From owner-freebsd-security  Wed Jun 19  7:58:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 530B737B401
	for <freebsd-security@FreeBSD.ORG>; Wed, 19 Jun 2002 07:58:46 -0700 (PDT)
Received: by flood.ping.uio.no (Postfix, from userid 2602)
	id 55F185361; Wed, 19 Jun 2002 16:58:44 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: Michael Sierchio <kudzu@tenebras.com>
Cc: Eric F Crist <ecrist@adtechintegrated.com>,
	'Ryan Thompson' <ryan@sasknow.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Password security
References: <000c01c2174c$5a38f230$77fe180c@armageddon>
	<xzpr8j3ipbp.fsf@flood.ping.uio.no> <3D109329.8050007@tenebras.com>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 19 Jun 2002 16:58:43 +0200
In-Reply-To: <3D109329.8050007@tenebras.com>
Message-ID: <xzp4rfziacc.fsf@flood.ping.uio.no>
Lines: 30
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Michael Sierchio <kudzu@tenebras.com> writes:
> Dag-Erling Smorgrav wrote:
> > 1) Biometrics can't be used reliably for remote access.
> There are zero-knowledge protocols for secure remote use of
> biometric data.

Most fingerprint scanners don't even encrypt the data they send to the
computer they're connected to.

> > 2) I don't know of any currently available biometric authentication
> >    device that can't be easily fooled.
> Somewhat misleading -- any biometric method of identification
> has false positives and false negatives.  For software engineers,
> this seems unacceptable, since we're used to boolean values
> for Truth.

When "false positives" includes reliably identifying a laptop showing
an AVI of a talking person (for one facial recognition system I know
of) or a plastic bag filled with warm water (for one fingerprint
scanner I know of) as the rightful user, they fall under my definition
of "useless".  I know of two independent studies in which all the
biometric devices tested (about a dozen in each study, with some
overlap) were fooled with very simple means.

The only biometric authentication system I trust (to some degree,
anyway) is the human brain.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message