Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)

From: Michael J. Tubby B.Sc. (Hons) (mike.tubby_at_thorcom.co.uk)
Date: 04/10/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Sun, 10 Apr 2005 19:02:22 +0100
    
    

    > On Fri, 1 Apr 2005, Devdas Bhagat wrote:
    >
    >> http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm
    >>
    >

    <snip>

    Just goes to show that fingerprint recognition, or *any* Biometrics
    on their own, are insufficient.

    A _proper_ security system needs to be based on:

        a) something that you own
        b) something that you know

    You can call (a) a "token" if you wish, you can call (b) a "password"
    or "pass phrase" if you wish... the _best_ systems would be ones where
    the token identifies itself using an unpredictable sequence like the RSA
    SecurID tags and the thing that you 'know' was, say, the next item
    from a one-time-pad.

    Clearly in the case of the unfortunate Merc driver they obtained the
    token (his finger) and there was no requirement for something he knew
    - if there was then it would likely have been a (fixed) PIN code which
    they could also have extorted under pain-of-death type tactics.

    However if they had needed a token plus the next PIN from a sequence
    (or part of a challenge/response) then they would have needed him,
    alive, and always _with_ the vehicle.... this would make stealing the
    vehicle pointless.

    Equally, if the biometrics could have asked for any finger, toe, retina
    scan the thieves would have had more trouble...

    Mike

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
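
The "token plus the next PIN from a sequence" scheme described in the message, as an added example that is not part of the original post. It assumes a Lamport-style hash chain for the PIN sequence and an HMAC-over-counter code as a stand-in for the token (not SecurID's actual algorithm); all names, keys and seeds are constructed for illustration.

```python
import hashlib
import hmac

def h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Return h applied n times to seed (the n-th link of the PIN sequence)."""
    for _ in range(n):
        seed = h(seed)
    return seed

def token_code(key: bytes, counter: int) -> str:
    """Stand-in for a hardware token's changing code (assumption, not SecurID)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]

class Verifier:
    """Server side: knows the token key and only the last accepted chain value."""

    def __init__(self, token_key: bytes, anchor: bytes):
        self.token_key = token_key
        self.expected = anchor  # h^n(seed); the seed itself is never stored here
        self.counter = 0

    def login(self, code: str, pin: bytes) -> bool:
        # Both factors must pass: something you own AND something you know.
        token_ok = hmac.compare_digest(code, token_code(self.token_key, self.counter))
        pin_ok = hmac.compare_digest(h(pin), self.expected)
        if not (token_ok and pin_ok):
            return False          # state is unchanged on failure
        self.expected = pin       # the used PIN becomes the next check value
        self.counter += 1
        return True

def demo():
    # Constructed sample values for the demonstration.
    seed, key, n = b"constructed-seed", b"constructed-token-key", 5
    v = Verifier(key, chain(seed, n))
    first = v.login(token_code(key, 0), chain(seed, n - 1))     # valid pair
    replay = v.login(token_code(key, 1), chain(seed, n - 1))    # old PIN reused
    pin_only = v.login("not-a-code", chain(seed, n - 2))        # PIN without token
    second = v.login(token_code(key, 1), chain(seed, n - 2))    # next valid pair
    return first, replay, pin_only, second

if __name__ == "__main__":
    print(demo())
```

A PIN that has been accepted once is rejected afterwards, so a value captured or extorted after use does not open the next session, unlike the fixed PIN the message contrasts it with.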

