iBank: RBS, NatWest first UK banks to allow Apple Touch ID logins

The_Idiot

I know...

... many other people have said this already. And said it a lot better than I ever could. But what the heck - I'm an Idiot. So I'll try anyway.

A fingerprint is not a password.

Note: I did not say a fingerprint cannot be _used_ as a password. I said it isn't one, because it fails most of the most (yes, I know I used most twice :-P) basic 'good practice' rules for a password. So what might they be:

1: Most security guidelines will tell you to implement a policy whereby passwords are subject to changes over time.

Fingerprint: FAIL.

2: Most security guidelines will tell you to use complex passwords.

Fingerprints overall are complex patterns: POTENTIALLY NON-FAIL.

Caveat: Many fingerprint readers and software use N-significant-point pattern reduction. N is potentially a low number, probably unknown to the user and outside the user's control. LOGICAL FAIL.

3: It should be possible to reliably reproduce a password when required. Fingerprint pattern reproduction (paper, fingerprint scanner etc) can and does have variable degrees of 100% reproduction, depending on temperature, finger pressure, scarring and the presence of the greasy remnants of late night finger food. Partly because of this, readers often reduce the complexity of the recognition problem with N-significant-point pattern reduction.

Fingerprint: See Point 2 - possible LOGICAL FAIL.

4: Most security guidelines will tell you not to write your password down on a real or metaphorical yellow sticky, and leave it where A N Other can find it. We write our fingerprints all over the bloody shop, whether we like it or not.

Fingerprint: FAIL.

For the sake of not appearing _too_ tin-foil hat-y, I'm going to ignore the ways widespread use of such a recognition process, coupled with Security Service, Police, Local Council and the nosy neighbour down the road access to such a system could be used to build a backdoor national fingerprint register.

To leave where I came in - if a fingerprint tells you anything, it may give you a confidence level that the mechanism presenting the fingerprint artifact is a specific individual. But while the level of confidence to assign, and the associated risk acceptance, is a matter for service providers - a fingerprint still isn't, or at least by any guidelines I ever came across, suitable as a BLOODY PASSWORD!

Yes. I'll shut up now. After all, I'm an Idiot.
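The contrast the post draws between a password (an exact, replaceable secret) and a fingerprint (a fuzzy, non-replaceable template matched against a confidence threshold) can be made concrete in code. The following is an added illustration, not code from the commenter, from The Register, or from any bank or Apple product: the minutiae tuples, the jitter applied to the "same finger" capture, the position and angle tolerances and the 0.75 acceptance threshold are all constructed toy values chosen to show the mechanism, not figures from any real reader.

```python
import hashlib
import hmac
import math
import os

# ---- Password: a derived value compared for exact equality; the secret can be replaced ----

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is a standard password-hashing construction; the
    # iteration count is kept low here only so the demonstration runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def check_password(stored: bytes, salt: bytes, attempt: str) -> bool:
    # Constant-time equality: the attempt either reproduces the secret exactly or it does not.
    return hmac.compare_digest(stored, hash_password(attempt, salt))

# ---- Fingerprint: a template reduced to N "significant points", matched with tolerance ----

def match_score(template, sample, pos_tol=3.0, angle_tol=10.0) -> float:
    """Fraction of template points (x, y, angle) that have a close-enough point in the sample.

    pos_tol and angle_tol are assumed tolerances; a real matcher's values are
    vendor-specific and, as the post notes, usually unknown to the user.
    """
    matched = 0
    for (tx, ty, ta) in template:
        for (sx, sy, sa) in sample:
            if math.hypot(tx - sx, ty - sy) <= pos_tol and abs(ta - sa) <= angle_tol:
                matched += 1
                break
    return matched / len(template)

def verify_fingerprint(template, sample, threshold=0.75):
    """Return (accepted, score): acceptance is a confidence decision, never an exact match."""
    score = match_score(template, sample)
    return score >= threshold, score

# Constructed enrollment template: N = 8 significant points (deliberately small).
ENROLLED = [(10, 10, 45), (20, 35, 90), (33, 12, 120), (40, 40, 30),
            (55, 22, 75), (62, 50, 160), (70, 15, 10), (80, 44, 100)]

# Constructed later capture of the same finger: pressure/temperature jitter of a pixel or two.
SAME_FINGER_NOISY = [(x + 1, y - 1, a + 3) for (x, y, a) in ENROLLED]

# Constructed capture of a different finger: same N, different geometry.
OTHER_FINGER = [(12, 60, 200), (25, 5, 15), (47, 30, 250), (52, 58, 60),
                (66, 8, 330), (73, 36, 140), (85, 60, 20), (90, 25, 180)]

def demo():
    salt = os.urandom(16)
    stored = hash_password("correct horse battery staple", salt)
    return {
        "password_exact": check_password(stored, salt, "correct horse battery staple"),
        "password_typo": check_password(stored, salt, "correct horse battery stapel"),
        # Treating the biometric like a password (exact comparison) fails on a genuine user...
        "fingerprint_exact": SAME_FINGER_NOISY == ENROLLED,
        # ...so the reader must accept on a score instead.
        "fingerprint_fuzzy": verify_fingerprint(ENROLLED, SAME_FINGER_NOISY),
        "fingerprint_other": verify_fingerprint(ENROLLED, OTHER_FINGER),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two properties of the post's argument fall out of this directly: the password check has no tolerance parameter and a compromised password is handled by storing a new hash, whereas the fingerprint path has to carry `pos_tol`, `angle_tol` and `threshold` (the "confidence level" the post describes, set by the service provider) and there is no equivalent of re-hashing a new secret for `ENROLLED`. Widening the tolerances to cope with worse captures also widens the set of samples that score above the threshold, which is why a small N is a concern.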
