Educause Security Discussion mailing list archives

Re: Biometrics


From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Thu, 15 Jan 2004 09:11:37 -0800

[I've changed the Subject line to reflect the new thread...]

-----
At 10:09 AM -0500 on 1/15/04, Gary Dobbins wrote:

One particular biomet vendor became known for their catchphrase "dead
thumbs don't work" in an attempt to allay that fear.

Perhaps the biggest chink in the biomet armor is, as someone pointed
out earlier, the risk of subject-pattern intercept which could create
a playback opportunity.

Yes - "Minority Report".  Gotta keep the 'ball warm and the veins red...

My contention is that the appropriate use of biometric authentication
is where the scanner is directly connected to the relying party's
platform, e.g. the thumbprint reader is hard wired to the airport
security gate.  This makes replay much harder (see above :-).
Relying on a remote user's laptop to always take a new scan of the
thumbprint when asked and send it over the Internet to the RP doesn't
give me a warm fuzzy feeling.

You've undoubtedly seen the "helpful" browser prompt "Do you want me
to remember the password you have just entered for this site?"  Well,
how about "Do you want me to remember the retinal scan you've just
produced for this site?"

I do think that a PKI cert store, e.g. smartcard or USB device, with
a built-in ("live"!) thumbprint scanner to unlock the cache would be
cool.  There the RP is the cert store so the wiring is right.  (I've
heard there is a Palm that does this.)  Sure would be convenient and
very hard to share or defeat.  Just avoid serious industrial
accidents...

       David

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
