On Thu, 5 Dec 2002, Ken Chang wrote:
> biometric is a very long password you don't have to remember,
> but it's difficult to change when disclosed.

Not at all. Biometric data is completely different from, and unrelated
to, passwords.

In theory, it's supposed to be something you have that you can't
give away to someone else. In practice, that's generally far from
the case. Thus, the one area where it really would have an advantage
over "something you have," the fact that you can resist attacks by
the person who has the thing, doesn't really turn out to be an
advantage after all.

> one may attack the connection between the authentication software
> and the biometric sensor, say a Windows device driver, to record
> and feed the password.

Well, you could try to make the device secure and self-contained,
and prevent all but really, really expert attacks along these lines.
Smart cards often do this, though they too have succumbed from time
to time.

> so you need someone to monitor the process using a certificated
> device. may be a good idea for police or immigration officers.
> (don't forget to lick her finger to remove any coating first).

Yes, well, having a person supervising is definitely the most (and
perhaps only) reliable way of identifying a person. But if you're
going to do that, you don't need the device; you can just look at
the guy and compare with a photograph.

cjs
--
Curt Sampson <cjs_at_cynic.net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
Received on Fri Dec 6 02:15:56 2002