
Comment Re:Biometrics: lamest of all security protocols (Score 1) 253

While biometrics themselves are not "revocable", there are multiple technologies that allow creation of revocable tokens from them. Systems that use revocable biometric tokens (biotokens) can then have different representations in each database, and when one is compromised it can be revoked and replaced. They can have expiration dates and such, much like a digital certificate. (And revoking is similar: the data still exists, it is just no longer used.) These are all 2 factor (you at least have to enter an identity to verify against, so they can look up the "transform" data), and have a number of advantages. While passwords are easy to change, they are also easier to steal/crack.

All the people doing revocable biometric tokens (there are many, ask Google) work to ensure one cannot recover data that matches with the original. Biometrics companies that say the template is sufficient since it is not invertible to the image are technically correct, but misleading. It does not have to be the original, just match with it. Never trust a company that says it, or better yet call them on it publicly.

Of course biometrics can be compromised in other ways and no single-factor "biometric" solution should be viewed as security-- that is a pure convenience thing. When combined with other factors, and done so that neither factor is stored separately, then revocable biometric tokens do add to security.

Full disclosure: I'm leading a startup company in this space (http://www.securics.com/) -- we are looking for some good biometrics and software developers (embedded Linux anyone?). You can complain about these things or try to help make them better. Complainers need not apply.
