Firewall Wizards mailing list archives

Re: Biometrics (was Re: Username password VS hardware token plus PIN)


From: Vin McLellan <vin () theworld com>
Date: Fri, 15 Apr 2005 22:31:56 -0400


Marcus <mjr () ranum com> highlighted an "important point:"

> [...] against an opponent that is willing to physically attack,
> threaten, or torture you ALL authentication systems
> are worthless. Especially if you assume a level of indirection
> can be added (I.e.: "log me into the system or your child dies.")

Kevin Kadow (and ArkanoiD) pointed out that some authentication systems offered a duress PIN:

> There are relatively simple safeguards that can be added on to
> most systems to address this.  For example, many ATM systems
> (and also the SecurID hardware token product) support what are
> called "duress PINs".  Basically, enter your PIN backwards, and
> the system still grants you access, but also sets off a silent alarm.

I've always been intrigued that duress PINs were, for many years, on everybody's initial check-list for pre-qualifying a 2FA system, but they were seldom actually implemented outside of very high security government systems.

I know that RSA, which made a big deal about the option in the 1980s and early 1990s, basically stopped talking about it. RSA sales folk certainly stopped using it to sell SecurIDs when they realized how few enterprise system managers actually wanted to implement it. It's still in the code, and it could be implemented upon request -- but I suspect the number of actual implementations in recent years is tiny.

I always thought this was because -- as with the finger-risk in biometrics being discussed here -- the cost/benefit ratio was out of whack. IT pros had second thoughts about asking employees to place themselves, or their loved ones, at risk by telling them to bluff someone who was threatening them with actual violence.

Variety store owners may get away with asking 20-year-olds to risk getting cut in half by a shotgun to protect $74 in the cash register -- but can, say, Intel or Fidelity get away with asking a VP to set off an alarm when a bandit has a gun to his head, or the head of his wife? I don't think so.

Better to do what the guy with the gun wants you to do, and let the cops deal with the crime. Isn't that what bank tellers are told? Countermeasures or alarms should be systemic, or buried in the delivery system -- not dependent on the valor or stupidity of some man or woman facing the business end of a pistol.

As I recall, btw, both Intel and Microsoft sell fingerprint readers, but they explicitly qualify the sale with a warning that these are devices suitable only for minimal security home environments, and limited functions like switching between multiple authorized users. I think Microsoft went further and tried, in its code, to block the use of their device for server authentication -- although I know that some Admins have jury-rigged their servers to permit this unauthorized use.

RSA, where I am a consultant, still refuses to support anything beyond a formally-labelled "pilot" application to explore the use of biometrics as a third factor with its SSO app, SOM, or its extranet federation utility, FIM -- although a couple of RSA engineers track developments in the field closely and collaborate with several biometric developers.

Suerte,
           _Vin
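The duress-PIN mechanism Kevin describes above, as an added example that is not from the post or from any ATM or SecurID vendor: a verifier that accepts the reversed PIN but records a silent alarm, refuses palindromic PINs at enrollment (their reversal would be indistinguishable from the normal form), and keeps the user-facing response identical for normal and duress logins. The class, its salted-hash storage and the lockout threshold are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class DuressPinVerifier:
    """Constructed illustration of a 'reversed PIN' duress scheme."""
    MAX_ATTEMPTS = 3

    def __init__(self, pin: str):
        if not pin.isdigit() or len(pin) < 4:
            raise ValueError("PIN must be at least 4 digits")
        if pin == pin[::-1]:
            # A palindromic PIN (e.g. 1221) reads the same backwards, so the
            # duress form could never be told apart; refuse it at enrollment.
            raise ValueError("palindromic PIN cannot carry a duress signal")
        self._salt = secrets.token_bytes(16)
        # Store only salted hashes, so a dump of the verifier reveals neither form.
        self._normal = self._hash(pin)
        self._duress = self._hash(pin[::-1])
        self.failures = 0
        self.alarms = []  # silent-alarm log (would feed a SOC or guard desk)

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def verify(self, entered: str, user: str = "user") -> str:
        """Return 'ok', 'duress', 'denied' or 'locked'.  'duress' grants
        access but appends to self.alarms; nothing is shown to the user."""
        if self.failures >= self.MAX_ATTEMPTS:
            return "locked"
        digest = self._hash(entered)
        # compare_digest is constant-time, so timing does not leak which matched
        if hmac.compare_digest(digest, self._normal):
            self.failures = 0
            return "ok"
        if hmac.compare_digest(digest, self._duress):
            self.failures = 0
            self.alarms.append(f"DURESS: reversed PIN entered by {user}")
            return "duress"
        self.failures += 1
        return "denied"


def user_message(result: str) -> str:
    """What the keypad shows.  'ok' and 'duress' must look identical,
    otherwise the coerced user is exposed to the person holding the gun."""
    if result in ("ok", "duress"):
        return "Access granted"
    return "Access denied" if result == "denied" else "Card retained"
```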


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards