Re: Biometrics (was Re: Username password VS hardware token plus PIN)

[Adam Shostack <adam () homeport org>]

On Thu, Apr 14, 2005 at 09:21:24PM -0400, Marcus J. Ranum wrote:
| Paul D. Robertson wrote:
| >I don't think a wrist is that much more trouble than a finger to a
| >machette
| 
| I know you're just being funny, but this all misses an important
| point: against an opponent that is willing to physically attack,
| threaten, or torture you ALL authentication systems
| are worthless. Especially if you assume a level of indirection
| can be added (I.e.: "log me into the system or your child dies.")
| 
| There's only so good it's worth making these things. My problem
| with biometrics is that they're not even *that* good without a
| heck of a lot of extra mechanisms and tweakage. Biometrics
| are really only good if you, ummm.... sell biometrics.

Generally, that's true, but as a layer in a well thought out system,
they may be helpful.  (Eg, the guard watches you put your head up to
the retina scanner before he lets you in to maintain the shiny
weapons.)

Such systems can resist attacks and physical violence.  They very,
very rarely are worth the money that they cost.

Adam
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards