RE: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)

From: Jeremiah Cornelius (jeremiah_at_nur.net)
Date: 04/15/05

    To: "Marcus J. Ranum" <mjr@ranum.com>, "Paul D. Robertson" <paul@compuwar.net>, "Michael J. Tubby B.Sc. (Hons)" <mike.tubby@thorcom.co.uk>
    Date: Fri, 15 Apr 2005 00:18:05 -0700
    
    

    Fingerprint scans, as I've seen implemented, represent significantly
    less entropy than the 14 character "complex" password. The grids are
    pretty coarse.

    Biometrics are maybe a good replacement for PINs, used to authenticate a
    two-factor item, like a smartcard or time-based number token. In fact I
    wish this were available! They're crap for password replacement.

    There is a certain vendor selling fingerprint readers for Windows domain
    logon. They are "stashing" a tough password behind a low-entropy
    fingerprint. Business is good, because... "Hey! Biometrics!"

    Microsoft - to their credit - is marketing a fingerprint reader only as
    a store for low-grade, website passwords and IM logins.

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Marcus J. Ranum
    > Sent: Thursday, April 14, 2005 6:21 PM
    > To: Paul D. Robertson; Michael J. Tubby B.Sc. (Hons)
    > Cc: firewall-wizards@honor.icsalabs.com
    > Subject: Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)
    >
    > Paul D. Robertson wrote:
    > >I don't think a wrist is that much more trouble than a finger to a
    > >machete
    >
    > I know you're just being funny, but this all misses an important
    > point: against an opponent that is willing to physically attack,
    > threaten, or torture you ALL authentication systems
    > are worthless. Especially if you assume a level of indirection
    > can be added (I.e.: "log me into the system or your child dies.")
    >
    > There's only so good it's worth making these things. My problem
    > with biometrics is that they're not even *that* good without a
    > heck of a lot of extra mechanisms and tweakage. Biometrics
    > are really only good if you, ummm.... sell biometrics.
    >
    > mjr.
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
