IBM Introduces Biometric Thinkpad

An anonymous reader writes "IBM has added biometric security to its thinkpad notebooks. The next generation of T series thinkpads will have an integrated fingerprint scanner for added security. The latest machines will also include some pretty cool encryption software, that will keep your hard disk safe, but still let you backup and restore images. This guy managed to get his hands on an early prototype T42 with the new security features integrated."

Micron has biometric support

[CyberSlugGump]

Some models of Micron laptops have had this feature [mpccorp.com] for a while.

Bloomberg keyboards have had biometrics for a whil

[Anonymous Coward]

Just saying IBM is fanot first to embed biometrics with their standard hardware.

I realize IBM is a mainstream notebook company...

[Infinite93]

But Motorola has sold a laptop with this for law enforcement for over a year now.

http://ruggedpower.motorola.com/ [motorola.com] Our local PD has them for detectives. Heavy, but nice feature set.

Hype Factor 9

[cynic10508]

For an IT manager, biometric security will make life much easier. Gone will be all those phone calls from users who've forgotten their passwords. And there will be no more worries about insecure passwords, or even keystroke loggers, trapping passwords and passing them onto hackers and fraudsters.

Gone may be phone calls for forgotten passwords but there'll be plenty of new calls as to why their fingerprints aren't scanning. The function of accuracy for fingerprint scanners varies according to things such as the skin's elasticity. This changes with age, humidity, cuts, etc. So biometrics aren't a 100% fix. There will always be "goats," the people for whom biometrics just doesn't work well, including the biometrics professor around here who's missing a fingertips (not due to any experiment mishap, mind you). I'd also worry about the security of your stored biometric data. Hopefully it'd be a hash and not the raw data, which could be harvested and used. Then again, I wonder what the incidence of collisions in a hash that uses biometric data is?

Re:Remember your friends

[tanguyr]

Does this mean you can hack it to record your friends' (or co-workers') fingerprints? Sounds fun and scary.

No, you can't. From the article:
"Of course since the Power On security layer is something that occurs well before Windows has started up, the fingerprint data can't be stored in a Windows file or folder. Instead, the fingerprint scanner itself stores the fingerprint data and retrieves it when the Power On security request is made. You can store a total of 21 profiles in the scanner, which should be more than enough, unless you share one notebook between a score of users. If you're worried about someone extracting the fingerprint data from the scanner and breaking your security, dont be. The scanner only stores a tiny amount of data for each fingerprint, just enough to ensure an accurate match, and nowhere near enough to recreate a complete fingerprint."

Re:Can't Access My Computer Please Help!!!

[jormurgandr]

That would be the reason why it allows you to store multiple profiles, and actively encourages users to store more than one finger, and on more than one hand (just look at the screenshots).

Re:swipe scan

[cynic10508]

That is a great idea. Such an elegant solution to what could have been a big problem.

Actually, the swipe scanner is cheaper, consumes less power, and has a smaller footprint than the original designs. So it's really best suited for devices such as cell phones, PDAs, etc.

Re:False security

[browncs]

Has anyone here used or admined IBM's lotus notes? I feel real good about trusting IBM with my encrypted HD.

Are you aware that:

• Lotus Notes had the first commercial implementation of a Public Key Infrastructure (PKI), and it's still by far the largest commercial deployment of a PKI.
• Lotus Notes has never had a security incident where a virus or worm successfully attacked it via Notes native interfaces or e-mail. (There have been some security patches required in the Internet-compatible interfaces.)

If you don't want an IBM...

[IronChefMorimoto]

If you don't want an IBM Thinkpad for the fingerprint scanner, the APC fingerprint scanner/biometric reader seems to work pretty well. I saw it for $29 or so at Fry's yesterday.

My friend bought one a while back and used it rather successfully on his Dell D800 before he had to give the computer back to his employer. It was pretty accurate in scanning his fingerprint. He never got locked out of his machine.

I can't remember if the machine would NOT allow a login without the reader or not. If it would, then that sort of defeats the purpose of the reader if you were able to steal the laptop without the reader attached.

IronChefMorimoto

Re:Hype Factor 9

[lesinator]

Not only easier, but also more secure. A common username and password is only 1-factor authentication (they're both something you can know). Using a username and biometric is 2-factor authentication (in this case, someting you are and something you know). For 3 factor authentication you need to cover: something you know, something you have, and something you are.

Biometrics stored for authentication are stored in a reduced, non-reversable format. Its designed to be searched and matched, but not extracted.

L

Re:Yes, but...

