Ask Slashdot: Best Biometric Authentication System?
kwelch007 writes I run a network for a company that does manufacturing primarily in a clean-room. We have many systems in place that track countless aspects of every step. However, we do not have systems in place to identify the specific user performing the step. I could do this easily, but asking users to input their AD login every time they perform a task is a time-waster (we have "shared" workstations throughout.) My question is, what technologies are people actually using successfully for rapid authentication? I've thought about fingerprint scanners, but they don't work because in the CR we have to wear gloves. So, I'm thinking either face-recognition or retinal scans...but am open to other ideas if they are commercially viable.
RFID/card scanner (Score:5, Insightful)
Don't you all already have badges or dongles or something along those lines?
Re:RFID/card scanner (Score:5, Interesting)
An AC first post hits the nail on the head. I'd have thought RFID would be faster, less intrusive and possibly more reliable. Pretty sure it would be cheaper to implement too.
Unless you're worried about people using someone else's card to authenticate, this seems like the smart solution. Still, I can't believe you haven't thought about this, so maybe there's some reason you feel RFID wouldn't be suitable.
Re:RFID/card scanner (Score:5, Funny)
cattle tag on the ear should also work well. readily available and not that expensive. software already available for tracking movement and what milking station they are in. what more do you need?
Re: (Score:3)
An AC first post hits the nail on the head.
And AC first post -- and the first responder to the post -- appear to have been hit on the head by a very heavy nail.
RFID, chips, cards, etc. have the SAME "problem" as IP addresses: they don't identify the PERSON, they just identify the identification. If someone else is holding the identification, all bets are off.
Entire movies have been made about this. I mean, come on.
Re: (Score:2)
The author of the article mentioned using a simple login/password, but rejected the idea because it was too much hassle - not because someone else could use the login/password combination. This means that the employees can be trusted not to misuse their credentials.
Re: (Score:2)
OP asked for "biometric" ID, okay? RFID, cards, NFC, etc. are not biometric. The reasonable assumption -- unlike yours -- is that he had an actual REASON for asking for biometrics. People don't usually say things for no reason.
Having said that, most consumer-level biometrics are crap. Despite Apple, fingerprint readers are crap for any kind of real security. Capacitance is even worse. You can foil it (pun intended, but pretty literally)
Re: (Score:2)
Probably because biometrics are easy. You're pretty much guaranteed to have a face or a finger that can be scanned inside the cleanroom. Except of course, you're wearing gloves, and no mention if they have to put on the burka-like hoods as well (which eliminate all but iris scans, wh
Re: (Score:2)
Re: RFID/card scanner (Score:1)
Re: (Score:2)
OK, that's a valid point.
(1) This is a working environment where people are already wearing all-encompassing clothing, so there are no issues about requiring someone to wear another item of clothing/ equipment. ... put the RFID (or equivalent, I'll use "RFID*" to cover all such technologies) onto a wr
(2) So
Re: (Score:2)
Re: (Score:2)
Use a YubiKey and OAuth APIs. Neat and clean, and although it can be spoofed, it's not easy to do, and is as good as you get without easy to screw up "bio-authentication" infrastructure. You keep it on your badge fob, and it squirts a string as a single-key USB keyboard. Grab the string, use it with OAuth or as an identifier, and be on your way with sanity.
Re: (Score:3)
Biometrics might be useful for a lock inside an already secure company, but there are so many existing solutions which work well with AD that cobbling up something can be pointless:
1: Why not just use regular AD authentication at the core, move the 2FA to the edges? I've seen this done using either Cisco software for VPNs, Citrix, or other means. This way, to authenticate from machine to machine (especially if UNIX machines use AD and there isn't a way to add anything), it doesn't take that much. Plus,
Re: (Score:2)
I'd agree with this. There comes a point where people will avoid 2FA if it's too complex. Sometimes it just means adding nagware, timeouts, and WTFs if auth isn't congruent. And sometimes weird legal dept senses of regulatory compliance enter in, too. Indeed that might be the best place to start if audit/compliance is a side-output of the process.
Re: (Score:3)
If I were deploying an infrastructure, I'd go with a basic layered approach. The sensitive stuff either gets put behind RDP or Citrix (with 2FA to log onto those servers), the edge VPNs definitely get 2FA, and average machines get "plain old" AD logins with passwords changed on a normal schedule like every 30-60 days [1].
Of course, network topology, and devices play a large part in this. This way, a guy in receiving who gets malware on his machine will not affect the computers in finance or development.
Bad advice (Score:2)
I don't agree with any kind of single Auth mechanism even inside the network, except for personal workstations. A single keylogger on a compromised machine can ruin your business pretty quickly this way, and it has happen(s|ed) often enough that people should know better by now. Maybe 1FA on your workstation, but any server access should be 2FA all the time regardless of your location and connection type. At least as important, if you are using 1FA for a workstation the LDAP infrastructure should be comp
Re:RFID/card scanner (Score:4, Insightful)
Don't you all already have badges or dongles or something along those lines?
Hard to get any faster and more convenient than this -- if they don't want to make employees scan their badges, put an RFID reader in the chair and keep the badge in the back pocket and it's automatic and instant every time they sit down at a workstation.
Unless they have a specific need for biometrics, there's no point in using it.
Re: (Score:3)
If you really need security for some reason, use it to match the person to the badge at the clean room entrance. That will keep someone from using a stolen badge.
Re: (Score:3)
RFID bracelets are fairly cheap.
If a little thought is put into the readers' placement, authentication should require minimal/no interruption of the workflow.
Re: (Score:2)
What's the matter? Not looking forward to the calls to IT support to change your Biometric Password? Biometric authentication is generally a Very Bad Idea (tm), with a very narrow set of reasonable use cases. Typing a password being "a time-waster" does not, in my opinion, meet the criteria.
I'm with the parent here, use HID or something similar.
None (Score:4, Informative)
I work in a class 10 clean room with shared workstations as well. Manual log-in to every workstation is the norm. Biometrics are not only infeasible in such a cleanroom environment, they are more trouble than they are worth, and also not likely to be as secure as you hope (or as reliable).
Re: (Score:2)
Above posts already answered the question, though. Biometrics make no sense when the point is not really authentication (which assumedly in a clean room was already done) but identification. Just use an RFID tag. Done.
why bio (Score:1)
Why does it need to be bio-metric? How about scanning a fob or access card?
A probing question (Score:2)
If, for example, you want to incontinence users the most, you could devise biometric authentication based on anal probing. If you want to inconvenience the least, some form of gait analysis would work, but with a significant number of false positives.
Re:A probing question (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
If you can't trust them not to cheat the system, you shouldn't be letting them in the clean room at all.
Re: (Score:2)
The Apple Pay implementation of NFC would work, though because of the gloves you would have to use the passcode option, not the fingerprint.
why biometric? (Score:2)
Biometric certainly ISN'T a time saver. They tend to be slow to process and take more time than most authentication options. Surely you have proximity cards or smart cards, they are a far easier, faster option if all you are after is a fast easy authentication method.
Re: (Score:2)
Exactly. Biometrics make even less sense because this is a clean room. Use clip on RFID tags on the end of their shirtsleeves or some other physical location that allows the RFID tag to be read while the worker is at the station.
Re: (Score:2)
I don't know what kind of biometric auth systems you used, but I used to work for a company that did professional AFIS systems and on the side some fingerprint auth solutions including usb readers, and they were damn fast and convenient.
I imagine it must depend on what you use. There's consumer grade shit like apple's or MS's fingerprint scanners and software, and then there's pro stuff.
Plus, to the guy that said ADN was secure. It's not. Fingerprints are far more secure (the gummy bear trick and others hav
Identify or Authenticate?? (Score:1)
If you're just trying to *identify* a user then a simple RFID, barcode scanner or QR reader would be fine. I assume the staff have ID cards so just incorporate it with that.
For any steps that specifically require security authentication then you use a password as well.
Cameras (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
It's hard to identify people that are all dressed the same and are wearing face coverings. Thankfully, team sports figured out a HUNDRED YEARS AGO how to do this. Put big numbers and/or names on their backs. Done.
Kinect (Score:2)
Next Great Thing (Score:1)
I've been sitting on this idea for authentication using seat mounted sphincter scans.
Go ahead and make your jokes, but ..
FTFY (Score:2)
Go ahead and make your jokes, butt ..
Re: (Score:2)
I saw some video about a hand scanner that uses your vein mapping. This is good because you don't need to touch it, and it'd be hard to replicate.
But does it work through gloves?
Re: (Score:3)
I saw some video about a hand scanner that uses your vein mapping. This is good because you don't need to touch it, and it'd be hard to replicate.
But does it work through gloves?
Yes. You simply place your hand in the 3T MRI cavity, wait 45 minutes for the scan to complete, and voila, instant authentication!
too complicated (Score:4, Insightful)
> So, I'm thinking either face-recognition or retinal scans...
Waayyyy too complicated and expensive and Charlie's Angels-ish. If all you're trying to do is identify which user performed which step, RFID is your friend. Have an RFID sensor integrated into the workstation, and require the user to "sign" their work with their badge before they can commit.
Look at people going to work every day using RFID badges. If you want something faster than logging in with A/D credentials (which would have been my first suggestion), swiping a badge is pretty much as fast as you're going to find.
Now, if people using each other's credentials is a concern, or security in general, then you're looking at using A/D credentials plus a badge ("something you know, and something you have"). I personally wouldn't go with biometrics until they've gotten cheaper and more foolproof. Maybe never.
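The badge-to-sign flow suggested in the comment above, as an added example that is not part of the original thread: a badge tap identifies the operator for routine steps, steps marked sensitive also require something the user knows, and each record is hash-chained so later edits are detectable. The badge UIDs, user names, PIN, step names and the hash chain itself are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data: badge UIDs, users, PIN and step names are hypothetical.
BADGES = {"04A1B2C3": "jdoe", "04D4E5F6": "asmith"}
SENSITIVE_STEPS = {"release_lot"}


def pin_hash(pin, salt):
    # Salted, iterated hash; a 4-digit PIN still needs attempt limiting (not shown).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


PIN_DB = {"jdoe": (b"salt-jdoe", pin_hash("4821", b"salt-jdoe"))}


def digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class StepLog:
    """Append-only step log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def sign_step(self, station, step, badge_uid, pin=None, ts=None):
        # The badge only identifies: it says which badge was present, not who held it.
        user = BADGES.get(badge_uid.upper())
        if user is None:
            raise PermissionError("unknown badge")
        factors = ["badge"]
        if step in SENSITIVE_STEPS:
            # "Something you know" on top of "something you have".
            record = PIN_DB.get(user)
            if pin is None or record is None:
                raise PermissionError("second factor required")
            salt, expected = record
            if not hmac.compare_digest(pin_hash(pin, salt), expected):
                raise PermissionError("second factor rejected")
            factors.append("pin")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "ts": int(ts or time.time()),
                "station": station, "step": step, "user": user,
                "factors": factors, "prev": prev}
        entry = dict(body, hash=digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        # Recompute every hash and link; any edited or dropped entry breaks the chain.
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

The `factors` field records how strongly each step was attributed, which lets a reviewer separate "this badge was present" from "this user also proved knowledge of a secret".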
Re: (Score:2)
I agree that this is not a great usage for biometrics... maybe if you were adding security to the whole lab not just a step verification.
BUT if you were to go Biometric then you should use Iris (Not Retina or Face). It is the easiest, fastest and most accurate for 1-1 Verification (Assuming you get your tech from Morpho... they have a patent on the only good tech right now)
Retina is just too invasive and doesn't give you any more (maybe even less) accuracy than Iris.. not really used much any more.
Face is
Re: (Score:2)
I was just going to post the same, except to mention AOpix (haven't used a Morpho system).
Re: (Score:2)
Exactly. I used to work at Morpho's base company (ex Sagem, French co.), and they had some good products. The fingerprint recognition solutions were top notch too.
Disclaimer: yes, I worked for them, but I don't now, not even working in biometrics now, and I couldn't care less how the company is doing, I'm not trying to advertise for them, I just think the tech they had when I was there was pretty good :)
Part 11 much? (Score:1)
If you have to meet something like 21 CFR part 11 you better start explaining why you want to implant proximity rfid in your employees' hands.
If you are serious though - a usb OTP+keypad unlocking an X509 certificate on same (chip & pin EMV)
None! (Score:5, Insightful)
Can this discussion about the supposed virtues of biometric identification / authentication please die?
Biometric properties are like usernames. Not like passwords. They don't "authenticate" anybody; your fingerprints e.g. can be found all over the world, right in the open.
And on top of that they are BAD usernames, because they can not be changed. Once your biometric identity has been compromised, you have to give up the whole identification / authentication /system/, because the property can not be changed!
Re: (Score:2)
There are lots of perfectly valid uses for biometric identification, including as a factor in a set of authenticated credentials. It's just that they shouldn't be used alone (nor should any other factor).
most biometric sensors have significant issues (Score:1)
For instance, at any given time, about 2% of the population cannot be authenticated by fingerprints (people with various conditions that result in very thin skin tend to have no prints; occupational reasons: bricklayers; people with fingerprints that don't generate decent features for the recognizers, which look for whorls and gaps and points; people with cuts and disfigurement)
It is also incredibly easy to make fake fingers that will false positive the system. No, you don't need to cut the finger off the
Re: (Score:2)
It is my understanding that retinal scans can be affected by health conditions. Pregnancy, diabetes, glaucoma, retinal degenerative disorder, AIDS, syphilis, malaria, chicken pox, Lyme disease, leukemia, lymphoma, sickle cell, congestive heart failure, atherosclerosis, and significant cholesterol change can all apparently cause a retinal scan to change. While some employees may find detection of these conditions as a good thing, other employees may find it invasive.
Research seems to indicate that iris scan
Re: (Score:2)
Dear me, you must have missed "THREEE-DEEE PRINTERS IN SPAAAAAAAAACE [slashdot.org]" that was posted... um, yesterday.
Bracelet (Score:1)
How concerned are you about taking the responsibility of authenticating "I am me" away from the individuals? If you can trust them with that information, then the RFID bracelets that a lot of barstaff use seem like they would be perfect. Swipe your arm past the scanner whenever you need to say "this is me" -- works great unless you are worried about people swapping them.
Biometric authentication is flawed (Score:4, Insightful)
Biometric authentication is flawed, because your credentials are not secret, and they cannot be revoked. If an attacker manages to clone for instance your fingertip, you cannot change it, you need to change the authentication system.
Biometric may be reasonably used as a second factor, for instance for unlocking a smart card
WTF (Score:5, Insightful)
Typical engineer, overcomplicating the shit out of a simple problem. Give each guy a 4-digit PIN and have them hammer it in to the workstation to gain access.
Best biometric? A doorman with good memory. (Score:3)
devil's advocate: bio for 200 people (Score:2)
Although I tend to agree with the general consensus that RFID or even QR codes would be a simpler way to identify (not authenticate) people, there is one important nuance being missed in all the criticism of biometric.
In the most common use cases for biometrics, you're attempting to distinguish this one person vs the other 5 billion people in the world. That's hard. This particular use case is much simpler - we're just asking it to distinguish between the 50 or so people who work in this clean room. In ot
Who wants this? You? (Score:5, Interesting)
If your boss or the CEO is asking for this - great. Go do it. That's your job. (The RFID comments seem in the right ballpark.)
If a mid-level manager or you is taking this on as a pet project, then you need to do some soul searching. This doesn't seem to have much immediate benefit to the bottom line of the company. This doesn't drive revenue creation and it doesn't drive product development. Almost every time I hear someone say, "We need to track X", I rarely ever hear someone else say, "Get me the statistics on X". Tracking shit is easy, crunching the numbers to calculate metrics isn't. If this is simply compliance tracking, listen to the guy who says to install cameras and then dump it to a crapload of drives. If there's an audit, hand over the video and let the auditors sort it out.
There is a whole lot of not-your-job in here and very little hero making to be done.
vein scan is THE biometric (Score:4, Interesting)
Deep vein scan (typically of the palm) is the only biometric that I would find acceptable from a privacy standpoint. It can't be "stolen" or "lifted", it is not visible from a reasonable distance, it can't be easily scanned without the user's consent. It requires being "alive". It is reliable and simple to acquire. I have used it and seen it in action... very impressive.
Fingerprints are horribly abused and left everywhere and can't be read through gloves. Easily copied and fooled.
DNA is extremely expensive, extremely slow, has severe privacy implications, and is left everywhere.
Facial recognition is not extremely accurate, is often slow, and is the WORST biometric from a privacy standpoint.
Retina scan is complex and probably the most expensive besides DNA.
Finger spread biometric is inaccurate and insecure (can be obtained from a distance via
Re: (Score:1)
Completely agree - I was about to post a vein scanner option when I saw your comments. Some ATMs in Japan use them!
http://www.fujitsu.com/us/services/biometrics/palm-vein/
I don't understand why more products don't utilise vein scanning - seems like the holy grail of biometrics!
Other Options (Score:1)
I doubt you'll find a biometric solution that will work well in that environment. Have you considered NFC tokens such as YubiKey? What about active or passive proximity authentication?
lab book (Score:2)
Ok, so retina scans and face recognition don't work well in a clean room because your people should be wearing goggles and a face mask. Also, this is about training, not technology.
I'm assuming you're going beyond the standard card access machines that are already in most clean rooms and are instead trying to track "little" things like wash steps, microscopy review, hot plate use, etc.
Electronic lab notebooks (this used to be a server-workstation kind of thing, but it's tablets now) are great for this. Th
Re: (Score:2)
Reading the brain waves of a person may be better, harder to fake at least.
But a smart card with PKI and pin code authentication for every access needed will go a long way. If it's a facility with extreme security measures also add guards at checkpoints and make sure that some accesses require counter-signed authentication.
RFID and strong authentication in a clean room (Score:2)
In a clean room, swiping a badge each time is hard. Use RFID in a wrist band. The hand needs to push a button. Put a reader next to the default button so pressing the button authenticates with RFID. For non-default operations, require an RFID swipe. Could the reader be an IoT (Internet of Things) device?
Strong authentication with an RFID device in a clean room environment is easy. Put the RFID wrist band on under the bunny suit. Require the user to authenticate on a computer with their RFID wrist ban
RFID + biometric with biometric at cleanroom entry (Score:1)
Why biometrics? (Score:2)
PalmSecure perhaps? (Score:1)
Face recognition in cleanroom? Really? (Score:2)
In all the cleanrooms I have been in face masks have been required. Human breath has a lot of water droplets in it.
How are you going to get a face recognition off someone in clothes like this? [moduleclean.com]
The employees are not allowed to take off their face mask for a scan. Suggesting it would get you laughed at and fired at the places where I worked.
Just use RFID scanners with the access badges they already have or with RFID bracelets like mentioned in other posts. For additional security: have a guard at the door. Onc
Be consistent (Score:1)
No matter the kind of authentication used: if it cannot be linked to your applications (e.g. via SSO), it is useless.
You say you cannot enforce personal login in "shared workstations" (what do you mean by "shared"? I hope you are not sharing user sessions). How would you enforce the use of other methods?
I guess you first should set a clear security policy, then look for an appropriate technology. Which access (physical, OS, application) do you want to authenticate / log, and how? As other commenters pointed
To actually respond to your question... (Score:2)
Iris recognition is the easiest and most reliable; the reason it's less popular is it was wildly overpriced until the patents on the technology expired a few years ago, but since then a number of players have entered the market and you can actually play with free software that will perform iris recognition via a Webcam, which might be all you need. Retinal scanning feels extremely invasive to users; you generally need people to put their forehead up against a rest and hold still and users typically won't ac
None. Use a biometric as a username only (Score:3)
iris (Score:1)
Re: (Score:1)
For your particular scenario iris recognition seems to be the most viable option. Iris is very fast and accurate and will not require removing gloves etc.
Iris scans are much more reliable than fingerprints. However, they don't come without issues. The capture algorithm must include:
* Dealing with occlusions. Either the top or bottom of the iris is usually occluded depending on racial origins.
* Dealing with spoofing. For this a single snapshot is not reasonable. A sequence (video) is needed in order to check for pupil pulsations that indicate a live eye. In addition, you need to do spherical eye checks so you know you're not looking at a projection. The
Re: (Score:2)