nanog mailing list archives

Re: replacing compromised biometric authenticators


From: Wayne Bouchard <web () typo org>
Date: Wed, 11 Oct 2017 19:25:19 -0700

I agree that multiple levels are best and, for the moment, I'd frankly
be hesitant to give anything like finger print data since one can
never change that and the harm of it getting loose can not yet be
determined. (Not that the data being taken by these scanners is
necessarily all that grandiose.)

I also would accept a facility that did something like handscan and
pin to access the lobby/security desk and keycard or fob to move
around once inside along with scan in/scan out enforcement. (No tail
gating.)

I've never really been keen on relying on biometrics though. The
handscanners can be convenient for not having to carry anything around
but when all is said and done, they are really not all that much
better than just a keycard.

-Wayne

On Wed, Oct 11, 2017 at 04:10:51PM -0500, Matt Harris wrote:
I would definitely not say that it is current best practice not to deploy
biometrics.  As part of a holistic approach, biometric systems can improve
security greatly.  As a singular approach, using it as a single factor for
authentication and authorization of access/actions, it's as terrible an
idea as any other.  The difficulty of passing a high-quality biometric
authentication system, even knowing its success conditions, is
non-trivial.  The good ones check for basic signs of life, as well, so
simply cutting off someone's hand and trying to use it would fail, for
example.  There are, of course, cheap biometric systems that are not as
good, and ymmv depending on what and how you deploy biometrics.  Taking the
specific threat level you're up against is always relevant.

All of the facilities I have in production have a three factor approach to
access - "something you know, something you have, and something you are."
 Biometrics being the latter, plus a badge or dongle, and a four digit
code.  None of my production facilities can be accessed without all three.

Take care,
Matt


On Wed, Oct 11, 2017 at 4:04 PM, Ken Chase <math () sizone org> wrote:

(forking the thread here..)

Biometrics are still the new hotness out in North America. Cologix whom I deal
with in Canada has a dozen and a half odd POPs in canada/usa and I think has
fingerprinting at all sites.

If the current best operating practice is to avoid biometrics, why are they
still in use out here? Has anyone gotten the message? Is anyone in North America
ripping them out yet?

Other factors include your country's privacy regulations for storing
irreplaceable personal information, the burden of which might not be worth
the security 'benefit'.

/kc


On Wed, Oct 11, 2017 at 04:46:02PM -0400, William Herrin said:
  >On Wed, Oct 11, 2017 at 4:32 PM, Jörg Kost <jk () ip-clear de> wrote:
  >
  >> Do you guys still at least have biometric access control devices at your
  >> Level3 dc? They even removed these things at our site, because there is no
  >> budget for a successor for the failing unit. And to be consistent, they
  >> even want to remove all biometric access devices at least across Germany.
  >>
  >
  >Hi Jörg,
  >
  >IMO, biometric was a gimmick in the first place and a bad idea when
  >carefully considered. All authenticators can be compromised. Hence, all
  >authenticators must be replaceable following a compromise. If one of your
  >DCs' palm vein databases is lost, what's your plan for replacing that hand?
  >
  >Regards,
  >Bill Herrin
  >
  >
  >--
  >William Herrin ................ herrin () dirtside com  bill () herrin us
  >Dirtside Systems ......... Web: <http://www.dirtside.com/>

--
Ken Chase - math () sizone org Guelph Canada




-- 
Matt Harris - Chief Security Officer
Main: +1 855.696.3834 ext 103
Mobile: +1 908.590.9472
Email: matt () netfire net

---
Wayne Bouchard
web () typo org
Network Dude
http://www.typo.org/~web/
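The access policy the thread converges on (badge plus PIN plus biometric, all three required, with scan-in/scan-out enforcement so nobody tailgates, and every factor except the biometric replaceable after a compromise) is easy to state and easy to get wrong at the door controller. The following is an added example written for this page, not code from any poster or from the Cologix/Level3 facilities mentioned; the person records, badge ids, PINs, template handle strings and the simulated reader verdict are all constructed assumptions. The biometric factor is modelled only as an opaque template handle the reader reports as matched, deliberately leaving out any template matching.

```python
import os
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed example of the three-factor door policy from the thread:
# badge (something you have), PIN (something you know) and biometric
# (something you are) must all pass, and scan-in/scan-out state is tracked
# so a badge cannot enter twice without leaving (anti-passback, no tailgating).
# Every record, name and value below is an assumption made for this example.


def _pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted, stretched hash of the PIN so a leaked database does not expose it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Person:
    name: str
    badge_id: str                  # replaceable: replace_badge() issues a new one
    pin_salt: bytes
    pin_hash: bytes                # replaceable: change_pin() re-salts and re-hashes
    biometric_ref: str             # opaque handle to the enrolled template; no rotate path
    inside: bool = False           # anti-passback state
    revoked_badges: Set[str] = field(default_factory=set)


class AccessControl:
    def __init__(self) -> None:
        self.by_badge: Dict[str, Person] = {}
        self.audit: List[str] = []

    def enroll(self, name: str, badge_id: str, pin: str, biometric_ref: str) -> Person:
        salt = os.urandom(16)
        p = Person(name, badge_id, salt, _pin_hash(pin, salt), biometric_ref)
        self.by_badge[badge_id] = p
        return p

    # --- the two factors that can be replaced after a compromise -----------
    def replace_badge(self, old_badge: str, new_badge: str) -> None:
        p = self.by_badge.pop(old_badge)          # old badge stops working at once
        p.revoked_badges.add(old_badge)
        p.badge_id = new_badge
        self.by_badge[new_badge] = p

    def change_pin(self, badge_id: str, new_pin: str) -> None:
        p = self.by_badge[badge_id]
        p.pin_salt = os.urandom(16)
        p.pin_hash = _pin_hash(new_pin, p.pin_salt)

    # --- the door decision ---------------------------------------------------
    def scan_in(self, badge_id: str, pin: str, scanner_ref: Optional[str]) -> bool:
        """scanner_ref is the template handle the simulated reader reports as
        matched, or None when the reader saw no match."""
        p = self.by_badge.get(badge_id)
        if p is None:
            return self._deny(badge_id, "unknown or revoked badge")
        if not hmac.compare_digest(_pin_hash(pin, p.pin_salt), p.pin_hash):
            return self._deny(badge_id, "bad PIN")
        if scanner_ref is None or scanner_ref != p.biometric_ref:
            return self._deny(badge_id, "biometric mismatch")
        if p.inside:
            return self._deny(badge_id, "anti-passback: already inside")
        p.inside = True
        self.audit.append(f"ALLOW in  {p.name} ({badge_id})")
        return True

    def scan_out(self, badge_id: str) -> bool:
        p = self.by_badge.get(badge_id)
        if p is None or not p.inside:
            return self._deny(badge_id, "anti-passback: not inside")
        p.inside = False
        self.audit.append(f"ALLOW out {p.name} ({badge_id})")
        return True

    def _deny(self, badge_id: str, reason: str) -> bool:
        self.audit.append(f"DENY {badge_id}: {reason}")
        return False


def demo() -> List[str]:
    """Runs a short constructed scenario and returns the audit trail."""
    ac = AccessControl()
    ac.enroll("alice", "BADGE-0001", "4821", "tmpl-alice")
    assert ac.scan_in("BADGE-0001", "4821", None) is False          # badge + PIN only: denied
    assert ac.scan_in("BADGE-0001", "4821", "tmpl-alice") is True
    assert ac.scan_in("BADGE-0001", "4821", "tmpl-alice") is False  # re-entry without scan-out
    assert ac.scan_out("BADGE-0001") is True
    ac.replace_badge("BADGE-0001", "BADGE-0002")                    # lost badge replaced
    assert ac.scan_in("BADGE-0001", "4821", "tmpl-alice") is False  # old badge is dead
    assert ac.scan_in("BADGE-0002", "4821", "tmpl-alice") is True
    return ac.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The asymmetry in the class is the point of the thread: `replace_badge` and `change_pin` exist, while nothing can rotate `biometric_ref`, so the only recovery from a leaked template database is to stop treating that factor as secret and lean on the other two plus the scan-out discipline.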

