Saturday, May 16, 2009


Does one finger beat two pins?

This story from India about a bank installing biometric ATMs, purportedly so that senior citizens who have difficulty remembering their PIN could have their fingerprint read instead, got me to thinking.

I have two different ATM accounts with my bank, one business, one personal. I use different PINs for each. I don't know why I use different ones; perhaps it's a belief that if one is compromised I'd still have the other. But suppose my bank offered a biometric ATM? Would I choose to use the same finger for each account or two different ones?

After all, chances are that if one finger is "compromised" my entire hand would be also. And simply remembering which finger works which account could be problematic for this "senior citizen." Still, it's deeply ingrained in me that different accounts need different authenticators. Maybe I'd choose to use a "strengthened" method - fingerprint+PIN. Then I could use the same finger (but a different PIN) for each account. Or different fingers plus the same PIN.

Using different fingers with different PINs is right out, though. No way I could remember those combinations. I'd need to carry around a picture of the correct finger with the right PIN written on it!

And, with all those people, especially all those old people, swiping their fingers on the ATM - wouldn't that be a health hazard?



Tuesday, April 28, 2009


Government nonsense

My Network World colleague Mich Kabay points out that the National Institute of Standards and Technology's Computer Security Division has just published SP 800-118, “DRAFT Guide to Enterprise Password Management,” which now awaits comments. Mich suggests it needs those comments "for improvement," but that ship has already sailed. The only improvement would have been to not waste the time to write and publish it.

Username/password for enterprise authentication is not only poorly implemented, not only passé, but also very dangerous. The ONLY guideline NIST should issue for enterprise passwords is STOP USING THEM.

Of course, with the heavy government involvement in business that the current economic crisis is enabling, a simple ban on username/password or a requirement for strong authentication would make much more sense.



© 2003-2006 The Virtual Quill, All Rights Reserved
