
IMO, the big problem with biometrics is that they are non-revocable.



Sure it is, the same way a password is revocable: pull the "hash" out of the database you compare against.


How does IT issue you a new fingerprint?


Well, in most cases there are nine other digits you can use. That's probably a reasonable amount of redundancy.


I change my password more than 9 times a year, and I plan to live for more than one year.


That's not IT issuing you a new password, that's you changing it. The point is that biometrics are perfectly feasible as one of the two factors (instead of something you know) and can still be revoked.


I also don't leave my password on everything I touch.

Biometrics are a terrible idea. Password + token is much safer and infinitely revocable. And the server can even tell when an HOTP device has been cloned.
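
The clone-detection claim in the comment above, as an added example that is not from any commenter: a minimal RFC 4226 HOTP generator plus a server-side verifier that keeps the moving counter, accepts a small look-ahead window (so a token that was pressed without submitting still works), and flags any code that maps to an already-consumed counter as a replay/clone indicator. The names `HotpServer`, `HotpToken` and `simulate_clone` are this example's own; the secret is the RFC 4226 test-vector key, used here only as constructed sample input.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test-vector secret ("12345678901234567890"), used as a
# constructed sample key for this example. Real deployments use a random secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class HotpToken:
    """Simulated hardware token: a shared secret and a counter that only moves forward."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

    def clone(self) -> "HotpToken":
        # A clone copies both the secret and the current counter position.
        return HotpToken(self.secret, self.counter)


class HotpServer:
    """Server-side verifier. It remembers the next counter it expects and never
    accepts a counter it has already consumed; a match in the consumed range is
    what reveals a second device sharing the secret."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0            # next counter value expected from the token
        self.look_ahead = look_ahead
        self.events = []            # (event, counter) pairs worth alerting on

    def verify(self, code: str) -> str:
        # Normal path: the code belongs to the next counter or one shortly after
        # (the user may have generated codes that were never submitted).
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume everything up to and including c
                return "ok"
        # Suspicious path: the code matches a counter the server already consumed.
        # A legitimate token cannot regress, so this indicates replay or a clone.
        for c in range(max(0, self.counter - self.look_ahead), self.counter):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.events.append(("counter_reuse", c))
                return "reused"
        return "rejected"


def simulate_clone():
    """The legitimate token is cloned at counter 0, the owner logs in three times,
    then the clone is tried. Returns the verifier's verdicts and its alert log."""
    server = HotpServer(SECRET)
    real = HotpToken(SECRET)
    cloned = real.clone()                 # attacker's copy, still at counter 0
    results = [server.verify(real.next_code()) for _ in range(3)]
    results.append(server.verify(cloned.next_code()))  # counter 0 again -> flagged
    results.append(server.verify(real.next_code()))    # owner continues normally
    return results, server.events


if __name__ == "__main__":
    print(hotp(SECRET, 0))          # RFC 4226 vector: 755224
    print(simulate_clone())
```

The detection is symmetric: if the clone is used first, it advances the server counter and the real token's next codes land in the consumed range instead, so either way one of the two devices eventually presents a counter the server has already passed. Note that the consumed-range check is a signal, not proof: with six-digit codes a guessed value can collide with an old counter by chance, so treat repeated `counter_reuse` events as the alert condition.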


That, and not the revocability, is the core of the problem. It also comes back to a foundation of security: something you have and something you know.

Personally, I think most biometrics are bunk, unless you use multiple (fingerprint, iris, etc) along with some kind of password.


Super Glue and Silly Putty


A white-hot knife to the finger?


It's really only workable when authing to the device. Not over a network. I'd basically assume that anyone can forge your biometric info, so it's only applicable in scenarios where the forgery is hard to execute.


And it also leads to issues like Minority Report, where instead of someone stealing your wallet, they steal your eyeballs :(


Of course it is, you use the biometric signature to sign certificates that you can revoke.



