Kensington USB fingerprint reader for Windows Hello and FIDO/FIDO2 2FA


PHolder


I've ordered one (I have to import it via Amazon) to see how well it works. I have a Windows Hello camera from Intel (made by Creative) and it works well enough, but it doesn't do any FIDO. I am wondering if the Kensington device actually does FIDO or if it just integrates with support built in to Windows. More info to come after I get it (they claim delivery on Easter Sunday, I have my doubts that they'll pay the premium for delivery drivers to work on a public holiday.)
 
After a weird experience where my Amazon [import] parcel went to the post office instead of to my door, and where I had to provide proof of being age 19+ for some strange reason, I finally have my device.

Initial impressions are that it is very straightforward to install in Windows 10. Just plug it in... Windows will retrieve the drivers and install it with zero fuss. You do then need to configure it in the appropriate Windows Settings page. (Search for "Hello" in settings is the easiest way there.)

When you configure it Windows will require you to establish a PIN if you do not have one. I've always found this annoying, but whatever. You will train the device by pressing it with your finger multiple times in at least two "angles." Thereafter, your lock screen will say to touch the device to unlock the screen.

I haven't yet gone into trying it as a second factor on a web page, but since it appears to have a "lock icon LED" I think it should be possible to work similar to a Yubikey where it would flash when it is expecting you to authorize something.

It's very tiny, and the USB cable is pretty short and not removable (which kind of sucks to be honest.) It's a USB-A connector on the end, which would mean dongletown for certain Mac users. (Assuming it also works with a Mac, which I don't actually know.) It really should have a USB-C connector on the back so you could replace the cable if you wanted. Like any modern device, there is no included manual, even though there is warranty documentation that warns you to read the manual before using it. You don't really need the manual though, and there are PDFs on the support site with instructions on how to configure usage with specific sites/apps.

I'll add more here later if I have anything new to add after I try using it for 2nd factor authentication.
 
Sit, FIDO, sit!
Good dog!
*woof!*

Does the fingerprint reader work with any finger other than the one(s) you trained it with? Does it detect a pulse in the fingertip/whatever you used as a way of determining whether it's a real finger/toe/etc.? (Sit, Ubu, Sit!)
 
whether it's a real finger
Well, their marketing isn't very helpful in talking about what they do... Question 13 from their FAQ says "anti-spoof" without them saying how.

13. What technology is used to secure my biometric information?
  1. Synaptics Technology (SentryPoint® end-to-end security)
  2. SentryPoint®: A suite of security features for the Synaptics fingerprint sensor solution.
  3. SecureLink™: Enables a strong TLS 1.2 (communication channel encryption)/AES-256 (data encryption) from the sensor to the host.
  4. PurePrint®: Anti-spoof technology. Detects real fingers from fake fingers.
  5. Match-in-Sensor™: Technology whereby the fingerprint template is securely matched on the fingerprint sensor silicon itself. This limits the data transfer to the host as a simple “yes/no” communication. Even then, the match result is encrypted.
  6. Quantum Matcher™: The chip features a 192 MHz processor, a hardware accelerated matcher.
 
  • PurePrint®: Anti-spoof technology. Detects real fingers from fake fingers.
I don't know how much detail goes into registered trademark applications, but searching for PurePrint might yield more details... hmm...
 
A good fact about fingerprint readers in FIDO keys is that the data is kept in the device itself (your fingerprint is not sent beyond the device).

One of the potential issues with biometrics is, unlike passwords, you can't easily change things like your fingerprints (so if the fingerprint itself was stored externally, and that escaped in some way, your only option would be to remove/replace the biometric factor).