Fingerprint scans, as I've seen implemented, represent significantly
less entropy that the 14 character "complex" password. The grids are
pretty coarse.

Biometrics are maybe a good replacement for PINs, used to authenticate a
two-factor item, like a smartcard or time-based number token. In fact I
wish this were available! They're crap for password replacement. =20

There is a certain vendor selling fingerprint readers for Windows domain
logon. They are "stashing" a tough password behind a low-entropy
fingerprint. Business is good, because... "Hey! Biometrics!" =20

Microsoft - to their credit - is marketing a fingerprint reader only as
a store for low-grade, website passwords and IM logins.



> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com

[mailto:firewall-wizards-
> admin@honor.icsalabs.com] On Behalf Of Marcus J. Ranum
> Sent: Thursday, April 14, 2005 6:21 PM
> To: Paul D. Robertson; Michael J. Tubby B.Sc. (Hons)
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: Biometrics (was Re: [fw-wiz] Username password VS

hardware
> token plus PIN)
>=20
> Paul D. Robertson wrote:
> >I don't think a wrist is that much more trouble than a finger to a
> >machette

>=20
> I know you're just being funny, but this all misses an important
> point: against an opponent that is willing to physically attack,
> threaten, or torture you ALL authentication systems
> are worthless. Especially if you assume a level of indirection
> can be added (I.e.: "log me into the system or your child dies.")
>=20
> There's only so good it's worth making these things. My problem
> with biometrics is that they're not even *that* good without a
> heck of a lot of extra mechanisms and tweakage. Biometrics
> are really only good if you, ummm.... sell biometrics.
>=20
> mjr.
>=20
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/li...rewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards