jaime_lion Posted December 5, 2016 Share Posted December 5, 2016 So I am curious what is everyone's thoughts on Bio-metric password systems? Also on Bio-metric payment systems? I have used a few and I love them. The one I used had a UV light and a pulse sensor so you could not use a fake finger and it had to be alive. Quote Link to comment Share on other sites More sharing options...
Dec100 Posted December 5, 2016 Share Posted December 5, 2016 There are pros and cons, same as everything. One thing to consider is the moral aspect. For example, what if a retina scan detected signs of disease? Should the company check for things like that and warn people, or is that a breach of privacy? Also, what if the data is compromised? You can change a password or token easily enough, but you can't change your fingerprint. Quote Link to comment Share on other sites More sharing options...
Sebkinne Posted December 5, 2016 Share Posted December 5, 2016 In my opinion Biometrics should not be used for authentication, but for identification. They are a username, not a password. Fingerprint + pin / password? Absolutely. Quote Link to comment Share on other sites More sharing options...
jaime_lion Posted December 5, 2016 Author Share Posted December 5, 2016 1 hour ago, Dec100 said: There are pros and cons, same as everything. One thing to consider is the moral aspect. For example, what if a retina scan detected signs of disease? Should the company check for things like that and warn people, or is that a breach of privacy? Also, what if the data is compromised? You can change a password or token easily enough, but you can't change your fingerprint. The system I used the bio-metric data was not stored on servers or such. It would read your fingerprint and send the information to the servers and get the code assigned to it. If the servers were hacked the codes could not be turned into fingerprints or anything useful. 54 minutes ago, Sebkinne said: In my opinion Biometrics should not be used for authentication, but for identification. They are a username, not a password. Fingerprint + pin / password? Absolutely. Will just say I have never forgotten my fingerprint at home or had a case of stupid and misspelled it or lost it. Also this is a big reason you guys get paid the big bucks to make sure to secure against the "bad guys". I practice martial arts and one of the big reason I liked the finger print payment system I used was cause no one could get my wallet from me. Also the system was not set up so you could get money from it. Quote Link to comment Share on other sites More sharing options...
Sebkinne Posted December 5, 2016 Share Posted December 5, 2016 9 hours ago, jaime_lion said: Will just say I have never forgotten my fingerprint at home or had a case of stupid and misspelled it or lost it. Also this is a big reason you guys get paid the big bucks to make sure to secure against the "bad guys". This is true, which is why it is arguably a good username. The big drawback is that if someone DOES get ahold of your fingerprint, palm print, retinal data, etc it is practically impossible to replace or reset them. You don't all of a sudden grow a new hand just because the other was compromised. This is why this data should only be used as a sort of "username". 9 hours ago, jaime_lion said: I practice martial arts and one of the big reason I liked the finger print payment system I used was cause no one could get my wallet from me. Also the system was not set up so you could get money from it. Lifting prints can be surprisingly easy if you aren't super careful. Having seen the work of a few teams on defeating biometric security, it's doubtful that they'll fight you for the information. Quote Link to comment Share on other sites More sharing options...
Mr-Protocol Posted December 5, 2016 Share Posted December 5, 2016 There are some pretty interesting ways to get fingerprints. ;-) Trust me. In short, fingerprints SHOULDN'T BE PASSWORDS! If anything, they should be equated to a user ID. What happens when your in a breach dump? Change your password. How do you change a fingerprint besides what was done in the movie M.I.B. Quote Link to comment Share on other sites More sharing options...
Dec100 Posted December 6, 2016 Share Posted December 6, 2016 I totally agree that bio-metrics should be for identification only, but, unfortunately, that's not what businesses want to hear when they raise it. They want to replace passwords. Incidentally, I recently saw a presentation from a company that is looking to replace passwords with a "profile" of user traits built up by many different aspects. For example, your phone's ID, fingerprint, how you swipe, how you hold it, where you are in the world, what time it is, etc, etc. The idea is that it takes all this input to give you a risk score, and if you don't make the set grade, you are prompted for a password or directed to call support (or whatever you choose based on the data you are protecting). It looked interesting, though we only saw controlled demos. Quote Link to comment Share on other sites More sharing options...
jaime_lion Posted December 6, 2016 Author Share Posted December 6, 2016 (edited) This is the device I used. http://www.welivesecurity.com/2013/10/24/new-fingerprint-id-system-scans-for-living-blood-and-is-solution-to-cybercrime-makers-claim/ Also if someone broke into the servers because fingerprint data is not stored on them there is nothing they could get. The reader reads the fingerprint and assigns a set of numbers to it. The numbers are what is stored in the server and you can not recreate a fingerprint from it. https://ebblink.com/ Here is there website they have switched gears a little and are focused on 2FA and secure sign on for IOT. The big thing I see with this stuff is it is way more secure than what we use now and pretty much everyone is ok with what we use now. Edited December 6, 2016 by jaime_lion Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.