Security Question? Is a Finger Scan better than a USB Key to login to your PC.

[Clare]

I'm working on a set of computers for a company and what to see if finger print scanners or USB key logins are more secure than traditional long passwords. Any information or ideas would be great. All I'm trying to do is make the login of the computer from boot as secure as possible.

[dizmo]

How much of a nightmare is it going to be when the employees inevitably forget their USB key? Something to keep in mind.

[Clare]

1 minute ago, dizmo said:

How much of a nightmare is it going to be when the employees inevitably forget their USB key? Something to keep in mind.

I thought of this as well but they want as much security as I can give them so I think if i make 2 of each key and keep 1 that might be ok. But my worry with fingerprint scanners is deep fakes have been shown to be able to break them.

[dizmo]

7 minutes ago, Clare said:

I thought of this as well but they want as much security as I can give them so I think if i make 2 of each key and keep 1 that might be ok. But my worry with fingerprint scanners is deep fakes have been shown to be able to break them.

Having 2 of something makes it less secure. What are the chances of someone faking a fingerprint to get into the system? They seem overly paranoid. 

 

While I know it's needed in some companies, I highly doubt it's necessary here, since you, their security/IT expert (and no offense intended to you), is asking on an LTT forum. 

[Clare]

9 minutes ago, dizmo said:

Having 2 of something makes it less secure. What are the chances of someone faking a fingerprint to get into the system? They seem overly paranoid. 

 

While I know it's needed in some companies, I highly doubt it's necessary here, since you, their security/IT expert (and no offense intended to you), is asking on an LTT forum. 

I can understand that and take no offense. I do think it is worth pointing out that a person who may know better than me could very well be here and no one is the best in their field at everything. As there IT expert I must be a jack of all trades which leaving me to not be the best at everything and go to find that information. better to be resourceful than try to know it all. The Tech. field as I'm sure you know is ever changing. The person I'm looking for could very well be here as it is a Tech. Form so I disagree with the thought process but respect it. I also can advise against something but I'm not the one footing the bill.

Edit: I'm also on many other forms casting a wide net can be very effective and additionally there paranoid nature may have merit I don't dive into what work they do I just provide a service. 

[Electronics Wizardy]

20 minutes ago, Clare said:

what to see if finger print scanners or USB key logins are more secure than traditional long passwords.

Yea there much more secure than a long password. And Id argue that long/secure passwords don't really matter that much these days.

 

Id pick the solution thats easier to implement with the rest of the software setup.

 

I setup yubikeys at the company Im doing some IT stuff for and it works well with the system that is in use. 

 

19 minutes ago, dizmo said:

How much of a nightmare is it going to be when the employees inevitably forget their USB key? Something to keep in mind.

If you use something like duo you can remotely de activate the keys if there reported lost. Also employees don't lose key cards for building too often it seems, so while it will happen, it won't be that common.

 

18 minutes ago, Clare said:

I thought of this as well but they want as much security as I can give them so I think if i make 2 of each key and keep 1 that might be ok. But my worry with fingerprint scanners is deep fakes have been shown to be able to break them.

What is your threat model? Faking fingerprints is still a good amount of work, and the person would need the password for the system too.

[bluesummer]

Personally I'd go with the USB key, as not to give away my fingerprint, but fingerprints would probably work better in case someone inevitably loses or breaks their USB key. So for this scale, fingerprint. 

[dizmo]

6 minutes ago, Clare said:

I can understand that and take no offense. I do think it is worth pointing out that a person who may know better than me could very well be here and no one is the best in their field at everything. As there IT expert I must be a jack of all trades which leaving me to not be the best at everything and go to find that information. better to be resourceful than try to know it all. The Tech. field as I'm sure you know is ever changing. The person I'm looking for could very well be here as it is a Tech. Form so I disagree with the thought process but respect it. I also can advise against something but I'm not the one footing the bill.

Edit: I'm also on many other forms casting a wide net can be very effective and additionally there paranoid nature may have merit I don't dive into what work they do I just provide a service. 

