nanog mailing list archives
Re: User negligence?
From: "Stephen Sprunk" <stephen () sprunk org>
Date: Sun, 27 Jul 2003 22:38:20 -0500
Thus spake "Jamie Reid" <Jamie.Reid () mbs gov on ca>
All that user end security devices do is put more non-repudiable onus on the user, so that when it fails, the service provider is protected, and the user is cryptographically guaranteed to be SOL. ... and when the database gets compromised, nobody will believe that the user isn't responsible, because "The System is Perfect".
I hope this was in jest... All it will take is one expert witness to show the system is not perfect and there are hundreds of ways the bank (or even a smart criminal) could defraud the user.
Biometrics are an excellent example of this. They are a single factor authentication technology, maybe two factor if there is a PIN,
There are now techniques to copy latent fingerprints off surfaces and produce counterfeits that have been shown to fool _all_ commercially available fingerprint gear -- and it costs less than $2 per use. Biometrics is a failure because there is no shared secret; once a user submits to a test (either knowingly or not), the validator has all the information necessary to spoof that person _for the rest of their life_.

S

Stephen Sprunk
CCIE #3723
K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking