Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)
From: Crispin Cowan (crispin_at_immunix.com)
To: "Marcus J. Ranum" <firstname.lastname@example.org> Date: Fri, 15 Apr 2005 13:45:42 -0700
Marcus J. Ranum wrote:
>In the case where you have a human guard in the system,
>the human guard will generally (assuming it's not a
>$7/hr idiot) so dramatically out-perform a computer system
>that you may as well omit the computer system entirely.
I roll to disbelieve. This study shows 71% of people will give up their
password for a candy bar
Kevin Mitnick was most successful with exploits that involved social
engineering. I don't actually believe that "Private Bob" is
significantly resistant to a social engineering attack.
* Scientist: Bob, this here is my girlfriend, and I don't want my
wife to find out, so could you look the other way?
* Bob: Why, sure ...
Like other multi-factor authentication systems, I suspect that
biometrics + human guard works much better than either in isolation.
-- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com _______________________________________________ firewall-wizards mailing list email@example.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards