Fingerprint reader + smart card
-
khaverblad
- Freshman Member
- Posts: 106
- Joined: Fri Feb 18, 2005 3:46 pm
- Location: Malmoe, Sweden
Just wondering if anyone is using the combination of storing a fingerprint scan on a smart card, so that the smart card and the fingerprint scan have to be used together to access the system.
-
Leikeze Ajnin
- Posts: 28
- Joined: Tue Jan 09, 2007 2:58 pm
- Location: Connecticut, USA
1) The fingerprint reader stores its stuff in the security chip's memory, and I don't think it is possible to configure it to export to another location and perform lookups there.
2) It should be possible to setup the computer such that the smart card is required in any case, but I'm not familiar with how to do that.
- Tim Healey
The best thing to do is order Utimaco Safedisc Easy from Lenovo. You can have new machines shipped with it or you can order it as an accessory later on. The part number will be on the Lenovo site, but in the corporate / government section, not the home user section.
This will allow you to encrypt your whole harddisk and work in perfect harmony with Lenovo's Rescue and recovery.
This software allows you to set up pre-boot authentication with an Aladdin eToken (USB) or various smart cards. If you go the smartcard route, keep in mind you will need to sacrifice a PCMCIA slot or a USB slot to install a smartcard reader.
Lock the HDD to your fingerprint in the BIOS.
The boot sequence on a cold boot will be as follows:
1) System starts with BIOS prompt to swipe your finger to unlock HDD. No finger, no boot. This alone will not suffice. Why?
There are recovery companies who can supposedly bypass this and there are people who can take your fingerprint off an item you touched and then play it back to the Lenovo fingerprint reader.
2) Now you can access the HDD as far as the BIOS is concerned, Windows XP cannot boot up because the harddisk is completely encrypted.
Instead of the Windows XP boot, you will get a Safedisc Easy screen in what looks like a DOS window. The Safedisc Easy software will ask you for your smartcard or USB token. If this is present, you enter its PIN to allow the harddisk to encrypt and decrypt on the fly and you can finally boot up.
This is only useful if you make a strong PIN for your card / token and carry the card / token on your person and never leave it with the machine unattended, e.g. in an airport lounge or whatever.
I have tested this on Thinkpad X41 Tablet, X60 Tablet, T43p, X60, T60p with Safedisc Easy 4.20 and 4.30 using both Athena smartcards and Aladdin eToken Pro USB tokens.
Users ended up preferring USB tokens.
Note that PGP Corporation also have whole-disk encryption products which offer 2-factor authentication via smartcard / token. Stay away from PGP products for whole-disk encryption!
I tested all versions from 9.0.3 to 9.6beta. None of them work with your Lenovo service partition, so Rescue and Recovery and re-imaging without recovery media is impossible with PGP.
It also blue-screens at will and you have to do a manual decrypt with a PGP rescue CD (that still requires your token and password). A manual decrypt of an almost full 7200rpm 100GB drive in a T60p takes around 16 hours with PGP. PGP Corporation offer virtually no support for this product, so it's best to stay away.
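As an added example (not code from the original post, and not Utimaco's or Lenovo's implementation): a small Python model of step 2 above, the pre-boot stage where a PIN-protected token must be present and its PIN entered before the disk encryption key is released. Everything here is hypothetical: the token secret, PIN hashing with PBKDF2 and the HMAC-based key wrapping are stand-ins from the standard library for whatever the real products do, and the sample PIN and keys are constructed for the demo. It shows the two properties the post relies on: the wrapped key in the disk header is useless without the token that wrapped it (so a yanked drive or a cloned header gets you nothing), and a short PIN is only acceptable because the token's retry counter locks it after a few wrong guesses.

```python
"""Model of token + PIN pre-boot unlock of a full-disk-encryption key.

Hypothetical illustration; NOT the SafeGuard/Safedisc Easy or Lenovo code.
Standard-library primitives only: PBKDF2 for the PIN check, HMAC-SHA256 as
KDF, one-time pad and MAC for wrapping the 32-byte disk key.
"""
import hashlib
import hmac
import os
import secrets


class TokenLocked(Exception):
    """Retry counter exhausted: the token refuses every PIN from now on."""


class WrongPin(Exception):
    """PIN rejected; the token's retry counter was decremented."""


class Token:
    """A PIN-protected smart card / USB token.

    The token secret never leaves the object.  Callers only receive a key
    derived from it, and only after presenting the correct PIN.  After
    MAX_TRIES consecutive wrong PINs the token locks itself; that counter,
    not the PIN's length, is what defeats guessing."""

    MAX_TRIES = 3
    PBKDF2_ROUNDS = 100_000  # assumption; a real card compares the PIN on-chip

    def __init__(self, pin: str) -> None:
        self._secret = secrets.token_bytes(32)   # stays inside the token
        self._pin_salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin, self._pin_salt)
        self.tries_left = self.MAX_TRIES

    @classmethod
    def _hash_pin(cls, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, cls.PBKDF2_ROUNDS)

    def derive_key(self, pin: str, context: bytes) -> bytes:
        """Return HMAC(secret, context), but only after a correct PIN."""
        if self.tries_left == 0:
            raise TokenLocked("PIN retry counter exhausted; token is locked")
        candidate = self._hash_pin(pin, self._pin_salt)
        if not hmac.compare_digest(candidate, self._pin_hash):
            self.tries_left -= 1
            raise WrongPin(f"wrong PIN, {self.tries_left} tries left")
        self.tries_left = self.MAX_TRIES  # a correct PIN resets the counter
        return hmac.new(self._secret, context, hashlib.sha256).digest()


def _enc_mac_keys(master: bytes) -> tuple:
    """Split one derived key into independent encryption and MAC keys."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def wrap_dek(token: Token, pin: str, dek: bytes) -> bytes:
    """Wrap a 32-byte disk encryption key for storage in the disk header.

    Returns salt || ciphertext || tag.  A fresh salt per wrap makes the
    HMAC-derived pad a genuine one-time pad for the 32-byte DEK."""
    if len(dek) != 32:
        raise ValueError("DEK must be 32 bytes")
    salt = os.urandom(16)
    enc, mac = _enc_mac_keys(token.derive_key(pin, b"dek-wrap|" + salt))
    pad = hmac.new(enc, salt, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unwrap_dek(token: Token, pin: str, blob: bytes) -> bytes:
    """Recover the DEK: needs the same token (its secret) AND its PIN.

    A different token with the right PIN derives a different key, so the
    tag check fails; the header by itself (a yanked drive) is useless."""
    if len(blob) != 16 + 32 + 32:
        raise ValueError("malformed wrapped key")
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    enc, mac = _enc_mac_keys(token.derive_key(pin, b"dek-wrap|" + salt))
    expected = hmac.new(mac, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrapped key does not belong to this token, or header tampered")
    pad = hmac.new(enc, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


if __name__ == "__main__":
    # The fingerprint / HDD-password step is out of scope; start at the
    # pre-boot screen that asks for the token and its PIN.
    user_token = Token("2468")                         # constructed sample PIN
    dek = secrets.token_bytes(32)
    header = wrap_dek(user_token, "2468", dek)         # written at install time
    assert unwrap_dek(user_token, "2468", header) == dek   # normal boot
    for guess in ("0000", "1111", "9999"):             # an attacker guessing
        try:
            unwrap_dek(user_token, guess, header)
        except WrongPin as e:
            print(e)
    try:
        unwrap_dek(user_token, "2468", header)         # right PIN, but too late
    except TokenLocked as e:
        print(e)
```

The point of the split into `wrap_dek` and `unwrap_dek` is that the header only ever holds material wrapped under a key the token derives, so the trust boundary is the token's retry counter; the PIN strength the post insists on only matters in combination with that counter, and a copy of the disk header gives nothing without the physical token.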
-
khaverblad
- Freshman Member
- Posts: 106
- Joined: Fri Feb 18, 2005 3:46 pm
- Location: Malmoe, Sweden
First of all, big thanks for the excellent answer to my question, and also sorry for zero feedback earlier, but I never got around to getting any further with this topic until now.
The best thing to do is order Utimaco Safedisc Easy from Lenovo. You can have new machines shipped with it or you can order it as an accessory later on.
I'm actually thinking about using SafeGuard Easy for whole disk encryption because it makes use of the fingerprint scanner as well. I've tested PGP Enterprise and it works fine, but found several others who posted negative experiences with the PGP whole disk encryption. But I'm going to test WinMagic SecureDoc and Pointsec PC Full Disk Encryption as well.
This will allow you to encrypt your whole harddisk and work in perfect harmony with Lenovo's Rescue and recovery.
Well, I'm not using Lenovo's Rescue and Recovery but Acronis TrueImage; I need to test how that works together with it as well. Backups made are primarily of work files, and so a bare-metal or mirroring backup is needed.
I have tested this on Thinkpad X41 Tablet, X60 Tablet, T43p, X60, T60p with Safedisc Easy 4.20 and 4.30 using both Athena smartcards and Aladdin eToken Pro USB tokens. Users ended up preferring USB tokens.
What was the reason why users preferred the USB token instead of a smartcard; any particular reason for this?
Oh please don't use Safeguard Easy, it is a horrible program imho. If you've got a T61 you can get an FDE hard drive which does the same functionality on a BIOS level.
I also believe that fingerprint authentication is a gimmick: it's not more secure, normally isn't faster (due to failed swipes) than typing a password, and makes it more likely for users to have to write down their passwords for when they do actually need them.
I'm not a fan of smart cards either just because I think they are overkill on the security front and cause hassle for users.
IMHO, if I have a supervisor, hard drive and power-on password with an FDE drive, no-one is going to get access to my data. (Not that I use an FDE drive at the moment, though, as I don't think anyone is after my data anyway; it's all very boring unless you're a geek.)
-
khaverblad
- Freshman Member
- Posts: 106
- Joined: Fri Feb 18, 2005 3:46 pm
- Location: Malmoe, Sweden
Oh please don't use Safeguard Easy, it is a horrible program imho. If you've got a T61 you can get an FDE hard drive which does the same functionality on a BIOS level.
I made the test with a T60; I wasn't aware that the T61 offered true FDE out of the box. You wouldn't have a link to more specific info about this? Can't say that I've found anything specific in SGE that I dislike; I actually kind of like SGE better than PGP WDE.
I also believe that fingerprint authentication is a gimmick, its not more secure, normally isn't faster (due to failed swipes) than typing a password and makes it more likely for users to have to write down their passwords for when they do actually need them.
Well, I've used the fingerprint authentication for quite a while and I seldom have problems using it, or I could actually say that it's so seldom that it's nothing to speak about. Gimmick or not, it actually works for the average user, and even if there have been articles published to show how easy it can be to fake fingerprints, I've actually never read an article where it has been claimed that it can't be trusted enough.
I'm not a fan of smart cards either just because I think they are overkill on the security front and cause hassle for users.
Well, I'm testing FDE to be used together with either smartcard or fingerprint authentication; but as always, if it gets too complex and hard to use for the users it will of course have a negative impact.
IMHO, if I have a supervisor, hard drive and power on password with a FDE drive, no-one is going to get access to my data.
Maybe for the average user password protection is good enough, but the drive can still be yanked out and the data accessed. And as said many times before in this forum, there are companies that can get around the hard drive password, so it's just not enough.
Then again; what might be an even easier way of handling FDE would be to wait and make use of the new Hitachi BDE drives that are available in small amounts now. But, I haven't read any first hand info about using the drives, yet.
I know passwords are not enough for some people; that's why I mentioned the FDE drives.
I've not personally tried it yet, but I have a few of the drives, so I'll try it soon and let you know.
I've just seen too many issues with safeguard easy and other programs, if you get a setup that works then its generally good but there are a lot of compatibility issues with it.
-