What I meant was if it was really that sensitive, they'd have reached out to security experts who already know the solutions and don't have to ask. 

5 minutes ago, Electronics Wizardy said:

If you use something like duo you can remotely de activate the keys if there reported lost. Also employees don't lose key cards for building too often it seems, so while it will happen, it won't be that common. 

Depends on the size of the team and punishments I suppose, but it does happen. Pretty hard to lose a fingerprint (though I suppose that's not entirely foolproof either...)

[Clare]

6 minutes ago, Electronics Wizardy said:

Yea there much more secure than a long password. And Id argue that long/secure passwords don't really matter that much these days.

 

Id pick the solution thats easier to implement with the rest of the software setup.

 

I setup yubikeys at the company Im doing some IT stuff for and it works well with the system that is in use. 

 

If you use something like duo you can remotely de activate the keys if there reported lost. Also employees don't lose key cards for building too often it seems, so while it will happen, it won't be that common.

 

What is your threat model? Faking fingerprints is still a good amount of work, and the person would need the password for the system too.

I have seen the yubikeys and was considering them but wanted to make sure it was trusted outside of some random reviews. I have also seen the encrypted usbs from DUO and that was the direction I was planning to go. I have them set with alot of monitoring software like a UTM, Webroots, bleachbit, Zoho Mail and Keeper for some extra security but wanted to add a level to the login.

[Clare]

5 minutes ago, dizmo said:

What I meant was if it was really that sensitive, they'd have reached out to security experts who already know the solutions and don't have to ask. 

Depends on the size of the team and punishments I suppose, but it does happen. Pretty hard to lose a fingerprint (though I suppose that's not entirely foolproof either...)

Again I just don't agree, asking questions seems the best way to get better understanding and unless you are on the bleeding edge you can never provide what you ask. Also many companies what to hide there clients personal data who are no bigger than a mom and pop shop.

[Brooksie359]

3 minutes ago, Clare said:

Again I just don't agree, asking questions seems the best way to get better understanding and unless you are on the bleeding edge you can never provide what you ask. Also many companies what to hide there clients personal data who are no bigger than a mom and pop shop.

You have to realize that the point is nobody is going to go through the trouble of faking fingerprints for a mom and pops shop. The type of person who would do that would go for high value targets and most high value targets are ones with alot of money and likewise have spent a significant amount ok security. Now that assumption could be wrong but it does make sense logically. 

[Electronics Wizardy]

15 minutes ago, Clare said:

I have seen the yubikeys and was considering them but wanted to make sure it was trusted outside of some random reviews. I have also seen the encrypted usbs from DUO and that was the direction I was planning to go. I have them set with alot of monitoring software like a UTM, Webroots, bleachbit, Zoho Mail and Keeper for some extra security but wanted to add a level to the login.

I use duo at work, and it works well, I use yubikeys as the second factor normally(can use phone apps too, but normally avoid it).

 

What model of encrypted USB are you looking at? Normally for 2fa you don't want a usb storage device, you want something like a yubikey.

 

 

[Clare]

1 minute ago, Brooksie359 said:

You have to realize that the point is nobody is going to go through the trouble of faking fingerprints for a mom and pops shop. The type of person who would do that would go for high value targets and most high value targets are ones with alot of money and likewise have spent a significant amount ok security. Now that assumption could be wrong but it does make sense logically. 

I also disagree, that comes under the assumption of bigger companies are the only ones with massive money available. A simple food truck makes 300k a year a car wash makes 400k a year a storage business makes 500k a year. Additionally elderly people are far more targeted then anyone on the internet. Why as a hacker would I take the time to hack a fortune 500 company with massive security for money when I could hack a storage facility and take there over head for anywhere between 400k and a million whos run by a handful of employees. But this has gone in a completely wrong direction and become more of a belittling than helpful to the topic.

[Clare]

2 minutes ago, Electronics Wizardy said:

I use duo at work, and it works well, I use yubikeys as the second factor normally(can use phone apps too, but normally avoid it).

 

What model of encrypted USB are you looking at? Normally for 2fa you don't want a usb storage device, you want something like a yubikey.

