I spent the last couple of years working for an advanced authentication infrastructure company that had biometrics as part of the solution...
There are multiple options in biometrics: facial, voice, fingerprint and iris are the most cost effective solutions AND non intrusive. Retinal scans are extremely accurate, but painful to the end-user. There are really two types of fingerprint systems, optical and IR-based. Optical is easy to fool and is basically two-dimensional when looking at minutia points. IR-based uses the saline between the layers of the skin to give more measurements and can include temperature, etc. For the purposes of physical access or even information access, a system that does not capture the actual image is far superior. The measurements are taken and stored as an algorithm which can not (to date) be reversed engineered to a viable fingerprint image. The algorithm is then encrypted (in some cases using 3-DES and Blowfish) and stored in a secure database. As for chopping off an individual's finger (a la "Alias" on ABC), that would work in most scenarios. Studies have shown the finger will provide a viable image for about two hours. Don't ask me how they did these studies -- I don't know and the thought of how kind of grosses me out! Hope this brief explanation helps. Jeff -----Original Message----- From: Kevin Brown [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 28, 2002 9:18 PM To: Daniel Ferguson; [EMAIL PROTECTED] Subject: RE: Physical Access Control No offense, but I think you've been watching too many spy movies. ;-) Realizing the millions invested in biometrics, someone has already considered this. Better biometric systems actually take into consideration things such as pulse, blood pressure, or body temperature. The bigger concern with biometrics is not the capturing of the biological data, but rather with how that information is stored on the computer. See, even though a fingerprint is very unique, the uniqueness of the fingerprint is not necessarily captured by the computer. If the biometric software only stores a dozen key points of reference, than cracking that becomes trivial. Also, if the database that the "digital fingerprint" is stored in is not well secured, it may be easy to capture and replicate that information. Of course, this is all hypothetical. I don't know of anyone actually exploiting these types of vulnerabilities. Think of it this way. If you don't mind a little cliché, a chain is only as strong as its weakest link. Your fingerprint is the strongest link in the biometric chain, so attack a different link. I'd be curious to hear from any folks on this list who work with biometrics to explain in better detail how these issues are addressed. These are concerns that were brought up to me at one time by another security professional. I'd be curious to hear someone help sort fact from fiction. Brownfox -----Original Message----- From: Daniel Ferguson [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 28, 2002 2:32 PM To: [EMAIL PROTECTED] Subject: RE: Physical Access Control fingerprint access control, i cant help you much on where to find the products im afraid.... but i have to say the idea of fingerprint control frightens me. If people break into your building and demand entry to a room, instead of the employee handing over for instance... a swipe card, the attackers simply have to chop off the finger. I know what id rather hand over... :)