1

UPDATE:

I found the answer to the "How To?" part of my question on superuser:


ORIGINAL QUESTION:

I'm looking to upgrade my home computer security, and I've been thinking about using a biometric scanner. At the time being, fingerprint scanners are the most easily obtainable biometric scanners, and they're also the most convenient, which is why I'm considering using them. For the same reason, a TOTP application like Google Authenticator is not exactly what I'm looking for - sure, it's probably even more secure than just a password/fingerprint combination (compared to only having a password), but its impact on usability is too severe for my purposes.

Unfortunately, replacing my password with a biometric scan would actually be a downgrade, since obtaining a fingerprint is significantly easier than obtaining my computer password, which I only use for my computer. A fingerprint, on the other hand, can be found on anything I've touched.

Therefore, I'd like to utilize a 2-factor-authentication that requires both my password and my fingerprint (something I know + something I am). Unfortunately, it appears that Windows Hello doesn't support this natively (not unless you're connected to an Active Directory plus some other magic, that is).

Hence my question: at the time being, is it somehow possible to enable a 2-factor-authentication (using a biometric scan and a password) to log on to Windows 10?
Additionally, are there any password safes available that allow such a 2-factor-authentication?

Mike Ounsworth
PixelMaster
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/81464/discussion-on-question-by-pixelmaster-combining-a-fingerprint-scan-and-password). – schroeder Aug 10 '18 at 16:00
  • @schroeder would you mind closing my question as off-topic? I've been looking for product recommendations rather than an answer to *Should I use a two-factor authentication combining a password and fingerprint*. However, these types of questions are apparently off-topic, as Mike kindly informed me. For the sake of future readers, I don't want to simply delete it. – PixelMaster Aug 10 '18 at 16:10

2 Answers

3

If you take a look at this link or, better yet, this link you'll see examples of how to set up Google Authenticator as your second factor, which will then require your password AND the code to log onto Windows.

There are other methods (some free) to do the same thing, too.

Jesse P.
  • I know about Google Authenticator, and I'm using it for stuff like Discord already. I wasn't aware you could use it for a windows login, though (thanks for that tip). Anyhow, a phone can get stolen, and it's a lot more effort to unlock your phone, open the app, and type the code into your computer, than it is to put your finger on a scanner. – PixelMaster Aug 10 '18 at 13:21
  • Granted a phone can be stolen but it would still be locked and nobody would be able to get your tokens (in theory). Also, if you use an app such as Authy to handle all of your 2FA accounts, you can access those tokens from multiple devices. For example, if you have Authy on your phone and also your laptop, if your phone is lost you can still access your codes from your laptop (a shortcoming of the actual Google Authenticator app). – Jesse P. Aug 10 '18 at 13:57
  • As for being more of a process than just using your fingerprint, I can't argue that - it's true that it does require more steps. But, if you're wanting added security to your environment (which you obviously are, otherwise we wouldn't be discussing this), aren't those extra steps worthwhile to have even better security than a fingerprint scanner? – Jesse P. Aug 10 '18 at 13:58
  • For comparison, let's say I have a room in my house, containing a safe and other valuables. Currently, it's protected with a 4-digit pin code, and I want to upgrade security. Now, I could replace the passcode with a 64-letter alphanumerical password, add an iris scanner, a hand vein scanner, a fingerprint scanner and a voice scanner, as well as a 24/7 team of guards. Getting inside would take a long time, for both me and intruders. Or I only install one or two scanners in addition to the passcode, which wouldn't make it as secure, but still more secure than it used to be. <-- compromise :) – PixelMaster Aug 10 '18 at 14:06
  • @PixelMaster I didn't lack an understanding of what you meant. To me, unlocking your phone to get a code is trivially easy and effortless. I do it all the time with the 38+ accounts that are set up with Google Authenticator. It takes maybe 5 seconds to unlock my phone, open the Authy app, and get a code. Maybe another 3 seconds to type it into the code entry field. So, less than 10 seconds to have much better security. If that's too much work, though, that's fine... We can stick to biometrics. – Jesse P. Aug 10 '18 at 14:11
1

First off,

FINGERPRINT SCANNERS DO NOT PROVIDE SECURITY

They may keep your kid sister out of your computer, but not a skilled attacker. If you want to set up a fingerprint-unlock, that's fine, but know that you are doing it entirely for convenience reasons not for security reasons.


Fingerprint scanners are very easy to spoof.

With a couple dollars' worth of supplies it's pretty easy to lift a fingerprint off the device itself (or even from a photo of you) and make a mold that will fool the scanner. These articles speak for themselves.

(I googled for iphone rather than windows pc because there are more articles)


Fingerprints are rather hard to change once compromised

If someone cracks your email password, then you change your password. If you lose your phone with the Google Authenticator TOTP app, then once you have a new phone, you deactivate your old OTP codes. If someone spoofs your fingerprints, then you ... get new fingerprints?


As far as I'm concerned, biometrics ("something I am") are only useful in human-supervised settings like airports where someone can check that the machine is in fact scanning you (i.e. you're not wearing a glove, holding a photo in front of the camera, etc).

Yes, phone and laptop manufacturers are increasingly putting fingerprint scanners into their devices, but you should consider it a convenience feature, not a security feature.

> TOTP application like Google Authenticator is not exactly what I'm looking for - its impact on usability is too severe for my purposes.

Unfortunately, this is where you need to make a personal choice between security or convenience. (I won't judge your decision, just don't pretend that you're getting both.)

Mike Ounsworth
  • I'm aware that fingerprints are indeed not very secure, which is why I'm not simply using Windows Hello, but instead looking for a 2-factor-authentication. Sure, ideally the software that replaces/modifies the login process would allow the usage of different options for a multi-factor-authentication, including a password/passcode, biometric identification methods, TOTP apps and throttling mechanisms. I'm not a high-value target of some kind, though, so I'm not sure that's necessary - from my point of view, a fingerprint + password combination is secure enough. – PixelMaster Aug 10 '18 at 14:24
  • Then I've done my public service announcement :) – Mike Ounsworth Aug 10 '18 at 14:29
  • It's not clear to me that `password+fingerprint` is any more secure than `password` by itself, which is probably why you're having troubles finding it. If your question is _"How do I do this?"_ rather than _"Should I do this?"_ then it would be a better fit on superuser. Configuration or product recommendations are generally considered off-topic here. – Mike Ounsworth Aug 10 '18 at 14:31
  • Hmm. I guess you're right, a product recommendation is more what I was looking for (and "*Should I do this?*" has been clearly answered with a "no" ^^). I flagged the question to be closed as off-topic (I'd vote to close myself, but I don't have the rep). – PixelMaster Aug 10 '18 at 14:39
  • I'm also not a security expert, nor an experienced hacker (the most I did was hack a school computer using a bootable USB-Stick). I figured `password + fingerprint` would be a notable upgrade compared to `password` only, but apparently I was wrong ^^ – PixelMaster Aug 10 '18 at 14:41
  • I mean, maybe? It probably depends on your security model: where do you set your bar for the amount of skill / effort you're trying to defend against? Either way though, I suspect that getting your password (cracking, keylogging, watching over your shoulder, ...) is probably a higher bar than spoofing your fingerprint. – Mike Ounsworth Aug 10 '18 at 14:53