S 4.415 Secure operation of biometric authentication under Windows
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
From Windows Server 2008 R2 and Windows 7 onwards, Windows supports biometric authentication with fingerprints by default. For this purpose, the Windows Biometric Framework (WBF) was developed and integrated into the operating system. Using the WBF, manufacturers of biometric solutions can integrate their sensors and algorithms into the operating system and securely store the enrolled biometric data. When Windows detects a fingerprint reader on the system, the WBF adds a Biometric Devices item to the Control Panel.
Out of the box, Windows supports the use of fingerprint readers for the following purposes:
- biometric authentication to access the operating system or the domain (Windows login)
- biometric authentication to elevate privileges under User Account Control (see S 4.340 Use of Windows User Account Control UAC under Windows Vista and higher)
- access to biometric functions from applications via a uniform interface
Whether domain login with biometric authentication is allowed can be specified by means of a group policy object. Where possible, this option should be used to enforce a uniform, secure configuration for all devices in the domain. Biometric authentication cannot be used for guest accounts or for the "Administrators" default account.
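An added audit script (written for this page, not part of the BSI safeguard or of Windows) that reads the group policy settings governing biometric logon on a domain member and flags deviations from the planning decision; the registry paths and value names are assumed from the Biometrics ADMX template and should be checked against the ADMX files in your own central store:

```powershell
# Assumed policy locations (Biometrics.admx): "Allow the use of biometrics",
# "Allow users to log on using biometrics", "Allow domain users to log on using biometrics".
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$PolicyCP   = "$PolicyBase\Credential Provider"

function Read-PolicyDword([string]$Path, [string]$Name) {
    # Returns the DWORD if the policy is configured, otherwise $null
    # ("not configured" leaves the OS default in force, which differs by Windows version).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function ConvertTo-PolicyText($Value) {
    if ($null -eq $Value) { 'NotConfigured (OS default in force)' }
    elseif ($Value -eq 1)  { 'Allowed' }
    else                   { 'Disabled' }
}

function Get-BiometricPolicyState {
    # Live state of the three policies plus the Windows Biometric Service (WbioSrvc).
    $svc = Get-Service -Name 'WbioSrvc' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        UseOfBiometrics  = ConvertTo-PolicyText (Read-PolicyDword $PolicyBase 'Enabled')
        LocalLogon       = ConvertTo-PolicyText (Read-PolicyDword $PolicyCP   'Enabled')
        DomainLogon      = ConvertTo-PolicyText (Read-PolicyDword $PolicyCP   'Domain Accounts')
        BiometricService = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    }
}

function Test-BiometricPolicy {
    # Compare the live state with the decision taken during planning: for systems with
    # higher protection requirements, biometric domain logon must have been justified
    # explicitly. Returns a list of findings (empty when compliant).
    param([bool]$DomainLogonAllowed = $false)
    $state = Get-BiometricPolicyState
    $findings = @()
    if (-not $DomainLogonAllowed -and $state.DomainLogon -ne 'Disabled') {
        $findings += "Domain logon with biometrics is '$($state.DomainLogon)' but the planning decision requires it to be disabled"
    }
    foreach ($name in 'UseOfBiometrics', 'LocalLogon', 'DomainLogon') {
        if ($state.$name -like 'NotConfigured*') {
            $findings += "$name is not configured; set it explicitly so the state is uniform across the domain"
        }
    }
    $findings
}

Get-BiometricPolicyState | Format-List
Test-BiometricPolicy -DomainLogonAllowed $false
```

Run it with administrative rights on a representative domain member after a `gpupdate /force`; an empty findings list means the machine matches the intended configuration.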
The motivation for using fingerprint readers is often, above all, easier authentication for the users. However, the fingerprint readers commonly built into laptops have repeatedly proven in tests to be reliable only to a limited extent. Depending on the model, "copying" foreign fingerprints is feasible with more or less technical effort. For systems with higher protection requirements, it must therefore be examined carefully whether the security level of the devices actually used is high enough if authentication is to be carried out exclusively by means of fingerprint identification. When other biometric methods are used, the reliability of the identification should be assessed in advance and compared with the protection requirements of the affected systems and applications. For systems with high and very high protection requirements, authentication based on chip cards or tokens generally has an advantage over the available biometric methods.
When planning the use of biometric authentication, it is also important to provide other ways to access the system if the enrolled fingerprint is not available, for example because of an injury to the finger. Windows allows several fingers to be enrolled, which can then be used alternatively. In addition, access with a secure, centrally stored password should be set up as a fallback solution.
Review questions:
- Was careful consideration given to the use of biometric authentication based on the protection requirements of the affected systems and applications?
- Is the reliability of the biometric authentication controlled using group policies?
- Are substitute methods to access the system available when biometric authentication is not possible?