About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

Advertisers

Technorati

  • Add to
Technorati Favorites

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Tokens mean credentials mean reputations | Main | Hard or soft? »

The myth of fingerprint authentication?

By davebirch posted Sep 25 2006 at 10:21 PM

[Dave Birch] Jerry Fishenden pointed me to this extract from Mythbusters.  My kids love Mythbusters, which is a show on the Discovery Channel where a couple of guys set up experiments to test "myths" like: would a penny dropped from a skyscraper kill someone?  I like the show because they design and build the experiments themselves: they don't take anyone's word for anything.  I wonder if they'll be showing Episode 59 at Biometrics 2006?

Technorati Tags:

Fingerprint authentication in at a door is attractive because of convenience, not security (remember the case of the Scottish jail that had to turn off it's new fingerprint access control system because prisoners could fool it at will).  But so far as customer convenience is concerned, there is a significant limitation on such biometrics.  It is one thing to use your fingerprint in a bank branch or social security office -- where the device is under supervision and might reasonably be assumed to have not been tampered with -- and quite another to use your fingerprint at a device in an insecure location (eg, a petrol station), a device that may have been subverted by criminals trying to capture fingerprints.  Using your fingerprint at home is a non-starter for the time being.  Apart from the issue of coercion, the fact is that PCs are very insecure and there is no possibility of trusting them or anything connected to them.  If a fingerprint reader attached to my PC tells the bank that my finger is on it, how does the bank know whether that is true or whether the reader has been tampered with? It may be replaying my fingerprint when actually a criminal is logging in.

One factor authentication in these circumstances is a bad idea, whether the one factor is a fingerprint or a password.  Two factor authentication, especially two factor authentication where one of the factors is tamper-resistant hardware (eg, a smart card) and the other factor is a convenient biometric (eg, a voice print) might be an optimal combination.

Comments

How precisely did they test the dropping the penny theory (which originally appeared in GK Chesterton by the way)? And did they kill anyone?

They worked out the terminal velocity of the penny then builta machine to fire a penny at exactly that speed. They fired it into gel first, then fired it at one of them.

i love mythbusters can i be won i am 12

The comments to this entry are closed.