Fingerprint Logon - It really won't work

Did anyone else out there realise that it's ONLY Lenovo laptops that are supported with fingerprint logon? I've been using the Utimaco products for years on many platforms and it's not until we were forced into switching from SG Easy to SGN that we ever had any issues with FPL. It turns out that only a very restricted list of readers is supported and all of those are ONLY on Lenovos. See: http://www.sophos.com/support/knowledgebase/article/108789.html

What a HUGE oversight! Do they really think there's only one laptop manufacturer with biometrics?

Matt

:3818


This thread was automatically locked due to age.
  • Hello Matt,

    Fingerprint authentication today is still not standardized, and different vendors all add their own flavours of mostly vendor-specific software to it. To ensure customers get a good and compatible experience when combining fingerprint with full disk encryption, Sophos has decided to focus on the Lenovo models for the time being, since due to our close cooperation with Lenovo, we can ensure interoperability on hardware and software level.

    We plan to support other models in future as standards progress in that area.

    Best regards

        Richard Aufreiter - Product Manager Data Protection

        richard.aufreiter@sophos.com

    :3850
  • Hi Richard,

    It's not a very 'close relationship' though because you don't support the newest Lenovo fingerprint readers either e.g. the ones on the X201 or T510i's.

    What's important to note here is that SGE (pre 5.50) didn't really have any issues with most manufacturers when not using POA (I have it working quite happily on Sony, Dell and Lenovos) but SGN (which we're forced to use because of the retirement of SGE and non-support for Vista/7) does. So the software has pretty much written off any hope of biometric security on all platforms apart from older Lenovo models. A real backward step for us.

    FYI, I've watched an experienced secretarial PA glance over the shoulder of a visitor and noted that person's password as they typed it (a 10 digit code which included capitals, letters and a special character). Not having biometric protection is simply asking for trouble. Surely you must realise this!!!!!!

    Matt

    :3851
  • Hi Matt,

    There is a service release coming up in August that is formally Lenovo approved and extends the fingerprint support on Lenovo. Regarding fingerprint support on other platforms, I see your point, but can't promise you short term support due to the reasons mentioned above. Of course it is our general goal to support as much hardware as possible on as many platforms as possible.

    Best regards

        Richard 

    :3852
  • Just to clarify the Lenovo Fingerprint support update...

    (Taken from my post on the thread "Safeguard Fingerprint logon - Lenovo laptop(s)")...

    Hopefully this will provide a bit more clarity...

    SGN 5.50.1 (which is scheduled for mid August) is supposed to provide support for the following Lenovo fingerprint software versions:

    1)      UPEK: 5.8.5.6014

    2)      Authentec: 3.3.2.27

    The latest version of the UPEK chip fingerprint software from Lenovo is 5.9.x. However if you look at the download link on the Lenovo website for the 5.9.x software, there is an advisory stating that users of SGN 5.50 and Windows 7 should use version 5.8.5.6014 which is a Vista package. I've tested this package with Windows 7 and whilst it doesn't cause any harm to the system, and fingerprint works okay, it's still not supported from Sophos, and fingerprint POA doesn't work.

    Thus the reason I'm waiting for SGN 5.50.1.

    As a side note I also requested that LSH (Local Self Help) works with fingerprint activated policies too - seeing as fingerprint isn't working for a lot of customers we have to fall back to password authentication. Unfortunately when fingerprint authentication is enabled on a policy Local Self Help stops working. (This is by design). Not good when the users forget their passwords and the Servicedesk is closed.

    I understand that no-one forgets their fingerprint but until Sophos can guarantee 100% that fingerprint will work and that it won't fall back to password authentication then there is a clear need for LSH with fingerprint authentication. Not a well thought out design if you ask me ;)

    I've been advised that Local Self Help will work with fingerprint enabled policies in the next major release of SGN. Let's wait and see eh.

    How many days until Mid August?

    :3861
  • That's a great post but just to reiterate my original post, this is only Lenovo - a huge oversight if you ask me to dismiss manufacturers like Dell, HP or Sony. A lot of these manufacturers also use the same UPEK chips and drivers (with POA, I believe that the Windows driver version is irrelevant anyway).

    The most frustrating part of all this is how I explain this to my users. E.g. I have a Sony Vaio VGN-SZ1XP with a touchchip (UPEK 1.9.2.71 driver) running SGE 4.50. I don't use POA (actually I think the arguments for POA are mostly humbug!) and fingerprint logon works 'sweet as'. I'm able to login with fingerprint and use the fully encrypted system without so much as a Ctrl-Alt-Del on the keyboard. Migrating users from older platforms to nice shiny new laptops (even Lenovos) and moving from XP to 7, I have to explain to them that they no longer can log on with a fingerprint. Is that a step forward? I don't think so! More frustrating is that they can see the fingerprint logon available now but that won't log on to SGN and makes them authenticate to SGN immediately after. It's all very well adding management functions and reportability but don't sacrifice basic functionality and decent biometric security.

    Matt

    :3862
  • Hi RL,

    I can confirm that Local Self Help for fingerprint is in work and will be released with version 5.60 of SafeGuard Easy / SafeGuard Enterprise, to complete the functionality there.

    Regards

        Richard

    :3865
  • Hi Richard,

    Doesn't help me but for RL's benefit, if 5.50.1 is to be released in August, when is 5.60 due out?

    Matt

    :3868
  • Hi Matt,

    The current planning for version 5.60 is end Q1/2011.

    Regards

        Richard

    :3869
  • Is there any hope for further scanner support in that release (which could be 9 months away), including other manufacturers - even without POA?

    Matt

    :3870
  • Hi Matt,

    With POA off, this may be possible. My colleagues from R&D need to do some research on that. Please contact my colleague robert.zeh@sophos.com directly to follow up.

    Regards

        Richard

    :3871