RE: Security procedure question

["Henry Troup" <HenryT () watchfire com>]

Mario A. Spinthiras describes a three-factor authentication system:

> - What you know
> - What you have
> - Who you are

which is excellent, but there are a couple of caveats.

To maintain the independence of the factors requires end-user best
practices, specifically not keeping the USB device conveniently at hand
in the laptop bag.  This requires training and a continual awareness
campaign.

In the case where the USB fingerprint reader is stolen with the laptop,
there is some degradation of security, possibly a lot:

I haven't found an authoritative update to show that today's fingerprint
readers are any more secure than the ones that Tsutomu Matsumoto spoofed
in 2002 - details at http://cryptome.org/gummy.htm and
http://cryptome.org/fake-prints.htm 

At that time, some fingerprint readers could be spoofed as easily as
breathing on them, or with a flashlight at just the correct angle.  Both
of these techniques leverage the residual skin oils left on the device
surface.

So, a careless user could take it down to single-factor authentication.
To manage this, you need to use the principle of "make the right thing
an easy thing"; somehow make it in the user's interest to keep the parts
separated.  (As an aside, remember that male and female users may have
significantly different preferred styles of device; in general males
have pockets, females may have no pockets and prefer a purse.)
Strangely enough, that would push in the direction of Bluetooth over
USB; even though normally we feel that wireless devices don't add
security.  BMW has gone this route with some recent automobiles,
preferring a proximity card over a physical key.

Also, you need to ensure that authorized service people can work on the
laptop without compromise of the confidential information; that is, you
still need user-level encryption inside the boot-level protection.


Henry Troup
Watchfire Corporation
Suite 300, 1 Hines Rd.
Kanata, ON K2K 3C7 Canada
613-599-3888 x4048


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------