Spoofing fingerprint scanners - NEWBIE()

General Computer Security thread, started by shamilton72 on 05-01-2006
Posted by Sebastian Gottschalk on May 1, 2006, 4:37 pm
Juergen Nieveler wrote:

>> But "eye" is a good keyword. Iris scanning actually fulfills the
>> "something you are" factor mantra.
>
> ....but at least some implementations are easily fooled by a colour
> printout of an iris :-)

It should be pretty hard to get a sufficiently high-quality scan of the
retina in everyday life.

Posted by Juergen Nieveler on May 2, 2006, 3:27 pm

> It should be pretty hard to get a sufficiently high-quality scan of the
> retina in everyday life.

All it takes is a camera with a telephoto lens, actually :-)


Juergen Nieveler
--
If God is watching us, the least we can do is be entertaining.

Posted by Sebastian Gottschalk on May 2, 2006, 3:47 pm
Juergen Nieveler wrote:
>
>> It should be pretty hard to get a sufficiently high-quality scan of the
>> retina in everyday life.
>
> All it takes is a camera with a telephoto lens, actually :-)

Are there actually such lousy implementations out there that allow such
a low-quality input to be successfully authenticated?

Posted by Juergen Nieveler on May 2, 2006, 4:14 pm

> Are there actually such lousy implementations out there that allow such
> a low-quality input to be successfully authenticated?

Yes. C't once published a test (IIRC last year) where they fooled
workstation-based iris scanners with a printout made on a common inkjet
printer. The printout wasn't even eye-sized, but 3 inches across :-)

Juergen Nieveler
--
You're *such* a mac person.

Posted by Anne & Lynn Wheeler on May 1, 2006, 3:25 pm
> Not actually. It's neither a reliable nor an efficient improvement over one
> factor authentication and clearly doesn't reach two factor ~. Especially
> due to error rates.
>
> But "eye" is a good keyword. Iris scanning actually fulfills the
> "something you are" factor mantra.

some number of atm operators have been looking at both fingerprint
scanning and iris scanning, in place of PIN for two-factor
authentication.

from three-factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

PIN is a shared-secret "something you know" in conjunction with the
card "something you have".
http://www.garlic.com/~lynn/subpubkey.html#secret

the issue is that the shared-secret "something you know" paradigm has been
grossly overworked ... as a result there are some statistics that at
least 1/3rd of debit cards have PINs written on them. there is an
assumption with multi-factor authentication regarding whether the factors
are subject to independent vulnerabilities and exploits. obviously
writing the PIN on the card defeats any assumptions about multi-factor
independent vulnerability related to a lost/stolen card.

the argument for allowing a user to choose fingerprint ("something you
are") in lieu of PIN ("something you know") authentication ... is
whether it is easier for a crook with a lost/stolen card to "lift" a PIN
written on the card and replay the PIN at a terminal ... vis-a-vis
"lifting" some possible fingerprint on the card and replaying the
fingerprint at a terminal (even allowing a customer to choose a finger
that is least likely to have been used in handling their card).

misc. past posts mentioning fingerprint vulnerability vis-a-vis
debit cards that have PIN written on them:
http://www.garlic.com/~lynn/99.html#165 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#167 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#172 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/aadsm10.htm#biometrics biometrics
http://www.garlic.com/~lynn/aadsm10.htm#bio2 biometrics
http://www.garlic.com/~lynn/aadsm10.htm#bio3 biometrics (addenda)
http://www.garlic.com/~lynn/aadsm10.htm#bio6 biometrics
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm19.htm#5 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm19.htm#47 the limits of crypto and authentication
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/2002g.html#72 Biometrics not yet good enough?
http://www.garlic.com/~lynn/2002h.html#6 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#8 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#41 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002o.html#62 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#63 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#64 smartcard+fingerprint
http://www.garlic.com/~lynn/2002o.html#65 smartcard+fingerprint
http://www.garlic.com/~lynn/2002o.html#67 smartcard+fingerprint
http://www.garlic.com/~lynn/2003o.html#44 Biometrics
http://www.garlic.com/~lynn/2005g.html#54 Security via hardware?
http://www.garlic.com/~lynn/2005i.html#22 technical question about fingerprint usbkey
http://www.garlic.com/~lynn/2005i.html#25 technical question about fingerprint usbkey
http://www.garlic.com/~lynn/2005m.html#37 public key authentication
http://www.garlic.com/~lynn/2005o.html#1 The Chinese MD5 attack
http://www.garlic.com/~lynn/2005p.html#2 Innovative password security
http://www.garlic.com/~lynn/2005p.html#25 Hi-tech no panacea for ID theft woes
http://www.garlic.com/~lynn/2006d.html#31 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense

other past posts about skimming exploits of magstripe plus PIN (or any
other relatively static authentication data that can be subject to
replay attack) ... also invalidating any assumptions about
multi-factor authentication independent vulnerabilities/exploits/threats
http://www.garlic.com/~lynn/aadsm17.htm#13 A combined EMV and ID card
http://www.garlic.com/~lynn/aadsm17.htm#25 Single Identity. Was: PKI International Consortium
http://www.garlic.com/~lynn/aadsm17.htm#42 Article on passwords in Wired News
http://www.garlic.com/~lynn/aadsm18.htm#20 RPOW - Reusable Proofs of Work
http://www.garlic.com/~lynn/aadsm19.htm#5 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm22.htm#33 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm22.htm#34 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#39 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#45 Court rules email addresses are not signatures, and signs death warrant for Digital Signatures
http://www.garlic.com/~lynn/aadsm22.htm#47 Court rules email addresses are not signatures, and signs death warrant for Digital Signatures
http://www.garlic.com/~lynn/aadsm23.htm#2 News and Views - Mozo, Elliptics, eBay + fraud, naïve use of TLS and/or tokens
http://www.garlic.com/~lynn/2003o.html#37 Security of Oyster Cards
http://www.garlic.com/~lynn/2004g.html#45 command line switches [Re: [REALLY OT!] Overuse of symbolic constants]
http://www.garlic.com/~lynn/2004j.html#12 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#13 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#14 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#35 A quote from Crypto-Gram
http://www.garlic.com/~lynn/2004j.html#39 Methods of payment
http://www.garlic.com/~lynn/2004j.html#44 Methods of payment
http://www.garlic.com/~lynn/2005o.html#17 Smart Cards?
http://www.garlic.com/~lynn/2005p.html#2 Innovative password security
http://www.garlic.com/~lynn/2005p.html#25 Hi-tech no panacea for ID theft woes
http://www.garlic.com/~lynn/2005q.html#11 Securing Private Key
http://www.garlic.com/~lynn/2005t.html#28 RSA SecurID product
http://www.garlic.com/~lynn/2005u.html#13 AMD to leave x86 behind?
http://www.garlic.com/~lynn/2006d.html#31 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006d.html#41 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#3 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#4 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#10 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#24 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense
http://www.garlic.com/~lynn/2006g.html#38 Why are smart cards so dumb?
http://www.garlic.com/~lynn/2006h.html#13 Security
http://www.garlic.com/~lynn/2006h.html#15 Security
http://www.garlic.com/~lynn/2006h.html#33 The Pankian Metaphor

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
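The distinction Lynn draws above, between static authentication data (a skimmed PIN) that a terminal will accept again on replay and a factor bound to a fresh challenge that it will not, as an added Python model; this is not code from the thread or from the garlic.com pages, and the issuer host, the per-card key and the sample PAN/PIN are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the thread): card number plus static PIN.
PAN = "4000000000000002"
PIN = "1234"

class IssuerHost:
    """Hypothetical issuer host that can verify a card either way."""
    def __init__(self):
        self.pins = {PAN: PIN}
        self.keys = {PAN: secrets.token_bytes(32)}  # key shared only with the chip
        self.outstanding = set()  # challenges issued but not yet consumed

    # Static data: whatever a skimmer captured is enough to authenticate again.
    def verify_pin(self, pan, pin):
        return hmac.compare_digest(self.pins.get(pan, ""), pin)

    # Challenge-response: every authentication is bound to a fresh nonce.
    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify_response(self, pan, nonce, mac):
        if nonce not in self.outstanding:
            return False  # never issued, or already used: a replay
        self.outstanding.discard(nonce)  # single use
        expected = hmac.new(self.keys[pan], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)

def card_respond(key, nonce):
    """What the chip computes; the key itself never crosses the wire."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def replay_static_pin():
    """Capture (PAN, PIN) from one transaction and present it again."""
    host = IssuerHost()
    captured = (PAN, PIN)
    first = host.verify_pin(*captured)  # legitimate transaction: True
    return first and host.verify_pin(*captured)  # replay also accepted: True

def replay_challenge_response():
    """Capture (PAN, nonce, response) from one transaction and present it again."""
    host = IssuerHost()
    nonce = host.challenge()
    captured = (PAN, nonce, card_respond(host.keys[PAN], nonce))
    first = host.verify_response(*captured)  # legitimate transaction: True
    return first and host.verify_response(*captured)  # replay rejected: False
```

A fresh `challenge()` would let the same card authenticate again, so the rejection is of the captured transcript, not of the card.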
