Security Basics mailing list archives
RE: Biometrics
From: "Vinsik, Steven C" <Steven.Vinsik () unisys com>
Date: Tue, 12 Jul 2005 14:53:44 -0400
Good point in bringing up potential security issues with biometrics. Biometrics are certainly not a cure-all for security, but should be considered as another layer in a layered security approach. I also agree that a compromised biometric presents a serious problem, but if multi-factor authentication is employed, then a single point of compromised authentication does not allow access. The only time I would recommend using a biometric as the sole authentication mechanism would be in a low security/low risk situation where a compromise would have a minimal impact.

While it is true that fingerprints can be acquired and possibly copied, I would consider it far more difficult for an outsider to acquire a person's fingerprint and successfully recreate it to log into a system remotely. An insider may have an easier time of acquiring the latent fingerprint from a co-worker, but the task of re-creating this image into a workable fake finger is difficult. Again, if this were the only line of defense I would say that we would be in trouble, but in a layered security approach, the risk of this happening should be mitigated.

Many of the fingerprint readers of today, which are of any quality, have built-in mechanisms to detect when a fake finger is placed on the fingerprint reader platen. While this is certainly not foolproof and there are always exceptions to the rule, I would submit that a fingerprint is in general going to be more secure than a password.

Steve

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Tuesday, July 12, 2005 5:14 AM
To: security-basics () securityfocus com
Subject: Re: Biometrics

On 2005-07-08 Trevor Jennings wrote:
Hi, I have a bank customer who wants to roll out a biometric (fingerprint) solution in an AD 2003 environment for his branch sites. His primary goal is to reduce password administration and secondary goal is to provide more secure authentication. Does anyone know of any banks that have implemented such a solution? Has anyone had experience with 'digital persona's product? Any thoughts on bio-metric vendors, reviews or even ideas about token based auth (remember password elimination is the key).
Not an answer to your question, but some points you (and your customer) might want to consider, since biometric authentication has various security-related issues:

1. With biometrics you always have to find a balance between false accepts (wrong person gets access) and false rejects (valid user doesn't get access).
2. Fingerprints can be easily forged [1], and people leave their marks around everywhere they go.
3. How will you handle a biometric token (i.e. fingerprint) that gets compromised? People usually have only ten fingers.

[1] http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq