I just loaded up Microsoft.com, and right there on the front page is an image that says "Tired of remembering passwords? Replace them with your fingerprint". Arg, must Microsoft be told about the evils of using your fingerprint for authentication too, or will they just have to wait until a customer calls and says, "A worm just sniffed my fingerprint and credit card number and sent them off. Now my credit is out of whack, and I can't change my fingerprint!"
Even Microsoft warns against using it for financial activity: "The Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities."
Let's reiterate: the only secure way to use a fingerprint is to place the reader on a smart card or USB key that does public-key encryption. That leaves no possibility for a man in the middle to sniff your fingerprint, and they can't even get at your public key. So why does Microsoft even try to sell a fingerprint scanner as a cure-all for the password problem?
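A sketch of the match-on-token design described above, added here as an illustration and not taken from the post or from any Microsoft product. `Token`, `Server` and `login` are hypothetical names, the RSA key is a toy built from two known Mersenne primes, and an exact byte comparison stands in for a real fingerprint matcher.

```python
# Added illustration: match-on-token login. Toy RSA, constructed values; not secure.
import hashlib, hmac, secrets

# Toy key from two known Mersenne primes (far too small/structured for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, stays on the token


def digest(nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


class Token:
    """Hypothetical smart card / USB key with its own fingerprint reader."""

    def __init__(self, enrolled_template: bytes):
        self._template = enrolled_template   # never leaves the token
        self._d = D                          # never leaves the token
        self.public_key = (N, E)             # registered with the server

    def sign(self, scanned: bytes, nonce: bytes):
        # Real matchers score similarity; exact compare stands in here.
        if not hmac.compare_digest(scanned, self._template):
            return None                      # wrong finger: no signature
        return pow(digest(nonce), self._d, N)


class Server:
    """Stores only the public key; issues a fresh challenge per login."""

    def __init__(self, public_key):
        self.n, self.e = public_key
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, signature) -> bool:
        nonce, self.nonce = self.nonce, None     # each challenge is single use
        if nonce is None or signature is None:
            return False
        return pow(signature, self.e, self.n) == digest(nonce)


def login(token: Token, server: Server, scanned: bytes):
    """Returns (accepted, wire): wire is everything a sniffer could capture."""
    nonce = server.challenge()
    sig = token.sign(scanned, nonce)
    return server.verify(sig), (nonce, sig)
```

The only values that cross the wire are a random challenge and a signature over it, so a captured exchange contains no fingerprint data and the signature is rejected against any later challenge.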


