia, lympoma, sickle cell, congestive heart failure, atherosclerosis, and significant cholesterol change can all apparently cause a retinal scan to change. While some employees may find detection of these conditions as a good thing, other employees may find it invasive.

      Research seems to indicate that iris scan

  • How concerned are you about taking the responsibility of authenticating "I am me" away from the individuals? If you can trust them with that information, then the RFID bracelets that a lot of barstaff use seems like it would be perfect. Swipe your arm past the scanner whenever you need to say "this is me" -- works great unless you are worried about people swapping them.

  • by manu0601 ( 2221348 ) on Wednesday November 26, 2014 @09:00PM (#48471539)

    Biometric authentication is flawed, because your credentials are not secret, and they cannot be revoked. If an attacker manage to clone for instance your fingertip, you cannot change it, you need to change the authentication system.

    Biometric may be reasonably used as a second factor, for instance for unlocking a smart card

  • WTF (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 26, 2014 @09:06PM (#48471561)

    Typical engineer, overcomplicating the shit out of a simple problem. Give each guy a 4-digit PIN and have them hammer it in to the workstation to gain access.

  • by Culture20 ( 968837 ) on Wednesday November 26, 2014 @10:34PM (#48471887)
    Welcome back Mr. Soandso. Nice weather tonight isn't it?
  • Although I tend to agree with the general consensus that RFID or even QR codes would be a simpler way to identify (not authenticate) people, there is one important nuance being missed in all the criticism of biometric.

    In the most common use cases for biometrics, you're attempting to distinguish this one person vs the other 5 billion people in the world. That's hard. This particular use case is much simpler - we're judt asking it to distinguish betweenthe 50 or so people who work in this clean room. In ot

  • Who wants this? You? (Score:5, Interesting)

    by vinn ( 4370 ) on Thursday November 27, 2014 @12:09AM (#48472243) Homepage Journal
    Having spent a lot of time around such things, I have to ask, who's project is this? Who wants this? Just you?

    If your boss or the CEO is asking for this - great. Go do it. That's your job. (The RFID comments seem in the right ballpark.)

    If a mid-level manager or you is taking this on as a pet project, then you need to do some soul searching. This doesn't seem to have much immediate benefit to the bottom line of the company. This doesn't drive revenue creation and it doesn't drive product development. Almost every time I hear someone say, "We need to track X", I rarely ever hear someone else say, "Get me the statistics on X". Tracking shit is easy, crunching the numbers to calculate metrics isn't. If this is simply compliance tracking, listen to the guy who says to install cameras and then dump it to a crapload of drives. If there's an audit, hand over the video and let the auditors sort it out.

    There is a whole lot of not-your-job in here and very little hero making to be done.
  • by markdavis ( 642305 ) on Thursday November 27, 2014 @12:28AM (#48472289)

    Deep vein scan (typically of the palm) is the only biometric that I would find acceptable from a privacy standpoint. It can't be "stolen" or "lifted", it is not visible from a reasonable distance, it can't be easily scanned without the user's consent. It requires being "alive". It is reliable and simple to acquire. I have used it and seen it in action... very impressive.

    Fingerprints are horribly abused and left everywhere and can't be read through gloves. Easily copied and fooled.

    DNA is extremely expensive, extremely slow, has severe privacy implications, and is left everywhere.

    Facial recognition is not extremely accurate, is often slow, and is the WORST biometric from a privacy standpoint.

    Retina scan is complex and probably the most expensive besides DNA.

    Finger spread biometric is inaccurate and insecure (can be obtained from a distance via

    • by Anonymous Coward

      Completely agree - I was about to post a vein scanner option when I saw your comments. Some ATMs in Japan use them!

      http://www.fujitsu.com/us/services/biometrics/palm-vein/

      I don't understand why more products don't utilise vein scanning - seems like the holy grail of biometrics!

  • I doubt you'll find a biometric solution that will work well in that environment. Have you considered NFC tokens such as YubiKey? What about active or passive proximity authentication?