[Anne Thwacks]

Probably not ... the I-paq one allegedy uses the thermal imprint and not optical, so you would need jelly with suitable infrastructure of arteries and veins.

Re:But what happens...

[mobby_6kl]

You can set it up to use more than one finger, so if you break one you can use the one on the other hand, in case all fingers on the first hand are broken/cut off/missing.

Re:But...

[temojen]

Obviously flamebait as IBM is a major supporter of linux.

And yet, the ThinkPad configurator (at least on their Canadian site) has options for Windows XP Home or Professional, but no Linux distributions (nor BSD) and no "no operating system" option.

Re:fingerprints are everywhere

[over_exposed]

How the hell does you mind work? ANYONE can steal a laptop. I've seen a 13 year old in an airport try to walk away with one and you're saying that a 13 year old kid could reproduce my fingerprint accurately enough for a scanner to read it? Shut up and read the articles. Maybe even google the technology in the article so you can comment on it intelligently...

Re:False security

[darkwhite]

A clueful cracker with console access can usually get access to data. If the laptop is stolen, so is the data

RTFM.

Do you know how password protection and data encryption works on laptops? No, you don't.

There are several layers of security involved. First, the BIOS and the HDD both have password authentication mechanism. The BIOS stores its passwords on a custom chip which scrambles its I/O. Resetting the BIOS master password is possible, but it requires a highly modified chip programmator and a skillful person.

The HDD stores its password on the platter and requires it before it will allow access to any data. To bypass this mechanism, you must engineer your own HDD controller chip which will skip the authentication and the PCB for it and transplant it in place of the one on the HDD. This is virtually impossible unless you have very good friends in the HDD manufacturer company.

Finally, after the HDD allows access, the software encrypts selected files using strong encryption and stores the keys on the secure (TCPA) chip. The secure chip requires a passphrase before it will allow access to the keystore. It is virtually impossible to bypass this and retrieve the keys from the secure chip without knowing the passphrase.

Therefore, to retrieve the data from the stolen laptop's HDD, you must first possess either extreme competence in electronics or extremely good illicit connections in the industry, and second, brute-force industrial-strength encryption on the files. Good luck.

Re:Yes, but...

[HalfStarted]

Even if it can... it is not totally useless. Strong authentication theory basically says for an authentication method to really be strong it has to be comprised of two parts: something you have, and something you know.

Biometric measurements are attractive candidates for the "something you have" part because they are unique, in most cases easy to read and convenient... i.e. never left behind. On there own though they do not provide a strong authentication solution... but even then, a large bit-length key on a USB or serial device does not provide strong authentication on its own as the key can always be stolen or compromised.

A finger print tied to a password on the other hand renders the entire system much, much more secure. It is up for debate if this is more secure in general than a key/password solution though... the trade off is something that is easier to use, more convenient for the user in hopes that it is used and used correctly vs a solution that is inherently stronger but more cumbersome for the user and more likely to be abused (leaving the key plugged in all the time for instance).


Comparing fingerprints to a USB key as a solution to the "something you have" challenge in a security response:

Fingerprint:

+ Impractical to steal
+ Always with you
+ Standard format
- Relatively easy to forge for optical scanners
- May change over time

USB Key:

+ Hard to forge
+ Stable format
- Not always on hand, could be left behind, lost, forgotten
- Can be stolen
- More difficult to provide a standard interface

One of the reasons I personally favor keys, while they can be stolen the effort required to secure a key based token is much easier than the effort required to prevent leaving fingerprints around (unless you want to start wearing gloves all the time). Also if your key based token is stolen (or lost) you know it is gone, until you detect a break-in after the fact you will not know if a print has been forged... you would probably be aware if someone stole a print by removing a finger though ;)

In my own (non-expert opinion) I would rank various authentication techniques as follows from most secure to least:


Long bit-length token + Strong Password
Strong Biometric measurement + Strong Password
Weak Biometric measurement + Strong Password
Long bit-length token
Strong Biometric measurement
Strong Password
Weak Biometric measurement

Not going even bother including weak passwords and not counting improper use/storage of tokens and devices (I consider weak passwords improper use btw). Weak Biometric measurements would be something like optical scanning, strong measurements are stuff like eye prints and thermal scanning/imaging.

Re:the fujitsu lifebook P7010 already has fp scann

[praxis]

Also, the Electrovaya Scribbler SC800 and Electrovaya Scribbler SC2100 have finger print scanners as well. [1] They've had them for years. I guess they are just becomming more mainstream.

http://www.electrovaya.com/product/scribbler_pro du ct.html