WebApp Sec mailing list archives
RE: Two-Factor Authentication on the Web
From: <Glenn.Everhart () chase com>
Date: Mon, 3 Jul 2006 08:43:48 -0400
A biometric in practice is NOT your DNA, fingerprint, etc., but some data representation of something like this, the way it gets used in computers. That can be tied to an individual PROVIDED someone is making very very sure that individual generates the signal that goes into the representation, and PROVIDED nothing is interfering with the translation. People leave their fingerprints and DNA all over the place, so that obtaining a fake input for a sensor is relatively easy. Also, how often do people using fingerprints actually watch those entering them, or better yet inspect their fingers? (Play-Doh fake fingerprints might show, but transparent ones made of gel?) Worst thing about biometrics is they must be guarded so that fakes cannot be gathered for ~100 years. I do not relish the prospect of needing to wear gloves the rest of my life, and have no idea how anyone could prevent collection of his DNA.

A signature is actually a better biometric in that it requires conscious effort to produce, and a copied one can sometimes be identified by pointing out it is identical to the original. Trouble is that it does not lend itself to electronic testing. I would suggest though that anything that is to be used as a "signature" should require conscious activity by the subject, which should make it harder for others or their mechanized agents to "authenticate" as someone without the someone's knowing.

Glenn Everhart

-----Original Message-----
From: Gaydosh, Adam [mailto:GaydoshA () ctc com]
Sent: Sunday, July 02, 2006 6:10 PM
To: Webappsec Mail List
Subject: RE: Two-Factor Authentication on the Web
"But even when biometric authentication "works", it still does not prove my _identity_, it just proves that I am who *I said* I am, which is another thing entirely;"

Umm... I don't follow. How could your DNA (I would waver on this one since I heard somewhere that twins could have the same DNA), fingerprint, retinal scan, etc., not be unique to you and only you?
I think the idea is that the concept of 'identity' which we are attempting to authenticate is not an inherent characteristic of our bodies, but something that has been officially associated with a given biometric by the issuing authority, e.g. my SSN, Account Name, etc., are not in my DNA.