WebApp Sec: RE: Two-Factor Authentication on the Web

RE: Two-Factor Authentication on the Web

From: <Glenn.Everhart_at_chase.com>
Date: Mon, 3 Jul 2006 08:43:48 -0400

A biometric in practice is NOT your DNA, fingerprint, etc., but some data representation of something like this, the way it gets used in computers. That can be tied to an individual PROVIDED someone is making very very sure that individual generates the signal that goes into the representation, and PROVIDED nothing is interfering with the translation. People leave their fingerprints and DNA all over the place, so that obtaining a fake input for a sensor is relatively easy. Also, how often do people using fingerprints actually watch those entering them, or better yet inspect their fingers? (Play-Doh fake fingerprints might show, but transparent ones made of gel?) Worst thing about biometrics is they must be guarded so that fakes cannot be gathered for ~100 years. I do not relish the prospect of needing to wear gloves the rest of my life, and have no idea how anyone could prevent collection of his DNA.

A signature is actually a better biometric in that it requires conscious effort to produce, and a copied one can sometimes be identified by pointing out it is identical to the original. Trouble is that it does not lend itself to electronic testing. I would suggest though that anything that is to be used as a "signature" should require conscious activity by the subject, which should make it harder for others or their mechanized agents to "authenticate" as someone without the someone's knowing.

Glenn Everhart

-----Original Message-----
From: Gaydosh, Adam [mailto:GaydoshA_at_ctc.com]
Sent: Sunday, July 02, 2006 6:10 PM
To: Webappsec Mail List
Subject: RE: Two-Factor Authentication on the Web

>
>"But even when biometric authentication "works", it still does
>not prove my _identity_, it just proves that I am who *I said*
>I am, which is another thing entirely;"
>Umm... I don't follow. How could your DNA (I would waver on
>this one since I heard somewhere that twins could have the
>same DNA), fingerprint, retinal scan, etc, not be unique to
>you and only you?

I think the idea is that the concept of 'identity' which we are
attempting to authenticate is not an inherent characteristic of our
bodies, but something that has been officially associated with a given
biometric by the issuing authority, e.g. my SSN, Account Name, etc...are
not in my DNA.

Received on Jul 03 2006
