Security Basics mailing list archives
Re: Biometrics
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 13 Jul 2005 19:43:30 +0200
On 2005-07-12 Vinsik, Steven C wrote:
> Good point in bringing up potential security issues with biometrics. Biometrics are certainly not a cure-all for security, but should be considered as another layer in a layered security approach. I also agree that a compromised biometric presents a serious problem, but if multi-factor authentication is employed, then a single point of compromised authentication does not allow access.
I brought this up mainly because the OP was talking about password elimination.
> The only time I would recommend using a biometric as the sole authentication mechanism would be in a low-security/low-risk situation where a compromise would have a minimal impact.
Even then I would rule out fingerprint systems. Fingerprints are great for police work (because people tend to leave them around), but they are not very good for authentication purposes (for the very same reason).
> While it is true that fingerprints can be acquired and possibly copied, I would consider it far more difficult for an outsider to acquire a person's fingerprint and successfully recreate it to log into a system remotely. An insider may have an easier time of acquiring the latent fingerprint from a co-worker, but the task of re-creating this image into a workable fake finger is difficult.
No. In fact it's relatively easy. Please read the article about forging fingerprints I mentioned in my previous mail. It describes *one* way of doing that (there are several others). [...]
> Many of the fingerprint readers of today, which are of any quality, have built-in mechanisms to detect when a fake finger is placed on the fingerprint reader platen. While this is certainly not foolproof and there are always exceptions to the rule, I would submit that a fingerprint is in general going to be more secure than a password.
Most definitely not. There are *far* too many ways to trick fingerprint readers into accepting a forged fingerprint. Not to mention FAR and FRR.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq