On Friday, Dec 6, 2002, at 09:05 Asia/Tokyo, Curt Sampson wrote:
> In theory, it's supposed to be something you have that you can't
> give away to someone else. In practice, that's generally far from
> the case. Thus, the one area where it really would have an advantage
> over "something you have," the fact that you can resist attacks by
> the person who has the thing, doesn't really turn out to be an
> advantage after all.
To be precise, biometrics is "something you are" as opposed to
something you have (e.g. plastic credit card) or something you know
(e.g. PIN), but your argumentation still stands.
On Thu, 5 Dec 2002, Ken Chang wrote:
> biometric is a very long password you don't have to remember,
> but it's difficult to change when disclosed.
In addition to what has already been said: Yes, there are issues
pertaining to replacement of biometric data (the "get a new finger"
problem), however disclosure isn't really the issue here. There is not
always a reason to keep the data secret, just like a hand-written
signature is publicly available. What must not be possible is using
the, say publicly available information by itself to impersonate an
individual. The problem occurs when someone else is able to generate
the biometric data to obtain access like the authorised user is, i.e.
by copying a person's physical properties and just normally using the
reader. This has nothing to do with disclosure.
Actually I mostly agree with Curt overall, and you will find numerous
security folks out there with the same or similar opinion.
Dirk
Received on Wed Dec 11 06:22:34 2002