Authentication with biometrics - Page 2

Thread: Authentication with biometrics

  1. #11
    Banned
    Join Date
    Oct 2001
    Posts
    590
    Biometrics suck. During HAL 2001 I was at a presentation about biometrics and we ended up discussing ways of exploiting it with PGP's Phil Zimmerman.
    The researcher who did the presentation said that there is a 75% chance that fingerprinting can be fooled. He had some fingerprints taken from people and made some molds with wax/latex and it worked in many cases.
    His research came to the conclusion that biometrics (for now) won't work 100%.
    There would have to be a human (guard) standing at the authorization pad to see if the person isn't using someone's fingerprint. Phil Zimmerman said that with the right tools, if Proactive has a couple of drinks with me, I could take off his prints from the glass and have a 75% chance of rooting his system.
    I will try and get you guys the StarOffice presentation, it's really interesting.

  2. #12
    Senior Member BrainStop's Avatar
    Join Date
    Jan 2002
    Posts
    295

    No system will ever be 100% secure

    While I agree with Focmaester that fingerprinting will not be a 100% secure identification method, it must be said that no system is ever 100% secure.

    It's all a question of using combinations of systems. For example, you could add a retinal scanner to the fingerprint. Or you could ask for a password on top of it. So not only would you need to get Proactive's fingerprints on that beerglass, but you'd also need to steal his eye and get him to give you his password.

    There might also be ways to avoid the use of latex. Could a temperature sensor or such indicate the possibility that the fingerprint reader is not in direct contact with skin?

    Besides, many methods will fail against social engineering ...

    Anyway, security is always a complete package, not just one method.

    Just my take on it ...

    BrainStop

  3. #13
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716

    Thumbs up

    What's to keep me from having a file containing valid
    biometric data that I have created/hacked/stolen,
    and uploading it for validation.

    Once biometrics come into widespread use for
    access to protected sites, tools for bypassing
    the fingerprint scanner will be the first tools
    to appear.

    I can't see how they can tell whether you really
    put your finger on the scanner, or just uploaded the data.

    Then it's just a matter of stealing someone's fingerprints,
    or, once you know the format, generating plausible ones.
    I came in to the world with nothing. I still have most of it.
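
An added example, not part of any post in this thread: one way a server can tell a live capture from an uploaded file, the question raised in the post above, is a challenge-response tied to a key held inside the scanner. The names (`Server`, `sensor_capture`, `DEVICE_KEYS`) and the HMAC scheme are assumptions for illustration, not a description of any product discussed here.

```python
import hashlib
import hmac
import secrets

# Assumption: each scanner holds a secret key provisioned at enrolment and
# never exposed to the host PC. Constructed value, for illustration only.
DEVICE_KEYS = {"scanner-01": b"constructed-demo-key-not-a-real-secret"}


def sensor_capture(device_id, key, nonce, sample):
    """Runs inside the scanner: bind the fresh capture to the server's nonce."""
    tag = hmac.new(key, nonce + sample, hashlib.sha256).digest()
    return {"device": device_id, "nonce": nonce, "sample": sample, "tag": tag}


class Server:
    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.pending = set()  # nonces issued and not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def accept(self, msg):
        """True only for a capture tagged by a known scanner for a nonce
        this server issued and has not seen answered before."""
        key = self.device_keys.get(msg["device"])
        if key is None or msg["nonce"] not in self.pending:
            return False  # unknown scanner, or stale/replayed nonce
        self.pending.discard(msg["nonce"])  # single use, even on failure
        expected = hmac.new(key, msg["nonce"] + msg["sample"],
                            hashlib.sha256).digest()
        # Only a sample that passes this check is handed to the matcher.
        return hmac.compare_digest(expected, msg["tag"])


def demo():
    server = Server(DEVICE_KEYS)
    sample = b"constructed fingerprint image bytes"
    live = sensor_capture("scanner-01", DEVICE_KEYS["scanner-01"],
                          server.challenge(), sample)
    first = server.accept(live)                      # fresh capture
    replay = server.accept(live)                     # same message sent again
    uploaded = dict(live, nonce=server.challenge())  # old sample, new session
    return first, replay, server.accept(uploaded)


if __name__ == "__main__":
    print(demo())
```

This only shows that the bytes came from a trusted scanner during the current session; a copy of a finger pressed on the real sensor still yields a valid tag, which is the liveness problem the other posts discuss.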

  4. #14
    Banned
    Join Date
    Oct 2001
    Posts
    590

    Re: No system will ever be 100% secure

    Originally posted here by BrainStop
    While I agree with Focmaester that fingerprinting will not be a 100% secure identification method, it must be said that no system is ever 100% secure.

    It's all a question of using combinations of systems. For example, you could add a retinal scanner to the fingerprint.
    BrainStop
    Retinal scan hasn't been proven to work 100%. If you used to wear contacts, you build up a certain scarring that will heal and go away. But it still is inaccurate.
    But the password idea, I think that's a lot better.

  5. #15
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Originally posted here by rcgreen
    What's to keep me from having a file containing valid
    biometric data that I have created/hacked/stolen,
    and uploading it for validation.
    That can be done, but it's very difficult. I don't think you would be able to create a valid fingerprint, that sounds impossible. It's like figuring out a 200 character password. But of course you could hack my database and steal all its contents. But actually I don't store images of fingerprints, what I do is use a technique that disassembles the fingerprint and finds the characteristics of it. This is an old technique developed by the FBI in the 70s and it's improved further since then. The disassembling is done on the server, so you have to send an image of a fingerprint.

    I guess you could try to reassemble the fingerprint from the characteristics, reverse engineer the technique, but that is a difficult task. But if this FBI technique is going to be a standard for fingerprint biometrics, someone is going to make tools that will do this.
    ---
    proactive

  6. #16
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    The thing that everybody is forgetting here is that it is not just the fingerprint image that is doing the authentication. It is a combination of factors including heat and pressure sensitivity on the fingerprint scanner itself. Therefore, even if you were able to get a fingerprint image, and break the encryption, it would still not do you much good.

    There are still some improvements to be made in the biometrics arena, but most are not involved with the validity of the authentication method itself, but are related more to the speed of authentication since these images can get relatively large (compared to a password) and DB queries can take quite some time. Up to a minute or more in some cases.

    The other drawback of biometrics is that it requires client side hardware. There will probably never be a time where the world goes to all biometrics, but it does have a very good fit in some scenarios. For example, how about for verifying memberships at a health club instead of carrying around a card all the time.
