biometrics

lynn.wheeler at firstdata.com
Mon Jan 28 19:06:52 EST 2002


at least part of the fingerprint as a PIN ... isn't the guessing issue &/or
false positives .... it is the forgetting issue (and the non-trivial number
of people that write their PIN on the card).

rick_smith at securecomputing.com on 1/28/2002 4:00 pm wrote:

The essential problem I've always seen with biometrics (and one that
Dorothy Denning acknowledged in her recent op ed piece without seriously
examining) is the question of whether it's as efficient to deploy and
manage biometrics safely as it is to deploy and manage some keyed
alternative like smart cards or other tokens.

Once you start embedding crypto secrets into your biometric reader, you are
no longer managing biometrics. You're now managing BOTH biometrics AND a
bunch of crypto keys. Why not just save yourself the administrative
headache, deploy tokens, and use that crypto key for authentication?

I'm sure there are applications where biometrics make sense (ATMs, door
security, and other closed systems like that) but I just don't see them
working in an open system where your main problem is to associate the
endpoint with a person. If you also need to separately authenticate the
endpoint, and that's what everyone recommends, then the system costs go up
even more.

My favorite biometric implementation is the "fingerprint as PIN" token,
which several vendors make. There's the Sony Puppy, a credit card
calculator sized token with a USB cord and an embedded public key pair.
There are also various PCMCIA readers that (apparently) you can plug in to
your laptop to provide a biometric lock.

My impression, however, is that these readers provide a PIN-like resistance
to attack. Once you've cranked the false rejections down to the point that
it's convenient, the false positives are approaching PIN levels (2^13
guesses on average).

A nice feature of the "fingerprint as PIN" tokens is, of course, that the
print never leaves the card. You still have to worry about images of
fingerprints or rubber fingers, of course. The print is a back-up for
physical possession.


Rick.
smith at securecomputing.com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com