Re: Two-Factor Authentication on the Web
From: Andrew van der Stock (vanderaj greebo.net)
Date: Fri Jun 30 2006 - 09:46:41 CDT
On 30/06/2006, at 4:03 PM, Tim wrote:
> the only way I see that you can accurately validate
> someone would be through biometrics (something you are)
This is not possible, as:

- All devices in general are tamperable and not trustworthy when in the
  hands of the attacker
- Biometric devices have a long history of being little more than snake
  oil or toys. The good ones are significantly more expensive than ANY
  other form of actual 2FA authentication device
- Many attacks against existing biometric devices are so trivial as to
  be a complete joke. Check out this page:
  http://www.heise.de/ct/english/02/11/114/
- Lastly, trustworthy biometric registration requires an in-person
  visit, thus negating any possibility of remote authentication.

No matter what 2FA device you use, evidence of identity is only as
strong as the registration process. I'd prefer to see the initial
registration (and recovery of registration) done only in-person.
Otherwise the process is open to abuse by definition.
thanks,
Andrew