Hashing Out the Next Step in Biometric Security

ergo98 writes "CNN is running a story about biometric hashing. Using this technique, biometric inputs (such as facial characteristics) are altered based upon individual characteristics in a hopefully one-way process. The goal is to continue to reduce the risk of a back-end data exposure."

Compromises?

[Poromenos1]

I don't like this. Say that someone discovers the "password" (the hash), then you're done. You can't change it (unless you grow a moustache). Same goes with fingerprints, etc. I think a password (passphrase) is much more practical.

Re:Compromises?

[Doug+Coulter]

Bruce Schneier (counterpane.com) has published on and linked to a lot of other publications on the implications of biometrics, and how easy they are in general to steal. Can't just change your password, you've only got 10 fingers (I hope!) and so on. The whole thing is a very bad idea, and most extant schemes are trivially cracked no matter how "secure" the backend. Pictures of retinas/faces have worked, lifted fingerprints translated to gummy silicone have worked, and so forth. No fancy skillz needed to get past any existing system.

What about equipment maintenance?

[antifoidulus]

Say what you will about passwords, the thing is the require *NO* extra equipment to keep running(well, a keyboard, but you probably need that for other purposes anyway) However, all sorts of biometric scanners need equipment to keep running, equipment that will fail one day, and of course it will be the day that you have to log into your account to fix a critical problem in a critical production system....

Re:More Misdirection from the Biometric Community

[Russ+Steffen]

The three mechanisms for authentication are generally grouped into, something you know (password), something you have (swipe card), and something you are (biometrics).

In reality, those groups are actually:

• something you can forget
• something you can lose
• something that can change as you age