Re: Biometrics

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2005-07-12 Eduardo Kienetz wrote:
> On 7/12/05, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:
> > 1. With biometrics you always have to find a balance between false
> >    accepts (wrong person get's access) and false rejects (valid user
> >    doesn't get access).
> > 2. Fingerprints can be easily forged [1], and people leave their marks
> >    around everywhere they go.
> > 3. How will you handle a biometric token (i.e. fingerprint), that gets
> >    compromised? People usually have only ten fingers.
>
> Just a clarification here...
> This is not a problem anymore... there are new fingerprint (even whole
> hand) scanners that not only scan your finger/hand, but also measure
> temperature/pulse (to make sure the hand is alive :).

You haven't read the article I mentioned, have you?

> Besides that if you use password-based auth, the "thief" would just
> need to threat you that... for example he'll cut your finger if you
> don't tell him the password... ;) etc.

And you would consider this to be easier than getting someone's finger-
print from e.g. a bottle or glass in a restaurant, because ... ?

> One could even combine the scanning of BOTH hands to authorize.

That would not only fail to solve the inherent problem, but also reduce
the pool of available tokens from 10 to 1.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq