In general, I have to say that biometrics are useless for the majority of day-to-day authentication tasks I have to deal with, because the unit I'm authenticating from (say, my laptop computer) can simply lie to the counterparty at will about what it is measuring.
Biometrics are perhaps useful for things like ATM machines and similar situations where the system demanding authentication is composed entirely of trusted hardware under the complete physical control of the entities demanding the authentication. However, as soon as you lose physical control over the device doing the measurements or their communications path, biometrics become worse than useless. As one example, they're useless for authenticating over-the-net bank account access -- the device on your desk that your bank helpfully provides to scan your eye might not even be attached when the cracker's software helpfully provides forged information down the line. "Liveness" tests are not useful if you don't even know if the biometric hardware at the other end is intact. Anything in a user's location is by definition untrustworthy in this sense.

--
Perry E. Metzger [EMAIL PROTECTED]
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/
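The argument above can be modelled in a few lines. This is an added example, not part of the original message: a toy remote verifier whose decision depends only on the message it receives. The template size, threshold, noise level, message fields and all function names are assumptions made for the illustration.

```python
import random

CODE_BITS = 256          # constructed size of a toy iris-code-like template
MATCH_THRESHOLD = 0.32   # assumed maximum fraction of differing bits for a match

def hamming_fraction(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)

def sensor_read(true_code, rng, noise=0.05):
    """Model a genuine scanner: the real trait plus measurement noise."""
    return [bit ^ (rng.random() < noise) for bit in true_code]

def server_verify(enrolled, message):
    """The remote verifier sees only the message that came off the wire."""
    if not message.get("liveness_ok"):   # liveness is asserted by the far end
        return False
    return hamming_fraction(enrolled, message["sample"]) <= MATCH_THRESHOLD

def honest_client(true_code, rng):
    # Scanner attached, user present, liveness checked locally.
    return {"sample": sensor_read(true_code, rng), "liveness_ok": True}

def lying_client(stored_sample):
    # No scanner attached at all: software on the untrusted endpoint sends a
    # stored copy of an earlier reading (assumed available to it) and sets
    # the liveness field itself.
    return {"sample": list(stored_sample), "liveness_ok": True}

def demo(seed=1):
    rng = random.Random(seed)
    true_code = [rng.randrange(2) for _ in range(CODE_BITS)]
    enrolled = sensor_read(true_code, rng)        # template held by the bank
    stored = sensor_read(true_code, rng)          # an earlier legitimate reading
    stranger = [rng.randrange(2) for _ in range(CODE_BITS)]
    return {
        "honest": server_verify(enrolled, honest_client(true_code, rng)),
        "lying": server_verify(enrolled, lying_client(stored)),
        "stranger": server_verify(enrolled, {"sample": stranger, "liveness_ok": True}),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier still rejects a non-matching trait, but it accepts the honest and the lying endpoint alike, because nothing in the message proves that a measurement took place.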
