At 11:37 AM 12/1/97 -0800, Paul Pomes wrote:
Thomas J. Drury walks up to the automated-teller machine in his suburban office and swipes his bank card. Instead of punching in a secret code, however, he stares straight ahead. The machine verifies his identity by looking at his eyes.
If Mr. Drury, chief executive officer of Sensar Corp., and his colleagues have their way, this eye-scanning technology will become standard equipment on ATMs around the world. It is being tested by NCR Corp. and Citicorp, among others.
As wonderful as eye scanning technology may sound, it promises to offer very weak identification and only be reliable in the short run. This is based on the premise that a reproduction of an eye will work as well. Just as a reproduction of a driver's license seems to work for check forgery. PINs offer security based on the fact that they are a secret. Not a shared secret. For comparison, take a look at the authentication procedure of the SSA and Wells Fargo bank. Over the internet, both want Social Security Number Date of Birth Mother's Maiden Name Imagine a bank machine requesting the same info as the only prerequisite for dispensing cash! This info might have been a method of secure authentication about the time I was born, but today, such info is almost common knowledge. This no longer is a secret, too many people have the info. Widespread use of eye scanners will provide the same results. As databases are built, and sold, the raw info becomes available and automated tellers become excellent targets for fake authentications. If you get it wrong, you just walk away. Eye scans may help aid authentication, but they should not take the place of PINs. -- Robert Costner Phone: (770) 512-8746 Electronic Frontiers Georgia mailto:pooh@efga.org http://www.efga.org/ run PGP 5.0 for my public key