 

 

I new to using both I have never placed them on a pc before. I generally stay to software protection and password management with maybe a hardware firewall box. I think I'm going to go with yubikey just because in the short time I have looked at it. It appears to be ez to setup and trouble shoot with other software.

[Electronics Wizardy]

Just now, Clare said:

I new to using both I have never placed them on a pc before. I generally stay to software protection and password management with maybe a hardware firewall box. I think I'm going to go with yubikey just because in the short time I have looked at it. It appears to be ez to setup and trouble shoot with other software.

What software are you using? Are you using AD? 

 

Id do a good amount more planning before setting this up and deciding on a solution.

 

What systems do you have? Do they have fingerprinter readers?

[Clare]

Just now, Electronics Wizardy said:

What software are you using? Are you using AD? 

 

Id do a good amount more planning before setting this up and deciding on a solution.

 

What systems do you have? Do they have fingerprinter readers?

As of right now they don't have any fingerprint readers. The only security equipment they have is what I have given them. As far as software they have Windows 10 as I recommended against windows 11 do to its under development. Then the security software I talked of before, beyond that its should be a clean slate as the computers have not been shipped out yet. AD? 

[DigitalGoat]

4 minutes ago, Clare said:

I also disagree, that comes under the assumption of bigger companies are the only ones with massive money available. A simple food truck makes 300k a year a car wash makes 400k a year a storage business makes 500k a year. Additionally elderly people are far more targeted then anyone on the internet. Why as a hacker would I take the time to hack a fortune 500 company with massive security for money when I could hack a storage facility and take there over head for anywhere between 400k and a million whos run by a handful of employees. But this has gone in a completely wrong direction and become more of a belittling than helpful to the topic.

I would go for a hardware system that could be backed up, like keys and a copy or master key. Yes USB keys can be lost/ damaged but also employees can lose fingers, leave the company, die etc, no one solution is fool proof here, the option that is the easiest to implement, most resilient to error and cheapest to maintain should be chosen in your situation, in IMHO.

The method mentioned above for keys that can be deactivated if lost is similar to the way bank cards work and is probably more resilient to 'issues' as a security method.

A simpler method is PIN, a record can be held of each one for emergency situations, and again, is good enough and easy enough for banks to use.

[Electronics Wizardy]

6 minutes ago, Clare said:

As of right now they don't have any fingerprint readers. The only security equipment they have is what I have given them. As far as software they have Windows 10 as I recommended against windows 11 do to its under development. Then the security software I talked of before, beyond that its should be a clean slate as the computers have not been shipped out yet. AD? 

Are the systems managed centrallay? AD = active directory. 

 

Id setup some sort of central management system for the computers. That will make it much easier to setup 2fa too. I have set it up so computers will auto install duo and setup 2fa, so I don't have have to setup anything manually on each system.

[Clare]

4 minutes ago, Electronics Wizardy said:

Are the systems managed centrallay? AD = active directory. 

 

Id setup some sort of central management system for the computers. That will make it much easier to setup 2fa too. I have set it up so computers will auto install duo and setup 2fa, so I don't have have to setup anything manually on each system.

Generally the systems run in there own. I do have remote access if something were to go wrong, but almost all the software is self maintained. The hardware sends off diagnostics to me if a weekly checks shows signs of failure but beyond that I install all programs individually or from a USB if I'm on the road. I'm interested in how you go about have it run programs for setup with no password or email sign-ins to the licenses of the products you use. 

[wanderingfool2]

USB's are more likely to be kept with the computer...ask me how I know.  Seriously though, I've seen a yubikey that is just pretty much attached to the computer

[LAwLz]

It is impossible to give a good answers to this without taking the whole system into consideration.

Some might say that a fingerprint is more secure than a password, but most fingerprint systems has passwords as a fall-back. As a result, you now have two attack vectors and whichever one is the weakest will get taken advantage of. 

 

A hardware authentication device such as a YubiKey however is often used as a secondary authentication method. It is usually not a replacement to a username/password but rather it is used in addition to username and password. In the case of YubiKey, it also offers the option to require a physical touch of the device itself in order to authenticate. In those scenarios, the YubiKey serves a purpose even if someone leaves it permanently plugged in to the computer, because it protects against remote attacks. Someone could get your full username and password, with the YubiKey plugged in and remote access to your PC, but still wouldn't be able to login. 

 

 

Security can usually not be boiled down to simple "this or that" questions. It requires a full overview of the entire system and right now you have not provided us with anywhere near enough info. I would argue that this is not a topic that you should be asking online for. If you need help, which you clearly do, then contacting a consultant is your best bet.

[Electronics Wizardy]

2 hours ago, Clare said:

Generally the systems run in there own. I do have remote access if something were to go wrong, but almost all the software is self maintained. The hardware sends off diagnostics to me if a weekly checks shows signs of failure but beyond that I install all programs individually or from a USB if I'm on the road. I'm interested in how you go about have it run programs for setup with no password or email sign-ins to the licenses of the products you use. 

I have all the systems in active directory. Then I can apply settings and scripts on groups of computers and they will run them all. 

 

What OS are these systems running? if your on windows, you can use windows hello for buiness for 2fa on windows systems, this may require some setup depending ing on how things are working now.

 

One other thing, Id stop try to have users create long or super secure passwords, as it often doesn't increase, but gives a false impression of security. One of the biggest things to increase security is 2FA, so something like a usb token + password, or a password + token. 

 

 

 

[BlueChinchillaEatingDorito]

14 minutes ago, Electronics Wizardy said:

I have all the systems in active directory. Then I can apply settings and scripts on groups of computers and they will run them all. 

 

What OS are these systems running? if your on windows, you can use windows hello for buiness for 2fa on windows systems, this may require some setup depending ing on how things are working now.

 

One other thing, Id stop try to have users create long or super secure passwords, as it often doesn't increase, but gives a false impression of security. One of the biggest things to increase security is 2FA, so something like a usb token + password, or a password + token. 

 

 

 

Even forced password expirations in my opinion do little... because all that ends up happening is people just start appending or prepending random crap onto existing passwords. Not that I do that... stop looking at me like that.  

[wanderingfool2]

7 hours ago, BlueChinchillaEatingDorito said:

Even forced password expirations in my opinion do little... because all that ends up happening is people just start appending or prepending random crap onto existing passwords. Not that I do that... stop looking at me like that.  

Actually, if passwords are set to expire too often it can actually cause a major issue in users who write down their passwords.  Countless times I've gone to someone else's computer, sat down looked at the monitor and said "is that your password"?  So there actually was an automotive laptop that was used for diagnostics that was protected by a Yubikey and password.  I was asked to look at it one day as a favor, as the authorized IT personal was going to take a few weeks to visit and they didn't have that type of time for downtime.  Looked at the laptop, they had literally a post it note, with the Yubikey attached.

 

Do agree with what Lawl said, everything needs to be based on needs and properly assessed.  Most places realistically don't need that level of 2FA, and sometimes if you don't have the best educated employees having that many hurdles can cause even more security lapses (like having post it notes with passwords, or people sharing logins).  In general the biggest threat is user error, a well trained employee can play a major role in reducing probability.

[Brooksie359]

16 hours ago, Clare said:

I also disagree, that comes under the assumption of bigger companies are the only ones with massive money available. A simple food truck makes 300k a year a car wash makes 400k a year a storage business makes 500k a year. Additionally elderly people are far more targeted then anyone on the internet. Why as a hacker would I take the time to hack a fortune 500 company with massive security for money when I could hack a storage facility and take there over head for anywhere between 400k and a million whos run by a handful of employees. But this has gone in a completely wrong direction and become more of a belittling than helpful to the topic.

Again a wrong assumption. If they are going to go for a mom and pops shop which one are they going to go for the one with simple username and password security or the one with fingerprint authentication? The entire point being that if someone is going to go through the trouble of hacking more advanced security why not do so against more valuable targets that have that security especially when bigger companies have more links in the chain to exploit. It only takes one negligent employee to cause a security breach.