replacing compromised biometric authenticators

Jörg Kost jk at
Fri Oct 13 13:24:02 CST 2017


in the case I mentioned, the datacenter provider (=Level3) removed hand 
geometry scanners from its facility and switched all users to card + 
pin. Also the provider is going to run this policy Germany- or even 
Europe-wide, as being told by Level3 account rep.

The mentioned facility does not have any tailgating prevention, e.g. a 
mantrap or turnstile access. The outside door, which is visible from the 
street, and the inside colocation doors are now sharing the same access 
method (card + pin). So now the card becomes valuable and transferable. 
Before it was: Parking lot: Card, Outside door: Card + pin, Inside door: 
Card + hand.

There is a security sub-sub-contractor on this site, but they are not 
responsible for access or any thing real :-], thats why I am interested 
how Level3 runs its others facility and I am still looking for feedback. 
 From contract side the access device is not exactly defined, hence you 
can accept, quit end of term or of course upgrade your suites, racks, 
… with a custom solution, as long as Level3 staff can enter, too.

To bring things back to the biometric topic:
The hand geometry scanner does not save fingerprints but hand sizes and 
shapes. From current mailings I understand, that people have a lot of 
different definition of biometric and may not count the hand scanner as 
"(full?) biometric" device.

Regards "bionic"

On 13 Oct 2017, at 13:03, Alain Hebert wrote:

>     Odd,
>     1. captcha(?)
>     In my millennia of experience I never saw a captcha used as a 
> mean for DC access control.  Just as a programmatic way to reduce 
> brute force for some website functions.
>     On my network janitor keychain I have (in order of hackability 
> from easiest to hardest)
>         1. keycard only
>         2. keycard + fingerprints
>         3. keycard + face (2d)
>         4a. keycard + eye
>         4b. keycard + top of hand mapping
>     But all the DCs, I deal with, have highrez cameras and 
> tailgating controls...  Biometrics are just a part of a wider system.
> -----
> Alain Hebert                                ahebert at
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
> Tel: 514-990-5911    Fax: 514-990-9443
> On 10/12/17 16:58, Rich Kulawiec wrote:
>> On Wed, Oct 11, 2017 at 05:04:08PM -0400, Ken Chase wrote:
>>> If the current best operating practice is to avoid biometrics, why 
>>> are they
>>> still in use out here?
>> (1) for the same reason some idiots still use captchas
>> (2) new hotness > old and busted, regardless of merits
>> (3) because they facilitate coerced risk transference away from the
>> people who are actually responsible (and are paid to be so) to the
>> people who shouldn't be responsible (and aren't paid to be)
>> ---rsk

More information about the NANOG mailing list