Biometric scanners vs. CAC readers
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers

SSG Private RallyPoint Member, Fri, 02 May 2014 10:24:15 -0400

I was recently in a discussion regarding logging in to government computers. Personally I think the DOD should abandon the Smart Card schema for logging in to .mil domain. It's cumbersome, has significant PII loss risk, and can be expensive. Biometric scanners (fingerprint) can be purchased now for about the same cost as CAC readers and in my opinion are more secure. What does the community here think about this?

Response by MAJ Steve Sheridan made May 2 at 2014 12:51 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117143&urlhash=117143

I like your idea. I have to use my finger to get into my building, so they already have my info.

I love it when technology makes my life easier.

I have so many passwords and pins to remember.

Response by SSG V. Michelle Woods made May 2 at 2014 12:56 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117147&urlhash=117147

I love the idea.
Only problem I see is the government purchasing some overpriced biometric scanner that breaks down constantly.

I know the salon I go to uses a cheap fingerprint scanner and I've never had an issue with it.

Response by SFC Stephen P. made May 2 at 2014 1:12 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117165&urlhash=117165

The fingerprint scanners have some security flaws. We leave fingerprints everywhere, which could be used to exploit these devices and our networks.

The certificates on a CAC can be cancelled remotely, rendering the card useless. Fingerprints, you only have 10.

Not an obvious choice for me; I'll leave it to the experts.

Response by SSgt Gregory Guina made May 2 at 2014 1:19 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117168&urlhash=117168

Fingerprint scanners are already available on many commercial computers and even on cell phones now. This is something that the military could easily do; however, like SSG Woods stated, the military would probably go out and have a company design something new and it would be overpriced and wouldn't work the way that it needs to.

Response by SSG Robert Burns made May 2 at 2014 1:27 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117174&urlhash=117174

Fingerprint scanners are extremely unsecure. Watch the MythBusters episode. It's ridiculously easy to bypass.

Response by TSgt Scott Hurley made May 2 at 2014 6:53 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117345&urlhash=117345

Instead of fingerprints, I would go for retina scans, since they cannot be replicated. Unless you steal the eyeball.

Response by MAJ Private RallyPoint Member made May 2 at 2014 8:11 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117380&urlhash=117380

I think the problem with biometrics, if we decide to go that route, would be the enrollment time, privacy issues and errors. For example, if a person works with their hands a lot and the skin becomes damaged, the possibility of a false rejection would be high. I also don't think that we would have the manpower to maintain the proper Crossover Error Rate (CER). If you start moving to retina, iris or voice print, I just know that there will be some privacy issues. In my opinion the best way to use this technology is the defense in depth strategy.

Response by LTC Yinon Weiss made May 2 at 2014 8:38 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117404&urlhash=117404

In my opinion, smartphone enabled two factor authentication is better than either biometric scanners or CAC readers.

Biometric scanners can be manipulated, and don't always even work, which leads to a frustrating user experience. CAC readers have their own problems (namely that 99% of computers in the world don't have a CAC reader and the proper software configured). However, you can use two-factor authentication through your personal smartphone.
After entering your regular password on a web site, you get a text message on your phone with a 6 digit code which is good for like 10 minutes, and good only once. You type that code in, and you're set. You therefore need to know both your password and have physical possession of your personal cell phone to log on, which is essentially what CAC accomplishes, minus all the headaches. If a cell phone is lost or stolen (just like a CAC card could be), then that cell phone can be cancelled from the network. And just like a CAC card, the cell phone is actually worthless just by itself, since you still need the user's actual web site password to get in.

Two factor authentication is already available on sites like Facebook, Google, and Dropbox. I would guess that the government might move to it eventually (though it may be 10+ years). Integrating people's personal cell phones into the mix is probably a bit too unorthodox for the government to seriously consider it for now.

If you use Google, you can enable this and also tell it to only check it when you are on a new computer.
Here are the steps:
https://www.google.com/landing/2step/

Response by MSgt Private RallyPoint Member made May 3 at 2014 1:11 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117789&urlhash=117789

My experience with both biometrics and the military's ability to adjust the sensitivity of a security measure work against this.

One of my old laptops had a fingerprint scanner; it was difficult to get configured (wouldn't match the prints I was giving it) and wouldn't work for about an hour after I woke up in the morning. Fingers swell or contract depending on temperature, hydration, or however many other factors, and can be damaged.

I imagine a high-end fingerprint scanning security system could have its sensitivity adjusted, but that brings up the other problem: can the military be trusted to configure the system in a reasonable manner?
My experience says no. I worked in an area where we had to go through a booth with three-factor authentication (swipe card, enter pin, hand-geometry scan). It had an added feature of checking the weight in the booth to make sure a second person wasn't riding in with the first.
Our security folks, in their infinite wisdom, set the weight threshold at 10 lbs; if you were 10 lbs lighter or heavier than the weight programmed to your account, it set off the alarm.

Response by LTC Private RallyPoint Member made May 3 at 2014 2:53 PM
https://www.rallypoint.com/answers/biometric-scanners-vs-cac-readers?n=117854&urlhash=117854

I think biometric scanners for the mass market don't seem reliable right now. The ones that are affordable seem to have significant reliability issues and I've heard of instances where fingerprint safes can be opened by just about anyone with a fingerprint and not the unique individual that set it up... I think there needs to be more advancement of the technology before that can be reliable yet.