WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Two-Factor Authentication on the Web

From: Andrew van der Stock <vanderaj () greebo net>
Date: Sat, 1 Jul 2006 00:46:41 +1000

On 30/06/2006, at 4:03 PM, Tim wrote:


 the only way I see that you can accurately validate
someone would be through biometrics (something you are)


This is not possible, as:
All devices in general are tamperable and not trustworthy when in the hands of the attacker
Biometric devices have a long history of being little more than snake oil or toys. The good ones are significantly more expensive than ANY other form of actual 2FA authentication device
Many attacks against existing biometric devices are so trivial as to be a complete joke. Check out this page: 

http://www.heise.de/ct/english/02/11/114/
Lastly, trustworthy biometric registration requires an in-person visit, thus negating any possibility of remote authentication.
No matter what 2FA device you use, evidence of identity is only as strong as the registration process. I'd prefer to see the initial registration (and recovery of registration) done only in-person. Otherwise the process is open to abuse by definition. 

thanks,
Andrew

Attachment: smime.p7s
Description:

Previous By Date Next
Previous By Thread Next

Current thread: