Just read this interesting research paper published by Prof. Bobby Tait and Prof. Basie von Solms of the University of Johannesburg (South Africa), explains how a person’s biometric fingerprints/Iris scans can be used as a protocol to perform private key based encryption and digital signatures.  The paper describes a biometric middleware infrastructure (BioVault) which requires users to performs biometric authentication for generating or retrieving a random key from user’s keystore. The selected key is used to perform the required encryption or signature operation. If Alice and Bob exchanges messages using their secret key they are required to authenticate with biometrics. The only advantage of this process is the user don’t need to remember a password or carry a smartcard/PIN to support accessing their keystore – as it uses fingerprint or Iris pattern based authentication prior to initiating the operations.

I am not sure, how accurate the solution will be given the “False Acceptance Rate (FAR)” with Biometrics especially with Fingerprints.  With all the highest accuracy, as I noted…. Iris recognition’s FAR is 1 in 1.2 million and with Fingerprints FAR may occur 1 in 100,000.   And there is no guidance on …how reliable is the solution in case of a MITM attack that compromises the user’s biometric sample….? Still It is an interesting work – but in my opinion using a conventional PKI based solution has its own security advantages over the several inherent reliability issues with biometric authentication.