Biometric solutions vs. smart cards
We are experts within smart cards and needed to see how they compare with biometric solutions. We tested the biometric support in Windows 10 and found that the entire chain begins with a password, which is a pity because this affects the credibility of the entire solution.
But even if this proves to be implemented in a way that feels sufficiently secure, we quickly run into several Achilles’ heels of biometric solutions:
The provisioning problem in environments where staff use lots of different devices that require identification.
Connected to this is the fact that you should not/cannot/dare not spread biometrically linked data to AD/IdP/target systems so that verification can be done on the server side.
Pros and cons
All verification must then be performed against locally stored biometric data, which in turn means that a doctor who uses, say, 18 different devices during her work week must first register her iris on every single one of these 18 devices. For us, this means that biometric methods are best suited to situations in which staff only work on a single device. This drawback is not experienced at all with PKI with smart cards, because verification against AD/IdP/target systems never means that any secrets need to be spread.
Smart cards are based on underlying PKI technology, with both private and public keys.
The biggest advantage of this technology (whether it is on a card or if the keys are on some other type of carrier) is that the technology is supported on all levels of the IT world: operating systems, applications, infrastructure components, patient record systems, VPN solutions, document signing, etc. etc.
Face recognition, fingerprints, iris scanning, vein matching etc. sometimes fit into the “authentication equation”. The new Windows 10 lets you log into Windows with, for example, face recognition or fingerprint. But it is in the next phase that problems can occur, i.e. when you need to access all the target systems. The biometric methods are rarely supported there. Instead, it’s the old tried and true methods that apply:
- SAML tokens
If the biometric methods aren’t going to be just a waste of time, the different areas need to be weaved together like PKI technology is intertwined with its surroundings. But a justifiable argument can be made that we are seeing the first concrete signs of this weaving in Windows 10.
SecMaker is of course monitoring developments in this area and taking a closer look at possibilities such as smart cards that use fingerprints instead of PIN codes.
We’re also doing tests related to the other biometric methods to find synergies between our own field and all of the new technologies that are emerging.