> "Biometrics are unique identifiers, but they are not secrets. You
> leave your fingerprints on everything you touch, and your iris
> patterns can be observed anywhere you look."

That statement may be a bit misleading. The better (although certainly not
all) biometric devices look for information other than the visible points.
Such scanners routinely check for body heat as a backup verification that
there is a warm body behind the validation attempt, and some advanced
retinal scanners check for minute changes over a few seconds indicating
blood flow through the blood vessels in the eye.

Sure, you can spoof either method using a very advanced technology to
simulate this stuff, but the spoofer would need to get a nearly perfect
specimen of what he is trying to duplicate. Of course we leave fingerprints
everywhere, but you have to get enough matching points to duplicate it.
This is often difficult unless you are trained and know exactly where to
look, how to lift them, and how to transfer them. Retinal images are even
more difficult. You're talking about getting an exact image of a surface
maybe an inch wide looking through an opening ranging from a quarter to
three eighths of an inch wide. Getting that at close range is difficult
enough. Trying to get that from long range is nearly impossible.

However, encryption of the readings by the scanner is important. I know
that the current generation of fingerprint scanners does not transfer the
image of the print, but instead an encrypted string that encodes the points
of the fingerprint by an established algorithm. This algorithm is
strengthened or weakened based on how accurate you need the scanner to be.
At the highest setting, you can spend five minutes trying to use that method
to log in (assuming you don't give up and just switch to passwords) if you
haven't washed your hands, the scanner is dirty, you've nicked your finger,
or any of a number of other things. At the lowest setting, it's supposed to
be fairly easy to spoof. Picking a range in the middle allows for some
speed and accuracy, at the cost of security. Your choice, and as always,
YMMV.
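
The sensitivity trade-off described in the post above, as an added example that is not part of the original post and is not any scanner vendor's algorithm: a toy minutiae matcher scored against three acceptance thresholds. The template points, the matching tolerances and the threshold values 0.25, 0.5 and 0.9 are constructed assumptions chosen for illustration.

```python
import math

# Constructed minutiae (x, y, ridge angle in degrees); illustrative, not real prints.
ENROLLED = [(10, 12, 30), (25, 40, 90), (40, 18, 150), (55, 60, 45),
            (70, 35, 120), (82, 75, 10), (15, 80, 200), (60, 90, 300)]
GENUINE = {  # same finger, presented under different conditions
    "clean": [(11, 13, 32), (24, 41, 88), (41, 17, 155), (56, 61, 40),
              (69, 36, 118), (83, 74, 12), (16, 79, 205), (61, 91, 296)],
    "nicked": [(11, 13, 32), (24, 41, 88), (41, 17, 155), (79, 35, 120),
               (83, 74, 12), (16, 79, 205), (61, 91, 296)],
    "dirty": [(11, 13, 32), (41, 17, 155), (69, 36, 118), (83, 74, 12),
              (61, 91, 296)],
}
IMPOSTOR = {  # probes that should be rejected
    "other_finger": [(10, 14, 35), (30, 30, 10), (50, 50, 270), (70, 37, 110),
                     (90, 20, 60), (20, 60, 180), (45, 85, 100), (75, 95, 330)],
    "half_of_points": [(10, 12, 30), (25, 40, 90), (40, 18, 150), (55, 60, 45)],
}

def match_score(enrolled, probe, dist_tol=4.0, angle_tol=15.0):
    """Fraction of enrolled minutiae paired with a distinct probe minutia."""
    used, paired = set(), 0
    for ex, ey, ea in enrolled:
        for i, (px, py, pa) in enumerate(probe):
            d_angle = abs((ea - pa + 180) % 360 - 180)  # wrap-around difference
            if (i not in used and d_angle <= angle_tol
                    and math.hypot(ex - px, ey - py) <= dist_tol):
                used.add(i)
                paired += 1
                break
    return paired / len(enrolled)

def error_counts(threshold):
    """Return (false_rejects, false_accepts) when accepting score >= threshold."""
    fr = sum(match_score(ENROLLED, p) < threshold for p in GENUINE.values())
    fa = sum(match_score(ENROLLED, p) >= threshold for p in IMPOSTOR.values())
    return fr, fa

if __name__ == "__main__":
    for name, t in (("lowest", 0.25), ("middle", 0.5), ("highest", 0.9)):
        fr, fa = error_counts(t)
        print(f"{name:8} threshold={t:.2f} false_rejects={fr}/3 false_accepts={fa}/2")
```

On this constructed data the highest threshold rejects the nicked and dirty presentations of the enrolled finger, while the lowest accepts both probes that should be rejected.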