Re: Biometrics
From: Eduardo Kienetz (eduardok_at_gmail.com)
Date: 07/13/05
- Previous message: Kirk Brady: "RE: force https"
- In reply to: Ansgar -59cobalt- Wiechers: "Re: Biometrics"
- Next in thread: Jean François Quéralt: "RE: Biometrics"
- Reply: Jean François Quéralt: "RE: Biometrics"
- Reply: Chris Douglas: "Re: Biometrics"
- Reply: Ansgar -59cobalt- Wiechers: "Re: Biometrics"
Date: Tue, 12 Jul 2005 20:12:51 -0300
To: security-basics@securityfocus.com
On 7/12/05, Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net> wrote:
> On 2005-07-08 Trevor Jennings wrote:
> > Hi, I have a bank customer who wants to roll out a biometric
> > (fingerprint) solution in an AD 2003 environment for his branch
> > sites. His primary goal is to reduce password administration and
> > secondary goal is to provide more secure authentication. Does anyone
> > know of any banks that have implemented such a solution? Has anyone
> > had experience with 'digital persona's product? Any thoughts on
> > bio-metric vendors, reviews or even ideas about token based auth
> > (remember password elimination is the key).
>
> Not an answer to your question, but some points you (and your customer)
> might want to consider, since biometric authentication has various
> security-related issues:
>
> 1. With biometrics you always have to find a balance between false
> accepts (wrong person gets access) and false rejects (valid user
> doesn't get access).
> 2. Fingerprints can be easily forged [1], and people leave their marks
> around everywhere they go.
> 3. How will you handle a biometric token (i.e. fingerprint), that gets
> compromised? People usually have only ten fingers.
Just a clarification here...
This is not a problem anymore... there are new fingerprint (even whole
hand) scanners that not only scan your finger/hand, but also measure
temperature/pulse (to make sure the hand is alive :). Besides that if
you use password-based auth, the "thief" would just need to threaten you
that... for example he'll cut your finger if you don't tell him the
password... ;) etc.
One could even combine the scanning of BOTH hands to authorize.
I have experience with using eyeD hamster, which, at that time I was
working with it, was quite good. In fact, I've done the
programming/integration with an application login.
EyeD hamster used (again, at that time ~2 years ago) to store a
WideString as your finger representation. I know there are systems
where the image of your finger is stored. That finger record
representation would also be interesting to discuss.
http://www.pcmag.com/article2/0,1759,88200,00.asp
http://www.secugen.com
> [1] http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
Regards,
--
Eduardo Bacchi Kienetz
LPI Certified - Level 1 & 2
http://www.noticiaslinux.com.br/eduardo/