Integrating biometric authentication with Active Directory

Integrating biometrics with an existing enterprise IAM architecture was once a trying task, but it's much easier today because many biometrics products are designed to work hand in hand with Active Directory. Joel Dubin explains what Active Directory can do and how financial organizations can make the most of it.

This tip is part of the Security School lesson, Biometrics: Banking on secure identity management. Visit the lesson page for additional learning resources.

A notable complaint about biometrics technology is that it doesn't mesh well with existing enterprise networks. While that might have been the case in the past, it's not today. Many biometrics devices now integrate with Microsoft Active Directory, just like many other authentication tools or products. The ability of biometrics to work with Active Directory (AD) is a feature that has recently helped increase the viability of enterprise biometrics.

Basically, Active Directory has the ability to store biometrics data as part of a user's authentication profile alongside their other authentication credentials. In this tip, we'll explore how to ensure your biometrics devices fit seamlessly into your organization's existing Active Directory infrastructure.

With or without passwords?

Biometric credentials, like any other authentication credential, need to be securely transmitted from the device and stored in the authentication directory service. Active Directory can fit the bill on both counts, which is why it complements biometrics deployments.

First, decide on a basic biometric network authentication strategy. A biometric device can be used in two ways within an existing authentication system. It can be the sole login credential, replacing user IDs and passwords, or it can be part of a two-factor authentication system, supplementing existing user IDs and passwords. The difference is important for setting up biometrics in Active Directory.


If the device replaces an existing user ID and password system, a special login screen might not be required. In this case, make sure the biometric device connects directly and securely to Active Directory through the workstation. Biometric data, like user IDs and passwords, needs to be encrypted in transit.

If the device is an add-on to your existing user ID and password system, the login screen should be modified to display input from biometric devices. The first thing to check is if the vendor provides software to modify Windows' Graphical Identification and Authentication (GINA) code, which is the dynamic-link library used to create the Windows logon screen.

Hardware and software requirements

There are certain key elements a biometrics product must have in order to integrate successfully with Active Directory. The first is on the software side. The litmus test is whether it can be managed using existing Active Directory tools, such as the Microsoft Management Console (MMC) and the Active Directory Application Mode (ADAM) interface.

Security and auditing policies for the biometric credentials should also be manageable through the Active Directory Users and Computers MMC snap-in, just like those for your existing user IDs and passwords.

Without a link to these interfaces, managing biometric products would be a shot in the dark, since it would be difficult to effectively add, change or delete users in a consistent fashion. In addition, there should be user-friendly wizards for registering profiles. The wizard should make it easy for a new user to register, for example, their fingerprint on the device. Again, the key is ease of use of the administration software and its ability to mesh with Active Directory's own built-in tools.

Another litmus test is whether the software conforms to BioAPI, a standard developed in 2002 for meshing biometric software with the Windows API. BioAPI supports 18 different biometric devices linked to Active Directory, including fingerprint and iris scanners, face- and voice-recognition systems and smart cards with embedded biometric credentials. Its cross-device platform lets administrators focus on the type of biometric device that best fits their environment, rather than worrying about whether different devices will work with Active Directory. With BioAPI, the type of device doesn't matter.

For auditing purposes and to track down incidents, biometric software should allow logins to be registered in the Windows Event Viewer. Not all biometrics software does this.

On the hardware side, the main requirement is secure storage and transmission of biometric data from the device to Active Directory. Active Directory stores biometric data in protected form, just as it does the other authentication credentials it holds. But if that data is sent in the clear from the biometric device to the Active Directory server, it's just like sending an unencrypted password over the wire.

Active Directory itself securely stores authentication credentials. The only additional safeguard to the Active Directory infrastructure is to make sure biometrics data is encrypted on its way to the Active Directory server.
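One way to verify the in-transit requirement from the domain controller's side, as an added example that is not from the article or from any vendor's product: it assumes the biometric middleware reaches AD over LDAP (not stated on the page) and is read-only, so it only reports findings.

```powershell
# Added example, not part of the original article. Run on a domain controller with
# admin rights. Assumption: the biometric software binds to AD over LDAP; if it uses
# another channel, check that channel's encryption the same way.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# 1. Does this DC require signed LDAP binds? LDAPServerIntegrity: 1 = None, 2 = Require signing
$integrity = (Get-ItemProperty -Path $params -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($integrity -eq 2) {
    Write-Host 'LDAP signing: REQUIRED'
} else {
    Write-Warning "LDAP signing not required (LDAPServerIntegrity=$integrity); unsigned binds are accepted"
}

# 2. Is LDAPS (TCP 636) listening, so the biometric server can be pointed at an encrypted port?
$ldaps = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port 636 -WarningAction SilentlyContinue
if ($ldaps.TcpTestSucceeded) { Write-Host 'LDAPS: listening on 636' } else { Write-Warning 'LDAPS: nothing listening on 636' }

# 3. Event 2887 is the DC's 24-hour count of binds that arrived unsigned or as cleartext
#    simple binds; event 2889 names each offending client, but only when the
#    "16 LDAP Interface Events" diagnostic level is 2 or higher.
$level = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
if ($level -lt 2) {
    Write-Warning "LDAP Interface Events diagnostics = $level; set to 2 to get per-client 2889 events"
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # 2889 messages carry the client IP:port; pull it out so the test-lab team can match
    # it against the biometric server's address.
    $ip = [regex]::Match($e.Message, '\b\d{1,3}(\.\d{1,3}){3}:\d+\b').Value
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Client  = if ($e.Id -eq 2889) { $ip } else { '(24h summary)' }
        Message = ($e.Message -split "`n")[0].Trim()
    }
}
```

If the biometric server's address shows up in a 2889 event, its binds to AD are not signed or encrypted and the product's LDAP settings (or the DC's signing requirement) need attention before production.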

So, what can go wrong when integrating biometrics with Active Directory? Some of the same problems that plague biometrics in general can affect an Active Directory implementation, such as performance issues -- i.e. lengthy login times -- and errors like false positives. But these problems are inherent to biometrics and are not necessarily Active Directory issues. The problems specific to biometrics and Active Directory revolve around configuration of the biometrics software. If it isn't configured properly, it might not even read the biometrics data correctly, if at all.

The best way to overcome these issues is to thoroughly test your Active Directory deployment in a test lab environment. Start with a sample base of volunteer users. Ask them to determine if the software works, if it performs up to expectations without hanging or dropping logins, if it reads from the device properly and, finally, if it stores the credentials properly and can be managed from the MMC or ADAM.

Some products that help integrate biometrics with Active Directory are IdentiPHI Inc.'s SAFsolution and DigitalPersona Inc.'s Pro 4.0. Both come with software for server installations that mesh neatly with Active Directory.

Active Directory has come a long way in terms of easing the addition of biometrics to your authentication suite. Microsoft has more plans in the works and is cultivating partnerships with biometrics vendors to make it even easier in the future.

About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and is the author of The Little Black Book of Computer Security available from Amazon. He also has a radio show on WIIT in Chicago on computer security and runs The IT Security Guy blog at
