The essential problem I've always seen with biometrics (and one that Dorothy Denning acknowledged in her recent op-ed piece without seriously examining) is the question of whether it's as efficient to deploy and manage biometrics safely as it is to deploy and manage some keyed alternative like smart cards or other tokens.
Once you start embedding crypto secrets into your biometric reader, you are no longer managing biometrics. You're now managing BOTH biometrics AND a bunch of crypto keys. Why not just save yourself the administrative headache, deploy tokens, and use that crypto key for authentication?

I'm sure there are applications where biometrics make sense (ATMs, door security, and other closed systems like that) but I just don't see them working in an open system where your main problem is to associate the endpoint with a person. If you also need to separately authenticate the endpoint, and that's what everyone recommends, then the system costs go up even more.

My favorite biometric implementation is the "fingerprint as PIN" token, which several vendors make. There's the Sony Puppy, a credit-card-calculator-sized token with a USB cord and an embedded public key pair. There are also various PCMCIA readers that (apparently) you can plug in to your laptop to provide a biometric lock.

My impression, however, is that these readers provide a PIN-like resistance to attack. Once you've cranked the false rejections down to the point that it's convenient, the false positives are approaching PIN levels (2^13 guesses on average).

A nice feature of the "fingerprint as PIN" tokens is, of course, that the print never leaves the card. You still have to worry about images of fingerprints or rubber fingers, of course. The print is a back-up for physical possession.

Rick.
[EMAIL PROTECTED]  roseville, minnesota
"Authentication" in bookstores  http://www.visi.com/crypto/
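The false-rejection / false-acceptance trade-off Rick describes, worked through numerically, as an added example that is not part of the original post. The genuine and impostor match-score distributions are constructed Gaussians chosen for illustration (an assumption; real matchers have heavier tails and the numbers will differ); the point it shows is that pushing FAR down to the 2^-13 region that makes a biometric "PIN-equivalent" costs a large FRR on the same curve, and that each impostor attempt is a guess with success probability FAR, so the expected number of attempts to a false accept is 1/FAR.

```python
"""
Biometric threshold trade-off: sweep the decision threshold over constructed
genuine/impostor score distributions, compute FRR and FAR at each point, and
express FAR as "expected attempts to a false accept" and as PIN-equivalent bits.
All distributions and parameters are constructed assumptions for illustration.
"""
import math

# Constructed score model (assumption): match scores in [0, 1] are Gaussian.
# Genuine = enrolled user re-presenting the finger; impostor = another finger
# or a fake. Real matchers have heavier tails; these are illustrative only.
GENUINE_MU, GENUINE_SIGMA = 0.75, 0.12
IMPOSTOR_MU, IMPOSTOR_SIGMA = 0.30, 0.10


def gaussian_cdf(x, mu, sigma):
    """P(score <= x) for a Gaussian with mean mu and std dev sigma."""
    return 0.5 * math.erfc((mu - x) / (sigma * math.sqrt(2.0)))


def frr(threshold, mu=GENUINE_MU, sigma=GENUINE_SIGMA):
    """False rejection rate: a genuine score below the threshold is rejected."""
    return gaussian_cdf(threshold, mu, sigma)


def far(threshold, mu=IMPOSTOR_MU, sigma=IMPOSTOR_SIGMA):
    """False acceptance rate: an impostor score at or above the threshold is accepted."""
    return 1.0 - gaussian_cdf(threshold, mu, sigma)


def expected_attempts_to_false_accept(far_value):
    """Each presentation is an independent trial with success probability FAR,
    so the expected number of attempts until the first false accept is 1/FAR."""
    return 1.0 / far_value


def pin_equivalent_bits(far_value):
    """log2(1/FAR): the size of a uniformly random secret with the same guess resistance."""
    return math.log2(1.0 / far_value)


def pin_expected_guesses(digits):
    """Average guesses to hit a uniformly random n-digit decimal PIN: (10^n + 1) / 2."""
    return (10 ** digits + 1) / 2


def threshold_for_far(target_far, lo=0.0, hi=1.0):
    """Bisect for the lowest threshold whose FAR is <= target_far.
    FAR decreases monotonically as the threshold rises, so bisection is valid."""
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if far(mid) > target_far:
            lo = mid
        else:
            hi = mid
    return hi


def sweep(thresholds):
    """(threshold, FRR, FAR) for each threshold, for plotting or tabulating the trade-off."""
    return [(t, frr(t), far(t)) for t in thresholds]


if __name__ == "__main__":
    print(f"{'thresh':>7} {'FRR':>8} {'FAR':>10} {'attempts':>10} {'bits':>6}")
    for t, r, a in sweep([0.40, 0.50, 0.60, 0.65, 0.70]):
        print(f"{t:7.2f} {r:8.4f} {a:10.2e} "
              f"{expected_attempts_to_false_accept(a):10.0f} {pin_equivalent_bits(a):6.1f}")
    # Tune for a PIN-like FAR of 2^-13 and see what FRR that costs on this model.
    t = threshold_for_far(2.0 ** -13)
    print(f"threshold for FAR=2^-13: {t:.3f}, FRR at that threshold: {frr(t):.3f}")
    print(f"4-digit PIN, average guesses: {pin_expected_guesses(4):.1f}")
```

The table makes the asymmetry concrete: on this constructed model, the threshold that brings FAR down to roughly 2^-13 rejects about a quarter of genuine presentations, while the convenient thresholds that reject only a few percent of users accept impostors at rates an attacker with a set of lifted prints or moulded fingers can exploit in a few dozen tries. Substitute a real matcher's score distributions for the Gaussians to get numbers you can act on.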