> -----Original Message-----
> From: KuroiNeko [mailto:evpopkovat_private]

> Don't expect biometrics to be all-it-takes. A real-life example. A bank
> had a dactyloscopic scanner to authenticate users of rented private vault
> cells. A woman came to rent a cell, but they simply could not establish an
> account for her because she was a typist and her fingertips were so soft
> and papillar pattern was so blurry (very thin skin) that scanner simply
> could not identify her.

An authentication policy of "finger print OR <some other biometric>" would solve this. For example, if the woman above could not enroll for the finger print device but she successfully enrolled for the facial recognition device, she could then satisfy an OR policy of "finger print OR face".

> Also, marketoids of biometric systems tend not to tell you one really
> important thing: you should not assume that a part of human body used for
> auth will always remain and always be the same. A person can lose a finger
> in a disaster, ditto an eye.

Yes, these things can happen. But forgetting your password happens a *lot* more frequently. Forgetting your smart card at home probably also occurs more frequently than losing a body part.

> Skin tends to change fast, especially
> fingertips, voices change, even adults' voices.

I agree that the biometric enrollment would not last forever. But how often does a security policy dictate that you change your password? Every month, 3 months, 6 months? Your biometric enrollment would certainly last longer than this. What about losing your smart card or your token?

> Provided that biometric scanners and recognition software still cost a
> fortune,

How much is a fortune? I've seen good fingerprint scanners that cost under US $200. Voice recognition is cheap because a microphone is often included in an average computer purchase. Some laptops come with built-in cameras that can be used for facial recognition.

> and they still have to be backed up by traditional auth methods,

Well, only some do. And those that do still require a password usually allow the biometric software to generate a long (sometimes very, very long) random password. This way, the user has no idea what their password is, which means they can't forget it.

> real advantage of biometrics is still questionable.

Not true. Studies have been done on the cost of "forgotten passwords" and having to reset them. Removing the burden from the user of having to remember a password certainly benefits companies by reducing this cost. Also, users no longer have to worry about leaving their smart cards at home.

They also raise the bar. If your current authentication policy is "hardware token", which is strong, a policy of "hardware token AND finger print" is stronger in that it couples something you have with something you are.

Marc

This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 09:21:47 PDT