Marcus highlighted an "important point:"

> > [...] against an opponent that is willing to physically attack,
> > threaten, or torture you ALL authentication systems
> > are worthless. Especially if you assume a level of indirection
> > can be added (I.e.: "log me into the system or your child dies.")

Kevin Kadow (and ArkanoiD) pointed out that some authentication systems offered
a duress PIN:

>There are relatively simple safeguards that can be added on to
>most systems to address this. For example, many ATM systems
>(and also the SecurID hardware token product) support what are
>called "duress PINs". Basically, enter your PIN backwards, and
>the system still grants you access, but also sets off a silent alarm.

I've always been intrigued that duress PINs were, for many years, on
everybody's initial check-list for pre-qualifying a 2FA system, but they
were seldom actually implemented outside of very high security government

I know that RSA, which made a big deal about the option in the 1980s and
early 1990s, basically stopped talking about it. RSA sales folk certainly
stopped using it to sell SecurIDs when they realized how few enterprise
system managers actually wanted to implement it. It's still in the code,
and it could be implemented upon request -- but I suspect the number of
actual implementations in recent years is tiny.

I always thought this was because -- as with the finger-risk in biometrics
being discussed here -- the cost/benefit ratio was out of whack. IT pros
had second-thoughts about asking employees to place themselves, or their
loved ones, at risk by telling them to bluff someone who was threatening
them with actual violence.

Variety store owners may get away with asking 20-year-olds to risk getting
cut in half by a shotgun to protect $74 in the cash register -- but can,
say, Intel or Fidelity get away with asking a VP to set off an alarm when a
bandit has a gun to his head, or the head of his wife? I don't think so.

Better to do what the guy with the gun wants you to do, and let the cops
deal with the crime. Isn't that what bank tellers are
told? Countermeasures or alarms should be systemic, or buried in the
delivery system -- not dependent on the valor or stupidity of some man or
woman facing the business end of a pistol.

As I recall, btw, both Intel and Microsoft sell fingerprint readers, but
they explicitly qualify the sale with a warning that these are devices
suitable only for minimal security home environments, and limited functions
like switching between multiple authorized users. I think Microsoft went
further and tried, in its code, to block the use of their device for server
authentication -- although I know that some Admins have jury-rigged their
servers to permit this unauthorized use.

RSA, where I am a consultant, still refuses to support anything beyond a
formally-labelled "pilot" application to explore the use of biometrics as a
third factor with its SSO app, SOM, or its extranet federation utility, FIM
-- although a couple of RSA engineers track developments in the field closely
and collaborate with several biometric developers.


firewall-wizards mailing list
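The "PIN backwards" duress scheme quoted above, as an added illustration that is not code from the thread, RSA, or any ATM vendor. It shows the two properties a verifier for that scheme needs: the reply sent to the terminal is identical whether the normal or the reversed PIN was entered (the alarm goes only to a back-end channel), and palindromic PINs are refused at enrollment because they read the same backwards and so cannot carry a duress signal. The `DuressPinVerifier` class and its in-memory alarm list are assumptions for the example.

```python
import hashlib
import hmac
import os


def _digest(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored PIN material is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class DuressPinVerifier:
    """Constructed example of a 'reverse PIN' duress verifier (not vendor code)."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes, bytes]] = {}
        # Stand-in for the silent-alarm channel; never reaches the terminal.
        self.alarms: list[str] = []

    def enroll(self, user: str, pin: str) -> None:
        if not pin.isdigit() or len(pin) < 4:
            raise ValueError("PIN must be at least 4 digits")
        if pin == pin[::-1]:
            # Edge case: a palindromic PIN is its own reverse, so the holder
            # would have no way to signal duress. Refuse it up front.
            raise ValueError("palindromic PIN cannot encode a duress signal")
        salt = os.urandom(16)
        self._records[user] = (
            salt,
            _digest(pin, salt),          # normal PIN
            _digest(pin[::-1], salt),    # duress (reversed) PIN
        )

    def verify(self, user: str, pin: str) -> bool:
        """Return only what the terminal may learn: access granted or not."""
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, normal, reverse = rec
        d = _digest(pin, salt)
        # Evaluate both comparisons every time so timing does not leak
        # which of the two PINs matched.
        ok = hmac.compare_digest(d, normal)
        duress = hmac.compare_digest(d, reverse)
        if duress:
            # Silent alarm: recorded on the back end, invisible in the reply.
            self.alarms.append(user)
        return ok or duress
```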