nanog mailing list archives

Re: User negligence?


From: "Stephen Sprunk" <stephen () sprunk org>
Date: Sun, 27 Jul 2003 22:38:20 -0500


Thus spake "Jamie Reid" <Jamie.Reid () mbs gov on ca>
> All that user end security devices do is put more non-repudiable
> onus on the user, so that when it fails, the service provider is
> protected, and the user is cryptographically guaranteed to be SOL.
> ... and when the database gets compromised, nobody will believe that
> the user isn't responsible, because "The System is Perfect".

I hope this was in jest...  All it will take is one expert witness to show
the system is not perfect and there's hundreds of ways the bank (or even a
smart criminal) could defraud the user.

Biometrics are an excellent example of this. They are a single factor
authentication technology, maybe two factor if there is a PIN,

There are now techniques to copy latent fingerprints off surfaces and
produce counterfeits that have been shown to fool _all_ commercially
available fingerprint gear -- and it costs less than $2 per use.

Biometrics is a failure because there is no shared secret; once a user
submits to a test (either knowingly or not), the validator has all the
information necessary to spoof that person _for the rest of their life_.

S

Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking
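The "no shared secret" point in the message above, shown as an added example that is not part of the thread: a verifier that matches a static credential (a constructed stand-in for a stored biometric template) can be satisfied forever by anyone who has seen one submission, whereas a shared-secret challenge-response with one-shot nonces does not accept a replayed transcript. The class and function names are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets


class StaticCredentialVerifier:
    """Matches a fixed, non-secret value such as a biometric template.
    Constructed simplification: real matchers are fuzzy, but the replay
    property is the same because the submitted value never changes."""

    def __init__(self, template: bytes):
        self.template = template  # the verifier holds all it needs to impersonate

    def check(self, submitted: bytes) -> bool:
        return hmac.compare_digest(submitted, self.template)


class ChallengeResponseVerifier:
    """Shared-secret HMAC over a fresh nonce; each nonce is accepted once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:  # unknown or already-used challenge
            return False
        self.outstanding.discard(nonce)  # burn the nonce so replays fail
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def prover_respond(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_static(template: bytes) -> tuple:
    """Observe one submission, then submit it again: both succeed."""
    verifier = StaticCredentialVerifier(template)
    observed = template  # what an eavesdropper or a compromised database yields
    return verifier.check(observed), verifier.check(observed)


def replay_challenge_response(secret: bytes) -> tuple:
    """Observe one nonce/response pair, then submit it again: second fails."""
    verifier = ChallengeResponseVerifier(secret)
    nonce = verifier.challenge()
    response = prover_respond(secret, nonce)
    return verifier.check(nonce, response), verifier.check(nonce, response)
```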


