Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)

From: Vin McLellan (vin_at_theworld.com)
Date: 04/16/05

    To: Kevin <kkadow@gmail.com>, firewall-wizards@honor.icsalabs.com
    Date: Fri, 15 Apr 2005 22:31:56 -0400

    Marcus <mjr@ranum.com> highlighted an "important point:"

    > > [...] against an opponent that is willing to physically attack,
    > > threaten, or torture you ALL authentication systems
    > > are worthless. Especially if you assume a level of indirection
    > > can be added (I.e.: "log me into the system or your child dies.")

    Kevin Kadow (and ArkanoiD) pointed out that some authentication systems
    offered a duress PIN:

    > There are relatively simple safeguards that can be added on to
    > most systems to address this. For example, many ATM systems
    > (and also the SecurID hardware token product) support what are
    > called "duress PINs". Basically, enter your PIN backwards, and
    > the system still grants you access, but also sets off a silent alarm.

    I've always been intrigued that duress PINs were, for many years, on
    everybody's initial check-list for pre-qualifying a 2FA system, but they
    were seldom actually implemented outside of very high security government
    systems.

    I know that RSA, which made a big deal about the option in the 1980s and
    early 1990s, basically stopped talking about it. RSA sales folk certainly
    stopped using it to sell SecurIDs when they realized how few enterprise
    system managers actually wanted to implement it. It's still in the code,
    and it could be implemented upon request -- but I suspect the number of
    actual implementations in recent years is tiny.

    I always thought this was because -- as with the finger-risk in biometrics
    being discussed here -- the cost/benefit ratio was out of whack. IT pros
    had second thoughts about asking employees to place themselves, or their
    loved ones, at risk by telling them to bluff someone who was threatening
    them with actual violence.

    Variety store owners may get away with asking 20-year-olds to risk getting
    cut in half by a shotgun to protect $74 in the cash register -- but can,
    say, Intel or Fidelity get away with asking a VP to set off an alarm when a
    bandit has a gun to his head, or the head of his wife? I don't think so.

    Better to do what the guy with the gun wants you to do, and let the cops
    deal with the crime. Isn't that what bank tellers are
    told? Countermeasures or alarms should be systemic, or buried in the
    delivery system -- not dependent on the valor or stupidity of some man or
    woman facing the business end of a pistol.

    As I recall, btw, both Intel and Microsoft sell fingerprint readers, but
    they explicitly qualify the sale with a warning that these are devices
    suitable only for minimal security home environments, and limited functions
    like switching between multiple authorized users. I think Microsoft went
    further and tried, in its code, to block the use of their device for server
    authentication -- although I know that some Admins have jury-rigged their
    servers to permit this unauthorized use.

    RSA, where I am a consultant, still refuses to support anything beyond a
    formally-labelled "pilot" application to explore the use of biometrics as
    a third factor with its SSO app, SOM, or its extranet federation utility,
    FIM -- although a couple of RSA engineers track developments in the field
    closely and collaborate with several biometric developers.

    Suerte,
                _Vin

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
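The reversed-PIN duress scheme quoted above, written out as an added illustration (not code from the thread, and not how SecurID or any ATM actually implements it; the function names and the minimum PIN length are assumptions). It shows the two checks a verifier needs, the enrollment-time caveat that a palindromic PIN can never signal duress, and why the user-facing response must be identical in the normal and duress cases so that the alarm stays silent, as Vin's point about "systemic" countermeasures demands:

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    granted: bool   # does the terminal open the session?
    duress: bool    # should a silent alarm be raised out of band?


def is_duress_capable_pin(pin: str, min_len: int = 4) -> bool:
    """Enrollment check (assumed policy): a palindromic PIN such as '1221'
    reads the same backwards, so the holder could never signal duress.
    Reject such PINs when they are chosen, not at login time."""
    return pin.isdigit() and len(pin) >= min_len and pin != pin[::-1]


def verify_pin(stored_pin: str, entered_pin: str) -> AuthResult:
    """Normal PIN -> access. Reversed PIN -> access plus silent alarm.
    Anything else -> denied. Both comparisons run unconditionally and use
    hmac.compare_digest so neither timing nor an early return reveals
    which branch matched."""
    normal = hmac.compare_digest(stored_pin.encode(), entered_pin.encode())
    duress = hmac.compare_digest(stored_pin[::-1].encode(),
                                 entered_pin.encode())
    if normal:
        return AuthResult(granted=True, duress=False)
    if duress:
        return AuthResult(granted=True, duress=True)
    return AuthResult(granted=False, duress=False)


def terminal_message(result: AuthResult) -> str:
    """What the person at the keypad sees. Deliberately identical for the
    normal and duress cases: the alarm goes to a separate channel (a
    security desk, a SIEM event), never back to the terminal."""
    return "Access granted" if result.granted else "Access denied"


if __name__ == "__main__":
    # Constructed sample: PIN 2468, holder enters it backwards under duress.
    r = verify_pin("2468", "8642")
    print(terminal_message(r), "| silent alarm:", r.duress)
```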
