On 2006-06-28 Dan Shoop wrote:
> At 12:30 AM +0200 6/28/06, Ansgar -59cobalt- Wiechers wrote:
>> On 2006-06-27 Dan Shoop wrote:
>>> Or use some biometric as the "password" data.
>>
>> I usually recommend against using biometrics for authentication
>> purposes for two reasons:
>>
>> 1) FAR/FRR tradeoff
>> It's not possible to eliminate false rejects without dramatically
>> increasing false accepts (which would be a security risk).
>> 2) Compromised tokens
>> How do you handle situations where biometric tokens get
>> compromised (like an attacker manages to fake an employee's
>> fingerprint)? Remove the finger? You have only a very limited
>> amount of biometric tokens to choose from.
>
> A "biometric token" is something like my iris or my thumb. If it's
> compromised then that means someone else has my iris or thumb.

No. It just means that someone else has a copy of it.

> That means it no longer is mine

Non sequitur.

> and is no longer a token I can use so just like another token it
> needs replaced.

True. However, the problem with replacing biometric tokens is that you
have very few to choose from.

> As for spoofing or false-positive issues this isn't the fault of the
> token but the authenticator. The token (e.g. my iris) is quite good
> enough already.

Of course FAR/FRR is an issue of the authenticator, but that doesn't
make the tradeoff between them go away.

As for the quality of tokens: they all have issues of their own. Some
(e.g. fingerprints) are easy to copy because everyone leaves them
everywhere, others (e.g. retina) aren't too easy to read out, but may
thus not be accepted too well by the users.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
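
The FAR/FRR tradeoff discussed in the message above, as an added example that is not part of the original thread: a threshold sweep over match scores shows that the setting which rejects no genuine user also accepts a quarter of the impostor attempts. The scores and the "accept when score >= threshold" matcher are constructed assumptions, not data from any real biometric system.

```python
# Constructed similarity scores (0..100) from a hypothetical matcher.
# GENUINE: the enrolled user presenting their own finger/iris.
# IMPOSTOR: other people presenting theirs against the same template.
GENUINE = [91, 88, 95, 79, 84, 67, 93, 72, 86, 58, 90, 81]
IMPOSTOR = [22, 35, 41, 18, 55, 63, 29, 47, 70, 38, 51, 33, 26, 60, 44, 74]


def rates(threshold):
    """Return (FAR, FRR) for a matcher that accepts when score >= threshold."""
    far = sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)
    frr = sum(s < threshold for s in GENUINE) / len(GENUINE)
    return far, frr


def sweep(thresholds):
    """Return [(threshold, FAR, FRR), ...] for each threshold given."""
    return [(t,) + rates(t) for t in thresholds]


def zero_frr_threshold():
    """Highest threshold that still accepts every genuine attempt."""
    return min(GENUINE)


def zero_far_threshold():
    """Lowest threshold that rejects every impostor attempt."""
    return max(IMPOSTOR) + 1


if __name__ == "__main__":
    print("threshold   FAR     FRR")
    for t, far, frr in sweep(range(50, 81, 5)):
        print(f"{t:9d}  {far:5.3f}  {frr:5.3f}")
    t = zero_frr_threshold()
    print("no false rejects at threshold", t, "-> FAR", rates(t)[0])
    t = zero_far_threshold()
    print("no false accepts at threshold", t, "-> FRR", rates(t)[1])
```

Because the genuine and impostor score ranges overlap, no threshold drives both rates to zero; moving it only trades one error for the other.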