RE: CDSA-biometrics

From: Marc Sherman (mshermanat_private)
Date: Wed Jun 27 2001 - 06:19:05 PDT

    > -----Original Message-----
    > From: KuroiNeko [mailto:evpopkovat_private]
    >  Don't expect biometrics to be all-it-takes. A real-life example. A bank
    > had a dactyloscopic scanner to authenticate users of rented private vault
    > cells. A woman came to rent a cell, but they simply could not establish an
    > account for her because she was a typist and her fingertips were so soft
    > and papillary pattern was so blurry (very thin skin) that scanner simply
    > could not identify her.
    
    An authentication policy of "finger print OR <some other biometric>" would
    solve this. For example, if the woman above could not enroll for the finger
    print device but she successfully enrolled for the facial recognition
    device, she could then satisfy an OR policy of "finger print OR face".
    
    >  Also, marketoids of biometric systems tend not to tell you one really
    > important thing: you should not assume that a part of human body used for
    > auth will always remain and always be the same. A person can lose a finger
    > in a disaster, ditto an eye.
    
    Yes, these things can happen. But forgetting your password happens a *lot*
    more frequently. Forgetting your smart card at home probably also occurs
    more frequently than losing a body part.
    
    > Skin tends to change fast, especially
    > fingertips, voices change, even adults' voices.
    
    I agree that the biometric enrollment would not last forever. But how often
    does a security policy dictate that you change your password? Every month, 3
    months, 6 months? Your biometric enrollment would certainly last longer than
    this. What about losing your smart card or your token?
    
    >  Provided that biometric scanners and recognition software still cost a
    > fortune,
    
    How much is a fortune? I've seen good fingerprint scanners that cost under
    US $200. Voice recognition is cheap because a microphone is often included
    in an average computer purchase. Some laptops come with built-in cameras
    that can be used for facial recognition.
    
    > and they still have to be backed up by traditional auth methods,
    
    Well, only some do. And those that do still require a password usually allow
    the biometric software to generate a long (sometimes very, very long) random
    password. This way, the user has no idea what their password is, which means
    they can't forget it.
    
    > real advantage of biometrics is still questionable.
    
    Not true. Studies have been done on the cost of "forgotten passwords" and
    having to reset them. Removing the burden from the user of having to
    remember a password certainly benefits companies by reducing this cost.
    Also, users no longer have to worry about leaving their smart cards at home.
    
    
    They also raise the bar. If your current authentication policy is "hardware
    token", which is strong, a policy of "hardware token AND finger print" is
    stronger in that it couples something you have with something you are.
    
    Marc
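
An added example, not part of the original message or of CDSA: a small evaluator for the AND/OR authentication policies discussed above, applied to a user whose fingerprint enrollment failed. The factor names (`fingerprint`, `face`, `token`), the parenthesised policy syntax and the function names are assumptions made for illustration; the nested policy goes beyond the two policies named in the message.

```python
import re

TYPIST = {"token", "face"}  # constructed sample: fingerprint enrollment failed

def parse(policy):
    """Parse 'token AND (fingerprint OR face)' into nested tuples; AND binds tighter."""
    if re.search(r"[^\w\s()]", policy):
        raise ValueError("unexpected character in policy")
    tokens = re.findall(r"[()]|\w+", policy)
    pos = 0
    def take():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        pos += 1
        return tok
    def atom():
        tok = take()
        if tok == "(":
            node = either()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"expected a factor name, got {tok!r}")
        return tok.lower()
    def chain(op, operand):
        node = operand()
        while tokens[pos:pos + 1] == [op]:
            take()
            node = (op, node, operand())
        return node
    def either():
        return chain("OR", lambda: chain("AND", atom))
    tree = either()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree

def satisfied(tree, factors):
    """True if the given set of factor names meets the policy tree."""
    if isinstance(tree, str):
        return tree in factors
    op, left, right = tree
    results = satisfied(left, factors), satisfied(right, factors)
    return all(results) if op == "AND" else any(results)

def can_log_in(policy, enrolled, verified):
    """Only factors that are both enrolled and verified in this session count."""
    return satisfied(parse(policy), set(enrolled) & set(verified))
```

Running `satisfied(parse(policy), enrolled)` at enrollment time shows whether a user can ever meet a policy, which catches a lockout such as "token AND fingerprint" for this user before the account is issued.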
    
    



    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 09:21:47 PDT