by Someone1234
4116 days ago

> biometrics are a username, not a password.

Can you clarify what you mean by that? People like to parrot it, but few if any will explain why they feel that way.

If you simply mean that you don't find it secure enough, wouldn't that really depend on the use-case? For example, what may not be secure enough to log into a DC, may be secure enough to let the secretary log into their computer which just has access to address books and calendars. It is all relative.

Some biometric systems are fairly secure, like fingerprints. The cost and skill required to extract and reproduce a fingerprint so it is scannable make it a non-trivial affair. While the security services and a dedicated adversary could, for 80%+ of normal computer users it is a non-threat.

Android's face unlock may have been trivially beaten but it reads like Microsoft are using multi-level photography (i.e. both IR for under-the-skin and visible light for on-the-skin) to extract a layered model of a person's face and head which could (maybe) prove harder to bypass with just a photograph.

Biometric data are not secret (face, fingerprints, voice), nor can they be changed.
That means they are easy to forge and hard to revoke when compromised, and at most they can be useful as identification, like your email, and not as a password.
I wonder why no one thought of biometric identification with a hardware token which plays a one-time tone outside the audible spectrum. That would be incredibly convenient for users and still quite resilient. Just throw in side channel auth like a phone message for unknown positions or devices and off you go.