Educause Security Discussion mailing list archives
Re: SQRL (Re: [SECURITY] Image, word, and password login)
From: Ryan Hiebert <ryan () RYANHIEBERT COM>
Date: Sat, 7 Dec 2013 02:44:47 -0600
On Fri, Dec 6, 2013 at 8:25 PM, Mclaughlin, Kevin (mclaugkl) <mclaugkl () ucmail uc edu> wrote:
Ben and all: I would like to hear a bit more on the idea of biometrics asserting identity and not authorization. I am curious as to the distinction and what would then provide authorization. This seems like a change in the tried and true 1, 2, 3 factors of authentication, which are used to provide proof of your identity but which are then used to provide the identified user with authorization to the items they are entitled to. If that is the case, wouldn't that mean that any of the forms (password, biometric, token, etc.) are for both asserting identity and authorization?

- Kevin
Hi Kevin.

The issue for me regarding using fingerprints for authentication (proving you are somebody) instead of identity (figuring out who you're claiming to be) is that fingerprints cannot ever be changed. Because of this, it ends up being a bit closer to a Social Security Number than a username and password. Since the user cannot ever change his fingerprint, if it is ever compromised, all systems that rely on his fingerprint for authentication are now vulnerable.

Some systems (iPhone 5S) are encouraging use of a fingerprint for some authentication. This is a trade-off in security, trading security for convenience. It's convenient, quick, and of moderate difficulty to bypass, but it is possible, and once it's done, the user cannot go change his fingerprint as he would a password. If his fingerprint is compromised, and his authentication relies on his fingerprint, then his authentication is permanently compromised.

Perhaps for your application that trade-off is a reasonable idea. However, it's very important to consider the ramifications of this, because it is true: fingerprints merely assert identity, not authentication.

Ryan
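The design Ryan is arguing for, worked through as an added example that is not part of the original thread and not code from any of its participants: the biometric template is used only to look up which account is being claimed, and a separate, revocable secret does the authenticating. The `AuthServer` class, the constructed "minutiae vector" byte string standing in for a real fingerprint template, and the exact-hash lookup in place of a real fuzzy biometric matcher are all assumptions made for illustration. The scenario function shows the difference the post describes: after a template and secret are both stolen, rotating the secret locks the attacker out, while a biometric-only login has nothing to rotate.

```python
import hashlib
import hmac
import os


class AuthServer:
    """Hypothetical server: biometric identifies the account, a revocable secret authenticates it."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self):
        self.user_by_template = {}   # template id -> username (identity lookup only)
        self.credential = {}         # username -> (salt, PBKDF2 hash) of a revocable secret

    @staticmethod
    def _template_id(template: bytes) -> str:
        # Stand-in for a biometric matcher (assumption): a real system does fuzzy
        # matching on a feature vector; an exact hash of the constructed template suffices here.
        return hashlib.sha256(template).hexdigest()

    def enroll(self, username: str, template: bytes, secret: str) -> None:
        self.user_by_template[self._template_id(template)] = username
        self.set_secret(username, secret)

    def set_secret(self, username: str, secret: str) -> None:
        # The secret is the only factor that can be rotated after a compromise.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.PBKDF2_ROUNDS)
        self.credential[username] = (salt, digest)

    def identify(self, template: bytes):
        # Identity step: which account does this fingerprint claim to be?
        return self.user_by_template.get(self._template_id(template))

    def authenticate(self, username: str, secret: str) -> bool:
        # Authentication step: prove the claim with something that can be changed.
        cred = self.credential.get(username)
        if cred is None:
            return False
        salt, digest = cred
        candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def login(self, template: bytes, secret: str):
        user = self.identify(template)
        if user is None or not self.authenticate(user, secret):
            return None
        return user

    def login_biometric_only(self, template: bytes):
        # The design the thread warns about: the unchangeable template alone grants access.
        return self.identify(template)


def compromise_scenario() -> dict:
    """Leak both factors, then show which one the user can actually recover from."""
    server = AuthServer()
    alice_print = b"constructed-minutiae-vector-alice"   # constructed sample, not a real template
    server.enroll("alice", alice_print, "correct horse battery staple")

    stolen_print, stolen_secret = alice_print, "correct horse battery staple"
    before = server.login(stolen_print, stolen_secret)          # attacker gets in with both

    server.set_secret("alice", "new rotated passphrase")         # user rotates the secret
    after_rotation = server.login(stolen_print, stolen_secret)   # stolen secret no longer works
    user_ok = server.login(alice_print, "new rotated passphrase")

    # Nothing to rotate on the biometric-only path: the stolen print keeps working forever.
    biometric_only = server.login_biometric_only(stolen_print)

    return {
        "attacker_before_rotation": before,
        "attacker_after_rotation": after_rotation,
        "user_after_rotation": user_ok,
        "biometric_only_after_theft": biometric_only,
    }


if __name__ == "__main__":
    for name, result in compromise_scenario().items():
        print(f"{name}: {result}")
```

Run it and the four results read, in order, `alice`, `None`, `alice`, `alice`: the template acts as the username, the secret does the work a password does, and only the second of the two can be replaced once it leaks.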
Current thread:
- SQRL (Re: [SECURITY] Image, word, and password login) Ben Marsden (Dec 06)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Ben Marsden (Dec 06)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Ryan Hiebert (Dec 06)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Mclaughlin, Kevin (mclaugkl) (Dec 06)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Ryan Hiebert (Dec 07)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Clouse, Michael J (Dec 09)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Ben Marsden (Dec 06)