Biometrics Are NOT Passwords, Dammit!

Today in Stupid Extensions of Biometric Authentication: this item from Sophos.  Brainprints will apparently be the new fingerprints.

Here is what the press (and from the looks of it, half the security industry) seems unable or unwilling to get: you cannot change your biometrics.  You cannot ever change your fingerprints.  Nor can you ever change your iris, your retina, your "brainprint," or any of the other too-clever-by-half schemes researchers may yet dream up for biometric authentication.

In fact, the whole idea of two-factor authentication has traditionally been based on "Something you know, something you have, something you are... pick two."  We need to drop the last, and go with "Something you know and something you have" - period.

Fingerprints are already easier to steal than a password ever was.  Digital photography is probably good enough by now that iris patterns are equally easy, and retinal scans from afar cannot be that far behind.  What was that twinkle?  Oops, too late.  Once the "brainprint" technology is usable, its targets will be equally pilferable.

Just because it looked cool in 1970s sci-fi does not mean it's truly going to be valuable in this century.