April 16, 2004

Giving Passwords the Finger

Came across this blurb this morning:

"Basically anytime you need to log into anything, you just simply will place your finger on the sensor, and a fingerprint match will occur on the server, and proceed to log you into the application."

Rather than storing the actual fingerprint, the company (DigitalPersona) stores a "300-byte template of some of the salient features of your fingerprint," which is apparently sufficient for identification purposes.

It's one of those concepts that both intrigues and worries me.

It certainly would simplify logins for users. The story suggests the average user has around a dozen "personas" online, and I have easily three times that; juggling all the passwords for my various accounts has been problematic, to say the least. Of course, in order to actually work, the systems to which you wish to connect have to be modified to interface with the fingerprint scanner and template database. And there's no guarantee that it will take hackers any longer to crack this new system than it takes them to defeat any of the other, existing security schemes.

Then there's the ever-present privacy issue. My passwords are just that: mine. I can change them whenever I want, to whatever I want, and when appropriate, I can share them with a business partner or a family member. I can set up applications to save my password and automatically log me in and execute lengthy tasks in the off hours, when I'm asleep. The various venues where I conduct online business transactions have no way to cross-connect to my data at other sites using only my name and password. And rather than deterring identity theft, I think it more likely that malicious users will find a way to fake out the new system, leaving everyone vulnerable at an entirely new level.

Convenience versus freedom. It's a slippery slope.

Posted by thinkum at April 16, 2004 03:11 PM
Comments

Once again I find myself in the defensive techno-geek position. :) Okay, here we go.

(begin diatribe)

First, the fingerprint scanners and the associated software have been around for a while. I saw some of the first scanners and software more than 5 years ago; they reached their current state about 3 years ago. The security is fairly well proven.

In every implementation that I've seen, the fingerprint scan itself is not the password for the application or the website. Instead, the application associated with the scanner sends the user name and password that you set up to the application. You can still perform any login normally from another machine, and you can still change the ID or password any time you choose.

A hacker can break the system if he gets access to your machine. That's true of just about any security system. The password file and the fingerprint file are generally heavily encrypted to protect against the possibility as much as possible.

It's a matter of convenience, but it's a fairly secure convenience. It will get better as we move into systems with hardware-encrypted storage of one kind or another, like my current portable (Gateway 450XL). It has the scanner built-in, and the print records are stored in a protected static memory device on the systemboard. It won't even boot until it gets a successful scan -- or until I use the override password that I set up.

I do think some websites will start using biometrics for login in the near future. It won't be any less secure than text IDs and passwords, and for people with careless security habits it will be more secure.

(end diatribe)

They're quick, they're useful. I won't say they're fun -- just try scanning your finger right after washing your hands -- but they're useful.

Posted by: PyeCat at April 19, 2004 04:47 AM

You actually have a fingerprint scanner on your computer?

Posted by: Thinky at April 19, 2004 04:01 PM

I actually have a fingerprint scanner built right into my latest portable computer. Incredibly convenient.

On the other hand, I've had a USB fingerprint scanner for years that I acquired but never bothered to hook up to my desktop. Someday I will.

Posted by: PyeCat at April 20, 2004 04:54 AM