  • Ok, so retina scans and face recognition don't work well in a clean room because your people should be wearing goggles and a face mask. Also, this is about training, not technology.

    I'm assuming you're going beyond the standard card access machines that are already in most clean rooms and are instead trying to track "little" things like wash steps, microscopy review, hot plate use, etc.

    Electronic lab notebooks (this used to be a server-workstation kind of thing, but it's tablets now) are great for this. Th

  • In a clean room, swiping a badge each time is hard. Use RFID in a wrist band. The hand needs to push a button. Put a reader next to the default button so pressing the button authenticates with RFID. For non-default operations requires a RFID swipe. Could the reader be an IoT (Internet of Things) device?

    Strong authentication with an RFID device in a clean room environment is easy. Put the RFID wrist band on under the bunny suit. Require the user to authenticate on a computer with their RFID wrist ban

  • At the point of entry to the clean-room, use RFID + biometric (and possibly also PIN or password). That effectively reasserts RFID in possession of the authenticated person upon entry to clean-room. Policy should enforce that RFID is to be on the person from entry to exit of clean-room. Then just use the RFID until they exit the clean-room. If any operations in the clean-room are so crucial as to require additional authentication/audit beyond that, add cameras+recording and/or additional authentication wher
  • Can't you just (wirelessly) scan an ID card/badge?
  • Fujitsu PalmSecure is rather straightforward. Scans your palm veins using IR, which means a reasonable chance to scan through gloves and other material
  • In all the cleanrooms I have been in face masks have been required. Human breath has a lot of water droplets in it.
    How are you going to get a face recognition off someone in clothes like this? [moduleclean.com]
    The employees are not allowed to take off their face mask for a scan. Suggesting it would get you laughed at and fired at the places where I worked.

    Just use RFID scanners with the access badges they already have or with RFID bracelets like mentioned in other posts. For additional security: have a guard at the door. Onc

  • No matter the kind of authentication used: if it cannot be linked to your applications (e.g. via SSO), it is useless.

    You say you cannot enforce personal login in "shared workstations" (what do you mean by "shared"? I hope you are not sharing user sessions). How would you enforce the use of other methods?

    I guess you first should set a clear security policy, then look for an appropriate technology. Which access (physical, OS, application) do you want to authenticate / log, and how? As other commenters pointed

  • Iris recognition is the easiest and most reliable; the reason it's less popular is it was wildly overpriced until the patents on the technology expired a few years ago, but since then a number of players have entered the market and you can actually play with free software that will perform iris recognition via a Webcam, which might be all you need. Retinal scanning feels extremely invasive to users; you generally need people to put their forehead up against a rest and hold still and users typically won't ac

  • by popoutman ( 189497 ) * on Thursday November 27, 2014 @06:41AM (#48473215) Journal
    Why do people constantly think to use biometrics as passwords, instead of as usernames? The fuzzy nature of digitising a biometric makes the system fall between two stools - few false negatives at the expense of many false positives or the reverse. In practice this means that you either need to scan a few times to get a good id, or run the risk of scanning as someone else. Given that you cannot change a biometric, why on earth would you use it as a single factor authentication system. It's far far better to scan a biometric then use a PIN as you can change a PIN... If you use a biometric as a single factor, you have not gained anything over the use of e.g. only a PIN, and you must allow for the possibility of false positives (equivalent of entering someone else's PIN).
  • by ddg ( 3928855 )
    For your particular scenario iris recognition seems to be the most viable option. Iris is very fast and accurate and will not require removing gloves etc.
    • For your particular scenario iris recognition seems to be the most viable option. Iris is very fast and accurate and will not require removing gloves etc.

      Iris scans are much more reliable than fingerprints. However, they don't come without issues. The capture algorithm must include:

      * Dealing with occlusions. Either the top or bottom of the iris is usually occluded depending on racial origins.
      * Dealing with spoofing. For this a single snapshot is not reasonable. A sequence (video) is needed in order to check for pupil pulsations that indicate a live eye. In addition, you need to do spherical eye checks so you know you're not looking at a projection. The

Do molecular biologists wear designer genes?

Working...