You Can't Jot Down Fingerprints: Windows Beyond Passwords - Page 2
Digital certificates are an important consideration, because they are the mechanism by which smartcards provide their authentication information. In order to issue digital certificates, you'll need to implement a Public Key Infrastructure (PKI) on your network using Windows Certificate Services. Certificate Services is included with Windows 2000 and Windows Server 2003, and is relatively easy to configure unless you want to create complex policies to manage the certificates. You can find detailed information on PKI and Certificate Services in Microsoft's documentation.
Once you have programmed the smartcards and provided them to your users, each time a user logs on they will need to insert the smartcard into the reader and provide the PIN. No smartcard or no PIN - no access to the network.
If you have a network with users of differing security levels, you can choose to require some users to have smartcards to log on to the system, while others don't. This determination is made in Active Directory on the Properties page of the user object. You can see an example of this screen in Figure 1.
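As an added example (not part of the original column), the PowerShell below audits the per-user smartcard requirement described above from the command line rather than the Properties page: it lists members of a privileged group whose accounts are enabled but can still log on with only a password, and shows the one-line change that enforces the setting. It assumes the ActiveDirectory module (RSAT) is installed, that you have rights to read user objects, and uses 'Domain Admins' as a placeholder group name.

```powershell
# Added example, not the article's own code. Audits which users in a
# privileged group have "Smart card is required for interactive logon" set.
Import-Module ActiveDirectory

# The checkbox on the user's Account tab maps to bit 0x40000 (SMARTCARD_REQUIRED)
# of userAccountControl; the ActiveDirectory module also exposes it as the
# SmartcardLogonRequired property. Both are read so they can be cross-checked.
$SmartcardRequiredBit = 0x40000

$privilegedGroup = 'Domain Admins'   # placeholder: the high-security group to audit

$members = Get-ADGroupMember -Identity $privilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.DistinguishedName `
                    -Properties userAccountControl, SmartcardLogonRequired
    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        Enabled                = $u.Enabled
        SmartcardLogonRequired = $u.SmartcardLogonRequired
        UacBitSet              = (($u.userAccountControl -band $SmartcardRequiredBit) -ne 0)
    }
}

# Enabled privileged accounts that are still password-only: the gap to close.
$gaps = $report | Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired }
$gaps | Format-Table -AutoSize

# Enforce the requirement for those accounts once the list has been reviewed
# (uncomment to apply). Users without a provisioned card will lose access.
# $gaps | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -SmartcardLogonRequired $true }
```

Any row where UacBitSet and SmartcardLogonRequired disagree indicates a replication or tooling problem worth investigating before trusting the report.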
Overall, smartcards represent the ideal choice for organizations that want to get into multi-factor authentication without spending a fortune. Economies of scale will mean that as more companies install smartcard systems, the price of readers and smartcard media may come down, but don't expect to be making vast savings. A healthy competitive market between the existing smartcard vendors has already put the systems at a reasonable price point. You might save a few bucks by waiting for a couple of years, but the reality is that if you can justify the extra security offered by smartcards now, you can also probably justify spending the money.
As we have already discussed, smartcards offer a multi-factor authentication system that requires a user to provide something they have, along with something they know. But there is still one more, even better way of verifying a user's identity: proof of person, referred to as biometrics.
Proof-of-person authentication systems use some kind of biological trait to verify a user's identity. By far the most common method of biometric authentication is fingerprints, but others such as iris recognition, facial recognition and speech verification are available.
While modern biometric authentication systems are very reliable, the hardware used for recognition is relatively expensive. Additionally, there is the added administrative overhead of programming the system in the first place with the biometric information from each user.
Although many security-conscious organizations have been using biometrics for physical access purposes for many years, it has yet to make a real breakthrough into LAN authentication. However, recent developments suggest that biometrics is preparing to enter the mainstream. A number of consumer-oriented fingerprint readers are already available at a reasonable price point ($40-$50). Even though these devices are pitched at home users rather than network systems, as we become more accepting of biometrics as an authentication system, it's highly likely that we will see LAN authentication deployments. There are a number of biometric authentication devices approved for use with Windows Server 2003 on the Windows Server 2003 Server Catalog, but they are more expensive than their consumer-oriented brethren.
Like any security implementation, if the losses that you might suffer as a result of an intruder accessing your system outweigh the cost of implementing the security, then you may have a case for biometrics. But, given the complexity of implementation and the associated costs, it's likely that large-scale biometric network authentication systems will remain the domain of government and ultra-high-security private organizations for some time to come.
Editor's Note: This is Drew's last column with Enterprise Networking Planet as he leaves us to pursue another opportunity. Drew's been a valuable part of the ENP bullpen for several years, and we'll miss him. Best of luck, Drew!