RE: Biometrics
From: Vinsik, Steven C (Steven.Vinsik_at_unisys.com)
Date: 07/12/05
- Previous message: Jason Leung: "RE: tippingpoint IDS"
- Maybe in reply to: Trevor Jennings: "Biometrics"
- Next in thread: Ansgar -59cobalt- Wiechers: "Re: Biometrics"
- Reply: Ansgar -59cobalt- Wiechers: "Re: Biometrics"
Date: Tue, 12 Jul 2005 14:53:44 -0400
To: <security-basics@securityfocus.com>
Good point in bringing up potential security issues with biometrics.
Biometrics are certainly not a cure-all for security, but should be
considered as another layer in a layered security approach. I also agree
that a compromised biometric presents a serious problem, but if
multi-factor authentication is employed, then a single point of
compromised authentication does not allow access. The only time I would
recommend using a biometric as the sole authentication mechanism would
be in a low-security/low-risk situation where a compromise would have a
minimal impact.
While it is true that fingerprints can be acquired and possibly copied,
I would consider it far more difficult for an outsider to acquire a
person's fingerprint and successfully recreate it to log into a system
remotely. An insider may have an easier time of acquiring the latent
fingerprint from a co-worker, but the task of re-creating this image
into a workable fake finger is difficult. Again, if this were the only
line of defense I would say that we would be in trouble, but in a
layered security approach, the risk of this happening should be
mitigated.
Many of the fingerprint readers of today, which are of any quality, have
built-in mechanisms to detect when a fake finger is placed on the
fingerprint reader platen. While this is certainly not foolproof and
there are always exceptions to the rule, I would submit that a
fingerprint is in general going to be more secure than a password.
Steve
-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
Sent: Tuesday, July 12, 2005 5:14 AM
To: security-basics@securityfocus.com
Subject: Re: Biometrics
On 2005-07-08 Trevor Jennings wrote:
> Hi, I have a bank customer who wants to roll out a biometric
> (fingerprint) solution in an AD 2003 environment for his branch
> sites. His primary goal is to reduce password administration and
> secondary goal is to provide more secure authentication. Does anyone
> know of any banks that have implemented such a solution? Has anyone
> had experience with 'digital persona's product? Any thoughts on
> bio-metric vendors, reviews or even ideas about token based auth
> (remember password elimination is the key).
Not an answer to your question, but some points you (and your customer)
might want to consider, since biometric authentication has various
security-related issues:
1. With biometrics you always have to find a balance between false
accepts (wrong person gets access) and false rejects (valid user
doesn't get access).
2. Fingerprints can be easily forged [1], and people leave their marks
around everywhere they go.
3. How will you handle a biometric token (i.e. fingerprint) that gets
compromised? People usually have only ten fingers.
[1] http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en
Regards
Ansgar Wiechers
-- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq