biometrics

Perry E. Metzger perry at wasabisystems.com
Wed Jan 23 15:11:23 EST 2002


In general, I have to say that biometrics are useless for the majority
of day to day authentication tasks I have to deal with, because the
unit I'm authenticating from (say, my laptop computer) can simply lie
to the counterparty at will about what it is measuring.

Biometrics are perhaps useful for things like ATM machines and similar
situations where the system demanding authentication is composed
entirely of trusted hardware under the complete physical control of
the entities demanding the authentication.

However, as soon as you lose physical control over the device doing
the measurements or their communications path, biometrics become worse
than useless. As one example, they're useless for authenticating
over-the-net bank account access -- the device on your desk that your
bank helpfully provides to scan your eye might not even be attached
when the cracker's software helpfully provides forged information down
the line. "Liveness" tests are not useful if you don't even know if
the biometric hardware at the other end is intact. Anything in a
user's location is by definition untrustworthy in this sense.

--
Perry E. Metzger		perry at wasabisystems.com
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/


