Daniel Berrange

a good post on why biometric based authentication is a dead end “There is no full third factor for authentication, because, given a sufficient amount of time, any use of biometrics will eventually degenerate into a non-factor……have you ever heard the argument that you should never use the same password on multiple websites because if it’s stolen on one, they have access to the others? Well, the same is true of your retina….The moral of the story is this: biometrics are minimally useful, since they are only viable until the first exposure across all sites where they are used.” http://securityblog.redhat.com/2013/10/02/we-are-not-who-we-are/

We are not who we are | Red Hat Security

David Megginson October 12, 2013 14:38

Biometrics could work only if it relied on generating a real-time hash from a (biological) dataset that is too large to copy, so that the physical presence of the person was always required.  Of course, Moore’s Law would eventually erode “too large to copy.”

Eugene Crosser October 12, 2013 14:48

My problem with this (common among security knowledgeable) line of reasoning it its basic assumption that things are the way the instruction says they should be. In reality, password is not something that the user knows. It is something written on a post-it note, hidden under the keyboard at best or stuck to the monitor bezel at worst. If you accept this, biometry suddenly looks much more useful, although worse than a token.

David Megginson October 12, 2013 15:20

Even worse are crooked vendors who dupe their customers (government, bank, etc.) into believing that a security question is a separate factor from a password.

Imported from Google+ — content and formatting may not be reliable