Fingerprint scans, as I've seen implemented, represent significantly
less entropy that the 14 character "complex" password. The grids are
pretty coarse.

Biometrics are maybe a good replacement for PINs, used to authenticate a
two-factor item, like a smartcard or time-based number token. In fact I
wish this were available! They're crap for password replacement. =20

There is a certain vendor selling fingerprint readers for Windows domain
logon. They are "stashing" a tough password behind a low-entropy
fingerprint. Business is good, because... "Hey! Biometrics!" =20

Microsoft - to their credit - is marketing a fingerprint reader only as
a store for low-grade, website passwords and IM logins.

> -----Original Message-----
> From:

>] On Behalf Of Marcus J. Ranum
> Sent: Thursday, April 14, 2005 6:21 PM
> To: Paul D. Robertson; Michael J. Tubby B.Sc. (Hons)
> Cc:
> Subject: Re: Biometrics (was Re: [fw-wiz] Username password VS

> token plus PIN)
> Paul D. Robertson wrote:
> >I don't think a wrist is that much more trouble than a finger to a
> >machette

> I know you're just being funny, but this all misses an important
> point: against an opponent that is willing to physically attack,
> threaten, or torture you ALL authentication systems
> are worthless. Especially if you assume a level of indirection
> can be added (I.e.: "log me into the system or your child dies.")
> There's only so good it's worth making these things. My problem
> with biometrics is that they're not even *that* good without a
> heck of a lot of extra mechanisms and tweakage. Biometrics
> are really only good if you, ummm.... sell biometrics.
> mjr.
> _______________________________________________
> firewall-wizards mailing list

firewall-wizards mailing list