Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)

From: Crispin Cowan (crispin_at_immunix.com)
Date: 04/15/05

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Fri, 15 Apr 2005 13:45:42 -0700
    
    

    Marcus J. Ranum wrote:

    >In the case where you have a human guard in the system,
    >the human guard will generally (assuming it's not a
    >$7/hr idiot) so dramatically out-perform a computer system
    >that you may as well omit the computer system entirely.
    >
    >
    I roll to disbelieve. This study shows 71% of people will give up their
    password for a candy bar:
    http://www.enterpriseitplanet.com/security/news/article.php/3342871
    Kevin Mitnick was most successful with exploits that involved social
    engineering. I don't actually believe that "Private Bob" is
    significantly resistant to a social engineering attack.

        * Scientist: Bob, this here is my girlfriend, and I don't want my
          wife to find out, so could you look the other way?
        * Bob: Why, sure ...

    Like other multi-factor authentication systems, I suspect that
    biometrics + human guard works much better than either in isolation.

    Crispin

    -- 
    Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
    CTO, Immunix          http://immunix.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
