Biometric authentication with Active Directory


Solution 1

Windows 7 provides a device abstraction layer such that, assuming your fingerprint reader's manufacturer has written the appropriate driver software, the reader itself will "just work" with Windows. Microsoft's goal in doing this was to provide a consistent user experience re: enrolling biometric data. (The "provider" functionality in Windows 7 supports only fingerprints. The framework is extensible, by Microsoft, to support other types of biometric data, but only fingerprint UI has been added in Windows 7. No retinal scanners for you... >smile<)

From the scant articles that I'm finding, it appears that the biometric-based logon becomes available after at least one user has "enrolled" their fingerprints, and will work for both local user accounts and domain user accounts.

It's unclear to me where Microsoft is actually storing the biometric data and the user's password. Since it has to be accessible prior to logon, my guess is that they're encrypting it with some machine-specific key and packing it away in the computer's registry somewhere. (Yeah-- per this article that appears to be what's happening...)

It certainly looks like Microsoft hasn't thought at all about how to deploy this functionality across groups of computers. I see no method for "pre-loading" biometric data into groups of machines. My guess is that if, for example, you wanted "enterprise-wide" biometric logon capability you'd need each employee to "enroll" their fingerprints on each computer they were going to logon to.

If, indeed, centralized biometric credential distribution (which, arguably, presents a lot of fun security challenges) isn't a part of the biometric authentication functionality in Windows 7 then, arguably, it's of little use.

Solution 2

You can allow domain credential logon with Biometrics in win7/server2K8R2+ with a group policy setting. Those credentials will require enrollment, but they should roam from workstation to workstation. As far as programmatic enrollment goes...obviously you would need the fingerprint data to start with...It's something that I'm researching at the moment.

The post above is incorrect about how biometric data is stored, and the need to enroll on each workstation that will be used. Since this question was answered the WBF has been completely documented.

It does NOT "pack the data away in the registry".

Active Directory is the mechanism that's used for Enterprise Wide solutions. It's enabled with a GPO. It also works for UAC elevation. I've been using this with Windows 8 and it's really nice.

These links might help:

http://technet.microsoft.com/en-us/library/dd759228.aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/dd401509%28v=vs.85%29.aspx

The API is really very easy to understand and very well documented with source code that builds easily.

EDIT: The fingerprint data does NOT roam. That was a side effect of my lab being very well used. :)
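The answer above says the domain-logon capability is switched on by a group policy setting but does not show which settings are involved or how to check that they have landed on a workstation. The following PowerShell script is an added example and is not part of the original answer or of Microsoft's documentation. It assumes that the three registry values under HKLM\SOFTWARE\Policies\Microsoft\Biometrics are the ones written by the Biometrics ADMX policies ("Allow the use of biometrics", "Allow users to log on using biometrics", "Allow domain users to log on using biometrics"); confirm the paths against Biometrics.admx in your own environment before relying on them. The "not configured" defaults encoded below (biometrics and local biometric logon allowed, domain logon off until explicitly enabled) follow what the comments on this page describe for Windows 7 and are an assumption for later versions. Get-PnpDevice is assumed to be available (Windows 8 / PowerShell 5.1 or later); on Windows 7 drop that line.

```powershell
# Added example, not code from the original post.
# Audit the Windows Biometric Framework (WBF) logon policy on this machine and,
# for a lab box, write the same values a domain GPO would deliver.
# Assumption: these value names/paths match the Biometrics.admx policies.

$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$CredProvKey = Join-Path $PolicyRoot 'Credential Provider'

function Get-WbfPolicyValue {
    # Returns the DWORD policy value, or $null when the policy is not configured.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-WbfLogonStatus {
    # Works out whether biometric logon is effectively enabled for local and
    # for domain accounts, and whether the plumbing (service, reader) is there.
    $biometricsEnabled = Get-WbfPolicyValue $PolicyRoot  'Enabled'          # "Allow the use of biometrics"
    $logonEnabled      = Get-WbfPolicyValue $CredProvKey 'Enabled'          # "Allow users to log on using biometrics"
    $domainEnabled     = Get-WbfPolicyValue $CredProvKey 'Domain Accounts'  # "Allow domain users to log on using biometrics"

    # Assumed defaults when not configured: the first two are allowed unless
    # explicitly set to 0; domain logon is off unless explicitly set to 1
    # (it "has to be turned on, it's not on by default", per the comments).
    $frameworkOk = ($biometricsEnabled -ne 0)
    $localOk     = $frameworkOk -and ($logonEnabled -ne 0)
    $domainOk    = $localOk -and ($domainEnabled -eq 1)

    $svc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue   # Windows Biometric Service
    $svcStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # Enumerate working biometric devices (requires Windows 8+ / PS 5.1+).
    $readers = @(Get-PnpDevice -Class Biometric -Status OK -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        BiometricsAllowed    = $frameworkOk
        LocalBiometricLogon  = $localOk
        DomainBiometricLogon = $domainOk
        WbioSrvcStatus       = $svcStatus
        ReadersPresent       = $readers.Count
    }
}

function Enable-WbfDomainLogon {
    # Lab-only helper (run from an elevated prompt): writes the values a GPO
    # would set. In production put these in a GPO linked to the workstation OU
    # so they are enforced centrally and survive the next gpupdate.
    foreach ($key in @($PolicyRoot, $CredProvKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $PolicyRoot  -Name 'Enabled'         -Value 1 -Type DWord
    Set-ItemProperty -Path $CredProvKey -Name 'Enabled'         -Value 1 -Type DWord
    Set-ItemProperty -Path $CredProvKey -Name 'Domain Accounts' -Value 1 -Type DWord
}

# Report the current state; call Enable-WbfDomainLogon first on a lab machine.
Get-WbfLogonStatus | Format-List
```

After the GPO is linked, run gpupdate /force on a workstation and re-run the audit: DomainBiometricLogon should flip to True and WbioSrvc should be Running. The fingerprint tile only appears on the logon screen and in the UAC prompt once a user has also enrolled on that particular machine, which is consistent with the EDIT above noting that the fingerprint data itself does not roam.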


Author: James Hawkwind, Database Administration Supervisor

Updated on September 17, 2022

Comments

  • James Hawkwind over 1 year

    There have been various blogs, MSDN pages, posts, etc. about Windows 7 and Windows 2008 R2 supporting biometric authentication built-in (or so it seems). (http://technet.microsoft.com/en-us/library/dd759228.aspx) In Windows 7 and Windows 2008 R2 it includes some group policy settings for it also.

    Anyone know how to enable it to work with Active Directory? So that it shows up on the logon screen or UAC prompt?

  • Philip over 12 years
    We're running Win7 machines with WBF fingerprint readers; the data does not roam and is not stored in AD.
  • kishore over 12 years
    The GPO is only present/functional in a native 2k8R2 forest and domain. It has to be turned on, it's not on by default. Domain and local accounts can be configured differently. I'll edit the post when I have verified this...maybe I'm wrong and it's just a by-product of my setup.