Apropos to my last post (and, actually, inspired by a discussion of the same article), my fellow Microsoftie Alun Jones had the following to say, which I think does better than I ever could at highlighting some of the misconceptions around biometrics and authentication:
[We need to make the distinction between] using biometrics as the “claim” of identity, rather than the “proof” of identity.
Connecting to a secured resource requires both claim and proof. The claim is something non-revokable and public; the proof is something revokable and private. For instance, in your regular logon, the claim is the username, and the proof is the password. Your username does not need to be revoked if a security violation occurs, and its knowledge by others is not a security problem (it shouldn’t even contribute anything to a wider security problem); your password will need to be revoked (changed, usually) if a security violation occurs.
Similarly, with a fingerprint, hand measurement, face recognition or voiceprint, everything that biometrics measures there is public information (unless you’re in the habit of wearing gloves and a mask everywhere you go, in which case, I’m sure you have other problems), and non-revokable (if someone figures out how to make an exact copy of your fingerprints, you cannot be issued with another set; if you have a doppelganger somewhere, you cannot reasonably be expected to change your face).
There are other situations where a claim and a proof are paired together – subscribing to a mailing list, for instance, will require a claim of identity (“please subscribe someemailaddress to your wonderful mailing list”), followed by a proof of identity (“we have received a request to add your email address to our mailing list; please click the link below to allow this”).
Note that there are some schemes where the concept of claim and proof are intermingled to a point that they become inherently flawed – credit cards are the big example of this. To prove you are the holder of an account, you give over the account number. The account number is accepted as proof, and is revokable, but it’s public (you give it out to everyone you buy stuff from), and is a significant inconvenience to revoke.
I think Alun’s absolutely right, and folks who think that a thumbprint reader alone can provide authentication need to think again, preferably before they move forward with implementation. 🙂