WebApp Sec
mailing list archives
Re: Two-Factor Authentication on the Web
From: Andrew van der Stock <vanderaj () greebo net>
Date: Mon, 3 Jul 2006 23:59:44 +1000
My main concerns with biometric devices are:

- they are extremely dangerous to clients for value transactions. People have already lost fingers to them (reference: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm ). Therefore, they are completely unsuitable for high value transactions, as the danger to the client exceeds the value of the item being protected.

- the lack of backup credentials when a credential has to be repudiated (say your index finger has been copied using a gel copy, you have to re-enrol another finger. What happens if someone works out how to fake your face for a facial recognition device, such as using a photo of you? You have NO backup faces to enrol).

- the relative expense of "good" (i.e. better than cereal toy decoder ring) biometric devices wastes valuable security investment when you can buy, say, 40 transaction signing calculators for the cost of a single relatively secure biometric device. If I had a million customers to enrol (and many of us work for places that have more customers than this...), I'd rather spend 1/40th the money and get more trustworthy security, thanks.
Others have made the point that unless you strictly control the device and monitor enrolment, such as the US customs enrolment at airports, there is no safe way to remotely enrol and trust biometric authentication, particularly if the devices are trivially spoofable. And to date, they are trivially spoofable, most particularly the cheapest devices costing about 1.5-4 times the price of a trx signing calculator.
Lastly, biometrics only work when the false positive accept rate within your user population does not exceed tolerable levels. When you have a million customers, no biometric device today has the necessary false positive accept rate. Such a user base with the best devices has a few users who will authenticate as someone else, which, if it was Joe Bloggs logging on to his fingerprint reader and getting unauthorized access to a high value customer like Bill Gates, I'm sure the lawyers would have a feeding frenzy. Heads would roll, in a different sense to my first point.
thanks,
Andrew