biometrics

lynn.wheeler at firstdata.com
Sun Jan 27 17:07:27 EST 2002


let's say you are replacing pin'ed magstripe card with a chip card needing
biometric ... say fingerprint (in place of a PIN) along with chip (in place
of magstripe).

there are two issues 1) effort to compromise the biometric is still
significantly more difficult than a normal 4-digit pin and 2) there seems
to be a large population that writes their 4-digit pin number on their card
(as well as numerous tricks of capturing the PIN).

biometric can work almost anywhere if the incremental cost of the biometric
infrastructure is offset by a corresponding decrease in fraud/compromise.
It doesn't have to be perfect.

Even if similar infrastructures used to capture large number of PINs &
magstripe values were used in a chip/biometric infrastructure ... the use
of the biometric would still be dependent on stealing the card ... compared
to the current pin/magstripe ... where both the pin & magstripe can be
captured with some of the techniques.

The issue then is that biometric represents a particularly difficult
shared-secret that doesn't have to be memorized compared to PIN values
which you find people writing on their cards. The biometric has the
advantage of not being written on the card .... so simply stealing the card
is not sufficient. Both the biometric value has to be acquired and the
specific card stolen.

Reversing the viewpoint ... rather than can I make a perfect authentication
system using various biometric implementations? ...  Can the addition of
biometrics reduce the current fraud rate in a cost-effective manner (not
does it have to totally eliminate all forms of fraud)?



jamesd at echeque.com on 1/27/2002 10:35 am wrote:


Biometric id can only work when you control the hardware and
the adversary does not, and you can also control what
hardware the adversary can bring to fool your hardware.  This
is feasible in a security door, or security checkpoint





---------------------------------------------------------------------
The Cryptography Mailing List