Pay by Person: What Biometrics Means to PayPal - palibra
http://blogs.mcafee.com/consumer/pay-by-person-what-biometrics-means-to-paypal

======
therobot24
Disclaimer: I'm currently doing my PhD in biometrics, so I'm a bit biased.

Retinal scan is invasive, difficult to separate users with, and just unnecessary
given current tech to ever be used again. Face recognition is doing very
well, and latent fingerprint is getting better and better, so using one or
the other (IMHO) doesn't really matter at this point. What does bother me is
that McAfee doesn't address larger issues:

- How are you preventing spoofing? What kind of liveness tests are done? (I
guess not wanting to reveal this could be security protocol, and the absence of
evidence is not the evidence of absence, but I'm assuming that more than the
average person would come to the conclusion that a fingerprint or face can be
spoofed.)

- Two-factor authentication is good, but 2-layer security is bad: if people
have to use their fingerprint AND a PIN, they'll get lazy and revert to one or
the other. There are several papers on biometric key generation where a
biometric is used to build a certificate-key authentication. Heck, there are
even papers where the key is embedded into the biometric template. Biometrics
are already walking a fine line between privacy and security; an easy and
positive experience will go a long way in continued use and development.

- Scaring people that hackers are going to steal your fingerprint: templates
do not need to be stored as a raw image/minutiae points/facial features/etc. I
think this goes back to the certificate-key relationship. Use biometrics to
build these; storing a raw template doesn't make much sense unless it's on an
NSA server behind TS/SCI walls.


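The "biometric key generation" idea from the comment above, as an added toy illustration (not part of the thread, not any vendor's code): a fuzzy commitment binds a random key to a noisy bit-string template using an error-correcting code, so the server stores only a helper string and a key hash, never the raw template. The repetition code, 16-bit key and the sample template are constructed stand-ins for the codes and feature vectors used in the literature.

```python
import hashlib
import secrets

REP = 5                 # each key bit is repeated 5 times -> tolerates 2 flips per block
KEY_BITS = 16           # toy key length; real schemes bind 128+ bits
TEMPLATE_BITS = KEY_BITS * REP

# Constructed deterministic "biometric template" (a 0/1 feature vector).
SAMPLE_TEMPLATE = [(i * i + i // 3) % 2 for i in range(TEMPLATE_BITS)]


def encode(key_bits):
    """Repetition-code encoder: key bit -> REP identical codeword bits."""
    return [b for b in key_bits for _ in range(REP)]


def decode(codeword):
    """Majority vote per block; corrects up to REP // 2 flipped bits per block."""
    return [1 if sum(codeword[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(codeword), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def key_hash(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def enroll(template):
    """Bind a fresh random key to the template. Only `record` is stored."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = xor(encode(key), template)     # one-time-pad-like: hides both key and template
    return {"helper": helper, "key_hash": key_hash(key)}, key


def authenticate(record, reading):
    """Recover the key from a fresh, possibly noisy reading; None on failure."""
    candidate = decode(xor(record["helper"], reading))
    if key_hash(candidate) != record["key_hash"]:
        return None
    return candidate


def flip(bits, positions):
    """Simulate sensor noise by flipping the given template bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out
```

A reading that differs from enrollment by at most two bits per five-bit block still releases the key; a wrong biometric (or a stolen helper string alone) yields a candidate whose hash does not match.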