Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)
From: Michael J. Tubby B.Sc. (Hons) (mike.tubby_at_thorcom.co.uk)
To: <firstname.lastname@example.org>
Date: Sun, 10 Apr 2005 19:02:22 +0100
> On Fri, 1 Apr 2005, Devdas Bhagat wrote:
Just goes to show that fingerprint recognition, or *any* Biometrics
on their own, are insufficient.
A _proper_ security system needs to be based on:
a) something that you own
b) something that you know
You can call (a) a "token" if you wish, you can call (b) a "password"
or "pass phrase" if you wish... the _best_ systems would be ones where
the token identifies itself using an unpredictable sequence like the RSA
SecurID tags and the thing that you 'know' was, say, the next item
from a one-time-pad.
Clearly in the case of the unfortunate Merc driver they obtained the
token (his finger) and there was no requirement for something he knew
- if there was then it would likely have been a (fixed) PIN code which
they could also have extorted under pain-of-death type tactics.
However if they had needed a token plus the next PIN from a sequence
(or part of a challenge/response) then they would have needed him,
alive, and always _with_ the vehicle.... this would make stealing the
Equally, if the biometrics could have asked for any finger, toe, retina
scan the thieves would have had more trouble...
firewall-wizards mailing list