U.are.U/Microsoft fingerprint reader
| Microsoft has aquired Digital Persona technology for their fingerprint sensor (keyboard & mouse), so It may be time to read this "old" review (posted before M$ even announce avaibility of it security device line) because it contains some comments you won’t find elsewhere: |
{mosgoogle center}
Usage:
You can create as many profile as needed, open a browser and go to the login page (Here I choose www.runryder.com as an example)
 Put your finger on the sensor, the page do not exist in the keystore, so a page will popup. The title of internet page is use as key. |
 Enter the first credential, here the login and drag it to the right place in logon page. Repeat for all fields in page. |
 |
 |
| next time You go to that page, put your finger on the sensor and You’re in! |
{mosgoogle center}
Bad:
- Only working in Internet explorer, not working in any other browser: Opera or Mozilla
NEW: U.are.U is working in Firefox 1.0 but Microsoft fingerprint NOT - Security by obscurity (which has be proven to be the worst strategy in history of cryptography): no mention to algorithm used, cipher strengths, no possible review of code. Would’nt it be good for customers, or sales to use clearly communicate on algorithm used?
- Impossibility to do a backup of the keystore, web profiles… where is the repository of credentials? in windows SAM registry? If you lost your windows account (due to a crash or whatever), your only option is to use the small recovery utility provided, but you will have to remember your passphrase, and you have lost your web account profile.
- Only working with Windows! Linux is gaining market share at the rate not seen before, why not opening some part to the community or developing a drivers?
- In a browser, profile are depending on windows title -> clearly not enough if you have many credential on different pages which the same title. Maybe the software should use a variable html part of the content, url…
- Dll mess, a lot of library are copied to windows/system32 but this is common under Windows…
- Software version is 2.1, no update since 2002. I would like to see more options!
- The manual do not give enough advices on how to increase security, which habits are bad, and basics security concepts.
- Encrypting disk or directory is not possible: only files. You can right click on any file, choose encrypt
and start encryption by putting one finger on the sensor:
Decrypting is done by double clicking on a encrypted resource, and putting one finger on the sensor: EASY
{mosgoogle center}
Good:
- Work perfectly with Windows, no problems with: lotus notes login, windows logon, web browsing…
You are identified Unknow user - GUI for the average Joe user, nice and simple, very easy to use. Here the contextual menu:
- Very fast regognition,
- Fast Learning phase, in 5 minutes the device is working.
- Nice design, the red color is a nice touch on your desk.
- Price tags under 69$ in USA (but be careful it will cost You 270⬠in Europe…)
- Good integration in windows (here in system tray)
{mosgoogle center}
Conclusions/What I would like to see
- Open source the code!!!!
- Working with other browser, Mozilla has 18% of market now, all together alternate browser have less than 30% (see google geist here)
- Use a know standard: PGP? for example (PGP disk for encrypting folder and partitions)
- Name of algorithm used: Blowfish?, AES? and options to change cipher strength.
- A file based keystore, a lot more easier for backup.
- A linux version or plugin for Kwallet.
New What are the differences with the Microsoft version?
I’ve had the chance to see a Microsoft keyboard with the fingerprint reader in action, what a shame!!
- Only basic functionnality are still in the driver.
- No possibility to encrypt file with the device,
- It is working ONLY in Internet explorer, not in Mozilla (Is it a surprise for You???).
- Only "normal" windows are recognized by the system: no way to use it under a terminal (rxvt – cygwin) where the digital persona just work.
I would stay away from the Microsoft version as long as they do not integrate new intersting capabilities. No need to mention that drivers are not compatible each other….
{mosgoogle center}
Overall
A product for geek, but due to lack of peer reviews on algorithms, it is certainly not a corporate device in any means. For example: why attacking the keystore if you can hook a backdoor to the activeX component in use? (should be easy to do with all Internet explorer issues…)
Links
[email protected] sell them in usa at a good prices, also on ebay.com as well
EHAG
Industriestrasse 8
Oetwil am See, ZH 8618
Switzerland
+41 43 844 94 00
www.ehag.ch
COMEDIA
4 BIS ALLEE CHARLES V
VINCENNES, - 94300
France
33 1 43 28 48 48
www.comediatech.com
Others reviews:
- http://www.dansdata.com/uareu.htm A very good review with some tips how to fake the sensor
- Microsoft Device
- Michael Swanson’s Blog
- RedNova
- Security Pipeline
- Microsoft Optical Desktop with Fingerprint Reader PCMAG
{mosgoogle center}
