The key phrase in your post was "I know how most of these systems work." There are state-of-the-art fingerprint matchers which are in production now, which obviously lie outside your familiarity.
Adding a second or third factor (Combinations):
Good point - you are correct that adding additional verification checks such as skin chemistry, blood vessel, etc., raises the bar even further, but your expectation of timing is a little off. There are readers less than 1 year from large scale production which bring at least two of those additional verification components to the market, at prices even lower than the cheapest fingerprint-only scanners now. Still, the model for the use of these technologies remains to first ID the person based on their fingerprint, then confirm that ID with the second and third factors. The reason is that fingerprint searching is much more accurate and scalable than any of these additional factors. Companies that want to start with fingerprint technology can do so now, if they use a state-of-the-art technology which will allow complete portability to any of these new readers, without re-enrolling.
Misconceptions of accuracy of state of the art fingerprint matchers:
Your characterization, which I expect is based on the capabilities of the major AFIS fingerprint vendor technology being used by PayByTouch (which is only accurate to 1 in 10,000 for a single finger), is not reflective of the state of the art in production-deployed fingerprint identification systems, which offer single finger accuracy of over 1 in 200 million, by extracting 50 times more data from the same fingerprint image than these older systems. These state of the art systems also index data using COTS databases such as Oracle, and run on data center friendly platforms such as Windows and Linux. These indexing systems allow a single finger to be presented to databases of - yes - millions of prints, returning a single 1 in 200 million accuracy match. So, if the search is a 1 to many ("with no other information provided, is this person in my db?"), it can be found among millions.
Why PayByTouch uses a separate "key" such as tel. number
The reason for having consumers enter their phone number or other unique identifier is to allow the back end matcher to retrieve a single record from a traditional DB such as Oracle, containing the biometric template of record for that individual, then performing a "1 to 1" match between the print at the POS with the print from the DB. These types of matches can be performed at huge throughput volumes, which allows the system to scale. Performing "1 to Many" searches is CPU intensive, and so cannot be used in a centralized processing model. Here again, state-of-the-art systems have built "cascading search" capabilities, which automate the process of first searching from a local context ("has this person been in this store before?"), then only moving up to larger scale 1 to many searches when a person is not found locally. Leveraging context results in a distributed processing model which scales very well. Cisco is working with the state-of-the-art vendor I'm describing to build the biometric equivalent of DNS, built directly into their new AON switches, to allow the cascading search to be completely transparent, like the DNS process.
New Crime Type - would not work:
The trial and error attack you described would never succeed if a highly accurate matcher is used - and is the reason that consumers should ask what the accuracy (False Accept Rate) is of the system being used to match their finger to their record. If the answer is 0.0001 (1::10,000), then it would still take you over 10000 random attempts to have a chance of matching someone else. However, if it's a state-of-the-art system, offering more like 0.000000005 (1::200,000,000), then you simply could never match anyone else's prints. Additionally, these systems perform internal alias/duplicate checks to determine if any two prints are the same (in which case, the person is the same).
So, PayByTouch does have a weak algorithm in place now, but they are likely to move to something more accurate, as they learn the shortcomings of the technology they chose.
I can't get over all the FUD and BS that the anti-biometric crowd comes out with, so predictably, when confronted by the reality that existing authentication methods don't work, or are too inconvenient to be practical. This stuff works, and is much more convenient, lower cost, and secure than the alternatives - get over it.
To the poster who said they use it at work and it doesn't match:
You are using crappy technology. The state of the art not only doesn't need a PIN, it can match using any of over 20 different readers, against a population of millions. There are two components to a quality system - the scanner, and the software to perform extraction and matching. If either is inferior, the entire system appears to stink. For example, mating a great engine to a crappy transmission results in poor performance. There are many scanners which ship with crappy software for free, and many ISVs use that crappy software, and give the industry a bad name. Add a quality software matcher to a quality reader and you have an entirely different experience.
To the poster who thinks that the bad guys will cut your finger off:
Modern readers don't allow dead fingers to work, so stop worrying. Plus, we are talking about retail POS usage, where a cashier *might* notice a bum holding a dead finger on the sensor...
To the poster who thinks that if he uses a finger to ID, that if he loses his finger, it's "game over":
Do you really think that they would be so stupid as to make the *only* way to ID you be your finger, without any alternative, albeit less convenient way? Every system has to handle the unenrollable, just like if you lost your smart card.
To the poster who thinks that if the hash for the fingerprint (not how it works, by the way) is cracked, he can't get another finger (this one always cracks me up):
The fingerprint is not the key - the finger is. The best systems don't *rely* on the fingerprint being kept a secret, despite the misconception that if compromised, you're toast. They create a binding from the sensor to the matching server that assures that no fingerprint can be inserted into that pipe. Again, your finger is the key, not your fingerprint. Fingerprints are public data for any quality finger matching system.
Before you start talking about latex overlays and gummi fingers (I read your mind, right?), know that the new readers also prevent gummi fingers from working, and the advanced software systems in the matchers require a much higher quality image than the weak algorithms that were fooled by earlier gummi attempts.
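
An added worked example, not part of the original comment: it shows how the two single-comparison False Accept Rates quoted above compound over repeated 1-to-1 attempts and over a cascading 1-to-many search. It assumes every impostor comparison is independent, and the tier sizes are constructed for illustration.

```python
import math

def p_any_false_accept(far, comparisons):
    """P(at least one false accept) across independent impostor comparisons.

    Equals 1 - (1 - far)**comparisons, computed stably for very small far.
    """
    return -math.expm1(comparisons * math.log1p(-far))

def attempts_for(prob, far):
    """Smallest number of 1-to-1 impostor attempts with P(false accept) >= prob."""
    return math.ceil(math.log1p(-prob) / math.log1p(-far))

def cascade_false_match(far, tiers, enrolled_tier=None):
    """False-match probability for one probe in a cascading 1-to-many search.

    tiers: gallery sizes searched in order, local first. The search stops at
    the tier where the probe is enrolled; an unenrolled probe reaches every tier.
    """
    if enrolled_tier is None:
        impostor = sum(tiers)
    else:
        impostor = sum(tiers[:enrolled_tier + 1]) - 1  # exclude the probe's own record
    return p_any_false_accept(far, impostor)

# FARs are the two figures quoted in the comment; tier sizes are hypothetical.
FARS = {"1 in 10,000": 1e-4, "1 in 200 million": 5e-9}
TIERS = [5_000, 500_000, 5_000_000]  # store, region, national (constructed)

def report():
    """One row per FAR: (label, attempts for 50%, local-hit risk, full-cascade risk)."""
    rows = []
    for label, far in FARS.items():
        rows.append((label,
                     attempts_for(0.5, far),
                     cascade_false_match(far, TIERS, enrolled_tier=0),
                     cascade_false_match(far, TIERS)))
    return rows

if __name__ == "__main__":
    for label, n50, local, full in report():
        print(f"{label:>17}: {n50:>11,} attempts for 50% | "
              f"local-tier false match {local:.2e} | full cascade {full:.2e}")
```

The per-comparison rate is what a 1-to-1 check keyed by a phone number sees on each attempt; a 1-to-many search multiplies the number of comparisons by the gallery size, which is why the same matcher gives a different answer in each mode.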