Technorati Tags: biometrics
Fingerprint authentication in at a door is attractive because of convenience, not security (remember the case of the Scottish jail that had to turn off it’s new fingerprint access control system because prisoners could fool it at will). But so far as customer convenience is concerned, there is a significant limitation on such biometrics. It is one thing to use your fingerprint in a bank branch or social security office — where the device is under supervision and might reasonably be assumed to have not been tampered with — and quite another to use your fingerprint at a device in an insecure location (eg, a petrol station), a device that may have been subverted by criminals trying to capture fingerprints. Using your fingerprint at home is a non-starter for the time being. Apart from the issue of coercion, the fact is that PCs are very insecure and there is no possibility of trusting them or anything connected to them. If a fingerprint reader attached to my PC tells the bank that my finger is on it, how does the bank know whether that is true or whether the reader has been tampered with? It may be replaying my fingerprint when actually a criminal is logging in.
One factor authentication in these circumstances is a bad idea, whether the one factor is a fingerprint or a password. Two factor authentication, especially two factor authentication where one of the factors is tamper-resistant hardware (eg, a smart card) and the other factor is a convenient biometric (eg, a voice print) might be an optimal combination.