Re: Biometrics

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2005-07-08 Trevor Jennings wrote:
> Hi,  I have a bank customer who wants to roll out a biometric
> (fingerprint) solution in an AD 2003 enviorenment for his branch
> sites.  His primary goal is to reduce password administration and
> secondary goal is to provide more secure authentication.  Does anyone
> know of any banks that have implemented such a solution?  Has anyone
> had experience with 'digital persona's product? Any thoughts on
> bio-metric vendors, reviews or even ideas about token based auth
> (remember password emimination Is the key).

Not an answer to your question, but some points you (and your customer)
might want to consider, since biometric authentication has various
security-related issues:

1. With biometrics you always have to find a balance between false
   accepts (wrong person get's access) and false rejects (valid user
   doesn't get access).
2. Fingerprints can be easily forged [1], and people leave their marks
   around everywhere they go.
3. How will you handle a biometric token (i.e. fingerprint), that gets
   compromised? People usually have only ten fingers.

[1] http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq