WebApp Sec mailing list archives

Re: Two-Factor Authentication on the Web


From: Andrew van der Stock <vanderaj () greebo net>
Date: Mon, 3 Jul 2006 23:59:44 +1000

My main concerns with biometric devices are:

they are extremely dangerous to clients for value transactions. People have already lost fingers to them (reference: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm ). Therefore, they are completely unsuitable for high value transactions, as the danger to the client exceeds the value of the item being protected.

the lack of backup credentials when a credential has to be repudiated (say your index finger has been copied using a gel copy; you have to re-enrol another finger. What happens if someone works out how to fake your face for a facial recognition device, such as using a photo of you? You have NO backup faces to enrol).

the relative expense of "good" (i.e. better than cereal toy decoder ring) biometric devices wastes valuable security investment when you can buy, say, 40 transaction signing calculators for the cost of a single relatively secure biometric device. If I had a million customers to enrol (and many of us work for places that have more customers than this...), I'd rather spend 1/40th the money and get more trustworthy security, thanks.

Others have made the point that unless you strictly control the device and monitor enrolment, such as the US customs enrolment at airports, there is no safe way to remotely enrol and trust biometric authentication, particularly if the devices are trivially spoofable. And to date, they are trivially spoofable, most particularly the cheapest devices costing about 1.5-4 times the price of a trx signing calculator.

Lastly, biometrics are only viable when the false accept rate within your user population does not exceed tolerable levels. When you have a million customers, no biometric device today has the necessary false accept rate. Such a user base with the best devices has a few users who will authenticate as someone else, and if that were Joe Bloggs logging on to his fingerprint reader and getting unauthorized access to a high value customer like Bill Gates, I'm sure the lawyers would have a feeding frenzy. Heads would roll, in a different sense to my first point.

thanks,
Andrew
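A back-of-the-envelope calculation of the last point above, added here as an example and not part of the original post: it assumes a 1:N identification system whose per-comparison false accept rate (FAR) is independent across comparisons (a simplification), and shows how many cross-matches a user base of a given size produces, what FAR a million-user base would need to stay below one expected cross-match, and how 1:1 verification against a claimed identity compares. The FAR values and population sizes used are constructed for illustration.

```python
# Model assumption (not from the post): a 1:N identification system
# compares a presented sample against every enrolled template, and each
# comparison falsely accepts with probability FAR independently of the
# others. Real matchers are correlated, so read the results as
# order-of-magnitude estimates.

def expected_cross_matches(population: int, far: float) -> float:
    """Expected number of (user, other user) pairs in which the first
    user's sample would be accepted as the second user's identity."""
    if population < 2:
        return 0.0
    return population * (population - 1) * far

def p_user_impersonates_someone(population: int, far: float) -> float:
    """Probability that one legitimate user's sample matches at least one
    other user's template (the Joe-Bloggs-logs-in-as-Bill-Gates case)."""
    if population < 2:
        return 0.0
    return 1.0 - (1.0 - far) ** (population - 1)

def far_required(population: int, max_expected_cross_matches: float = 1.0) -> float:
    """Per-comparison FAR the matcher would need so that the whole user
    base produces at most max_expected_cross_matches expected cross-matches."""
    if population < 2:
        return 1.0
    return max_expected_cross_matches / (population * (population - 1))

def p_verification_breach(far: float, attempts: int) -> float:
    """Contrast with 1:1 verification: an impostor who claims a single
    identity and is allowed 'attempts' tries succeeds with this probability,
    independent of how many users are enrolled."""
    return 1.0 - (1.0 - far) ** attempts

if __name__ == "__main__":
    far = 1e-4  # constructed FAR figure for illustration
    for n in (1_000, 100_000, 1_000_000):
        print(f"N={n:>9}: expected cross-matches={expected_cross_matches(n, far):,.1f}, "
              f"P(a user matches someone else)={p_user_impersonates_someone(n, far):.3f}, "
              f"FAR needed for <=1 cross-match={far_required(n):.2e}")
    print(f"1:1 verification, 5 tries at FAR {far:.0e}: "
          f"P(breach)={p_verification_breach(far, 5):.2e}")
```

The same FAR that is harmless for 1:1 verification with a lockout policy produces enormous cross-match counts once the matcher has to pick a user out of a million, which is why the population size, not just the vendor's quoted FAR, decides whether identification-mode biometrics are acceptable.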
