Date: 19 Jun 2002 18:19:54 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: "Eric F Crist" <ecrist@adtechintegrated.com>
Cc: "'Michael Sierchio'" <kudzu@tenebras.com>, "'Ryan Thompson'" <ryan@sasknow.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Password security
Message-ID: <xzplm9bgs0l.fsf@flood.ping.uio.no>
In-Reply-To: <002201c217a9$1daf1300$77fe180c@armageddon>
References: <002201c217a9$1daf1300$77fe180c@armageddon>

"Eric F Crist" <ecrist@adtechintegrated.com> writes:
> Of course the technology is not perfect.  Things such as cuts on your
> finger and blood-shot eyes can still fool these systems, but password
> technology has its faults too.

These are false negatives, which are annoying but tolerable. I'm more worried about false positives, and from what I can see they're far too easy to provoke.

> Biometrics, on the other hand, requires a little more work.  If you
> couple basic username/password token systems, a hardware or address
> token, such as I-button/smart card and IP address, with either a retinal
> scanner or palm print, or finger print, or voice recognition, there
> becomes a greater amount of homework to be done to break into the
> system.

Not when the biometric device is so easy to fool that it becomes practically irrelevant. Then the "passwords & fingerprints" scheme is reduced to just "passwords & warm fuzzy feelings".

It has been shown empirically that "state of the art" biometric devices can be fooled by any amateur with a little ingenuity and less than $50 in supplies.

Some fingerprint scanners are so bad they can be tricked into scanning and accepting the latent print left on their surface from the previous time they were used. Others will accept an image of a fingerprint lifted from, say, your coffee mug. Yet others are vulnerable to trivial replay attacks. All of them are vulnerable to fake fingers (made of silicone or agar-agar) whose "fingerprint" can be reconstructed from a mold, or from a latent fingerprint (coffee mug again) made three-dimensional with a hobby PCB etching kit.

Facial recognition systems have been tricked by photographs (or video clips for those with "live subject" safeguards) of the subject.

Iris recognition systems have been tricked with printouts of an image of the subject's iris, with a hole cut in the middle for the attacker to see through.

The fact that vendors have reacted by either denying the results or just refusing to discuss them does not increase my faith in the biometrics industry. I will not trust any biometric device until vendors start openly acknowledging and discussing possible attacks, and publishing the methods they use to resist them.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message