by therobot24 4112 days ago
> https://www.defcon.org/images/defcon-13/dc13-presentations/D....

Slide 44 has a long list of things other than active movement on the user end. Video liveness tests are effective, but there are more methods available than just activity, contrary to your previous statement.

> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10.....

> Please provide evidence you have a better defense against replay attacks. Then we can go through all the other avenues of attack on biometrics...

When did I discredit replay attacks? It seems like you're setting up a straw man. You said the "only way to avoid this requires an active activity, at which case you've just duplicated the password". I refuted that, saying there's more than one, and you actually found a source that confirms that.

> The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter.

I didn't claim you can't. The paper you linked (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10....) applies a relay attack to a known system.

  "we propose a system that can attack a minutia-based fingerprint matcher"

In this case, the attack algorithm is building an optimization to determine a viable template - using some prior information of what type of template is acceptable (how it's stored, the features being used to build it, etc.). In real life, this type of information is not readily available, and at best, an attacker is going to be just guessing.

> makes me seriously question your claims of authority on the subject matter.

I honestly don't care what you think, but questioning my credentials is your right.

> How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind?

When did I ever state that an additional challenge wasn't needed? You're setting up another straw man instead of actually backing up your claims.

Many of my posts mention biometric key-binding as a good alternative to a pure biometric system. In a large-scale operation I would never suggest or imply that a pure biometric is good enough - you should really read the rest of the thread. However, what MS implemented here is probably good for the average user.