The Difference Engine: Dubious security
Authentication of a person is usually based on one of three things: something the person knows, such as a password; something physical the person possesses, like an actual key or token; or something about the person’s appearance or behaviour. Biometric authentication relies on the third approach. Its advantage is that, unlike a password or a token, it can work without active input from the user. That makes it both convenient and efficient: there is nothing to carry, forget or lose.
The downside is that biometric screening can also work without the user’s co-operation or even knowledge. Covert identification may be a boon when screening for terrorists or criminals, but it raises serious concerns for innocent individuals. Biometric identification can even invite violence. A motorist in Germany had a finger chopped off by thieves seeking to steal his exotic car, which used a fingerprint reader instead of a conventional door lock.
Plus, you can also fake out scanners with digits made from Play-Doh or gelatin (after which, especially for the latter, you could eat the evidence). Still waiting for that one to show up on CSI.
Missing from the article is another downside of biometric authentication: the inability to change the credential once it is compromised (by a Play-Doh finger or whatnot). I can always change my password or get a new key; I can’t change my fingerprint.