Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

Biometrics

// // //
2/12/2018
09:30 AM
Larry Loeb
Larry Loeb
Larry Loeb

Windows 10 Bypassing Passwords With Fujitu's PalmSecure Biometrics

Microsoft is looking to overcome the password dilemma by incorporating Fujitsu's PalmSecure biometric technology into Windows 10.

Users don't like passwords for authorization very much.

Studies have shown they prefer other, more convenient ways to verify that they are indeed who they claim to be. Biometric authorization has popped up as a preferred method in these studies. It's hard for a user to misplace a biometric characteristic or have it stolen by a cyberthief the way a password can be misused.

One biometric method that has been used for authentication for the last 20 years, primarily in Japan, just got a big push into the mainstream. Microsoft Corp. (Nasdaq: MSFT) announced that it will use Fujitsu's palm vein authentication method -- PalmSecure -- in Windows 10 Pro as a way to sign into the system.

It is being added as a part of the Windows Hello facial and fingerprint-recognition system. Redmond will initially focus on enterprise users, keeping any decision about use for consumer devices for a later date.

(Source: Microsoft)
(Source: Microsoft)

Fujitsu Ltd. (Tokyo: 6702; London: FUJ; OTC: FJTSY) has been the world leader in this technology for the last ten years, but it remains relatively unknown and unused outside of Japan.

Hardware scanners for the method have been built into the company's Lifebook and Stylystic series notebooks for the enterprise. The company also delivers a USB connectible hardware palm scanning device that may be usable by other manufacturer's machines.

One study that used the data of 140,000 palms from 70,000 individuals to investigate the performance of palm vein authentication found that the false acceptance rate was 0.00008% and the false rejection rate was 0.01%, providing that the palm was held over the sensor three times during registration and that only one final scan was permitted to confirm authentication.

Images taken from a user scan are compared to a database that contains previously registered palm information.

Fujitsu noted:

Vein patterns are unique to individuals and contain detailed characteristics for formulation of algorithm template. The sensor of the palm vein device can only recognize the pattern if the deoxidized hemoglobin is actively flowing within the individual's veins.

The statement highlights one of the conceptual problems with the system -- having a template on the machine that can be used to authorize a go/no-go decision. Such data might be exfiltrated to be used in fake authorizations.

Indeed, one of the problems Apple Inc. (Nasdaq: AAPL) solved with its own fingerprint ID system was to keep known good scans encrypted within the system and not allowed to be exfiltrated for misuse.

This kind of biometric method does have some unique advantages over fingerprint and facial recognition. It is harder to copy veins under the skin than to take fingerprints or photos of someone's face.

But the security community may wonder if such a niche and proprietary method can truly address what the mainstream needs. Whether the data that is collected by this method can be kept secure within the Windows environment is another challenge that has yet to be proven.

Microsoft seemingly has little to lose by having this method as one of the options available for users. It may be useful for a subset of its users, and anything that encourages adoption of Windows 10 will be beneficial to them.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Creating an Effective Incident Response Plan
Security teams are realizing their organizations will experience a cyber incident at some point. An effective incident response plan that takes into account their specific requirements and has been tested is critical. This issue of Tech Insights also includes: -a look at the newly signed cyber-incident law, -how organizations can apply behavioral psychology to incident response, -and an overview of the Open Cybersecurity Schema Framework.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-40204
PUBLISHED: 2022-12-01
A cross-site scripting (XSS) vulnerability exists in all current versions of Digital Alert Systems DASDEC software via the Host Header in undisclosed pages after login.
CVE-2022-46162
PUBLISHED: 2022-11-30
discourse-bbcode is the official BBCode plugin for Discourse. Prior to commit 91478f5, CSS injection can occur when rendering content generated with the discourse-bccode plugin. This vulnerability only affects sites which have the discourse-bbcode plugin installed and enabled. This issue is patched ...
CVE-2019-18265
PUBLISHED: 2022-11-30
Digital Alert Systems’ DASDEC software prior to version 4.1 contains a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the SSH username, username field of the login page, or via the HTTP host header. The injected con...
CVE-2022-46156
PUBLISHED: 2022-11-30
The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets. Users running the Synthetic Monitoring agent prior to version 0.12.0 in their local network are impacted. The authentication token use...
CVE-2022-23746
PUBLISHED: 2022-11-30
The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passwords.