Educause Security Discussion mailing list archives
Re: Biometrics
From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Thu, 15 Jan 2004 09:11:37 -0800
[I've changed the Subject line to reflect the new thread...]

-----

At 10:09 AM -0500 on 1/15/04, Gary Dobbins wrote:

> One particular biomet vendor became known for their catchphrase "dead thumbs don't work" in an attempt to allay that fear. Perhaps the biggest chink in the biomet armor is, as someone pointed out earlier, the risk of subject-pattern intercept which could create a playback opportunity.

Yes - "Minority Report". Gotta keep the 'ball warm and the veins red...

My contention is that the appropriate use of biometric authentication is where the scanner is directly connected to the relying party's platform, e.g. the thumbprint reader is hard wired to the airport security gate. This makes replay much harder (see above :-).

Relying on a remote user's laptop to always take a new scan of the thumbprint when asked and send it over the Internet to the RP doesn't give me a warm fuzzy feeling. You've undoubtedly seen the "helpful" browser prompt "Do you want me to remember the password you have just entered for this site?" Well, how about "Do you want me to remember the retinal scan you've just produced for this site?"

I do think that a PKI cert store, e.g. smartcard or USB device, with a built in ("live"!) thumbprint scanner to unlock the cache would be cool. There the RP is the cert store so the wiring is right. (I've heard there is a Palm that does this.) Sure would be convenient and very hard to share or defeat. Just avoid serious industrial accidents...

David

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.