Marcus J. Ranum wrote:
> Paul D. Robertson wrote:
>>I don't think a wrist is that much more trouble than a finger to a

> I know you're just being funny, but this all misses an important
> point: against an opponent that is willing to physically attack,
> threaten, or torture you ALL authentication systems
> are worthless. Especially if you assume a level of indirection
> can be added (I.e.: "log me into the system or your child dies.")
> There's only so good it's worth making these things. My problem
> with biometrics is that they're not even *that* good without a
> heck of a lot of extra mechanisms and tweakage. Biometrics
> are really only good if you, ummm.... sell biometrics.
> mjr.

I'm probably baying at the moon here, as well as underestimating the
difficulty of it all, but I have yet to hear anyone talk about voice
recognition systems with a randomized set of cues - repeat these six
words from the screen, please (out of say, 250/100/whatever that you've
pre-recorded) - along with perhaps a voice stress analyzer component
that would help detect coercion. I think this would prove most useful,
and most likely to keep the victim unharmed. It wouldn't necessarily do
a lot to prevent indirect threats, although I suppose for bank managers
and the like a protocol could be developed (first team goes to the home
and asks to see the family, then the second team visits the bank, or
something like that.)

firewall-wizards mailing list