@nonDev said:
Isn’t that the ultimate “security by obscurity" security? Anyone knowing the username/password combination can get in.
Is there a fundamental difference between a login control and a secret url?
One measure that your security system is "secure" is that even if your enemy has a copy of your encoding machine, the messages sent are safe as long as the key used is unknown by the enemy. Or, think of a door. A login control would be like a lock that uses a key. A secret url would be more like knowing just how to wiggle/force the door to open it, without unlocking it (this is far more common than you'd believe, such as sliding windows/glass doors: lift up and it is off the tracks without needing to be unlocked).
As for fingerprints or iris scans being "secure..." There was a paper presented by some Japanese students on how they made false fingerprints with the same substance used to make gummi bears. They demonstrated that their techniques fooled every fingerprint reader on the market at that time. Most of the copies of the PDF of their presentation have been removed from the web. The same (or maybe following year), a couple Germans demonstrated how to get iris scanners to falsely accept counterfeit irises (hint: photgraphs of enrolled eyeballs, with a hole punched in them for the pupil.
Some of the other posters pointed out a critical factor about biometrics: you can always give me a new username/password, but you cannot give me a new finger.