I would like to tighten desktop security by replacing/reinforcing the login passwords with fingerprints. The userID must match the user's fingerprint for logon authentication. My USB fingerprint scanner already has software that enrolls, verifies and stores fingerprints in a database in the form of templates. So how do I personalize/replace the Windows 2000 logon prompt to suit my fingerprint login needs?

    Requires Free Membership to View

    Login

Some commercially available USB biometrics devices, like the one you describe, come with installation software that modifies Windows 2000, Windows 2003 and Windows XP logon prompts for fingerprint readers. Three companies offering these products are BioCert, Saflink and Priva. These products actually replace the original GINA, or Graphical Identification and Authentication component that displays the classic Windows logon prompt. They do this with a custom DLL (dynamic link library) written for the occasion.

Again, this is not an easy task for a valid reason. Remember, the logon prompt is the gateway into your system, so you wouldn't want just anyone to tamper with it. If you did, it would mean that anyone could write code to bypass Windows logons.

To learn how to customize a GINA for your particular fingerprint scanner, I suggest you read this security brief from msdn:http://msdn.microsoft.com/msdnmag/issues/05/05/SecurityBriefs. This article not only guides you through the process, but provides sample code as well. Keep this in mind, should you decide to write your own GINA code, you may want to keep that user ID and password alongside your fingerprint login in your new personalized prompt, especially if you're looking for true two-factor authentication and the protection that it promises.

Finally, it's important to remember biometrics devices aren't replacements for passwords. The point of biometrics is to be part of a two-factor authentication system. Two-factor systems are generally stronger because they require two layers of authentication, while a user ID and password combination alone, or a biometrics device by itself only provides one layer of protection. It's best to add biometrics to augment a user ID and password set up, rather than deploy it as a standalone, because it's only a marginally better authentication mechanism by itself.

This was first published in December 2005

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top