| > Only way is active activity? Or just the only way you can think of? https://www.defcon.org/images/defcon-13/dc13-presentations/D... http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10.... > For eliminating type 2 attacks, where a previously intercepted biometric is replayed, Ratha et al. [9] proposed a challenge/response based system. A pseudo-random challenge is presented to the sensor by a secure transaction server. At that time, the sensor acquires the current biometric signal and computes the response corresponding to the challenge (for example, pixel values at locations indicated in the challenge). The acquired signal and the corresponding response are sent to the transaction server where the response is checked against the received signal for consistency. An inconsistency reveals the possibility of the resubmission attack. Please provide evidence you have a better defense against replay attacks. Then we can go through all the other avenues of attack on biometrics... > You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another. The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter. > It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact. How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind? |
Slide 44 has a long list of things other than active movement on the user end. Video liveness tests are effective, but there are more methods available than just activity, contrast to your previous statement.
> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10..... > Please provide evidence you have a better defense against replay attacks. Then we can go through all the other avenues of attack on biometrics...
When did i discredit replay attacks? It seems like you're setting up a straw man. You said the "only way to avoid this requires an active activity, at which case you've just duplicated the password". I refuted saying there's more than one, and you actually found a source that confirms that.
> The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter.
I didn't claim you can't. The paper you linked (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10....) applies a relay attack to a known system.
In this case, the attack algorithm is building an optimization to determine a viable template - using some prior information of what type of template is acceptable (how it's stored, the features being used to build it, etc.) In real life, this type of information is not readily available, and at best, an attacker is going to be just guessing.> makes me seriously question your claims of authority on the subject matter.
I honestly don't care what you think, but questioning my credentials is your right.
> How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind?
When did i ever state that an additional challenge wasn't needed? You're setting up another straw man instead of actually backing up your claims.
Many of my posts mention biometric key-binding as a good alternative to a pure biometric system. In a large scale operation i would never suggest or imply that a pure biometric is good enough - you should really read the rest of the thread. However, what MS implemented here is probably good for the average user.