Udostępnij za pośrednictwem

Are Fingerprints a Good Authentication Factor?

  • Artykuł

My previous post refered to a new keyboard that Microsoft is now selling that has a fingerprint reader.  The software and hardware in this package combine to allow fingerprint-based authentication to replace passwords for various systems.  Apparently, the software stores encrypted copies of your password, and decrypts and enters them when require after the right fingerprint is observed on the reader.  The key thing is that the software that comes with this device only authenticates the user to the local machine, it does not authenticate a user to the domain.

There has been a fair amount of conversation about fingerprints as authentication tokens inside Microsoft recently, and I would like to provide my 2 cents.  Please remember that this is just me speaking on my behalf, and does not represent the views of Microsoft or anyone inside Microsoft.

There is some question whether finger prints are a really good form of biometric authentication.  I've heard stories of Xerox copies of fingerprints actually being read.  If you are really dedicated, you could cut off the target's finger and thereby obtain his/her password (although if you are in a position to remove someone's finger, perhaps you could just hold the target at knifepoint and have him/her authenticate for you!).  We've all seen the scenes in the movies where someone lifts someone's fingerprints and uses them for access to some "super secure" resource.  I know that these are probably all fantasy scenarios, but fingerprint readers do seem among the easier to attack forms of biometric authentication.

That said, does this mean that fingerprint readers have no place in a moderate to highly secure environment?  I'd say "no" for the following reasons.  Fingerprints can be a good authentication factor when combined with other factors.  For instance, fingerprints and a passphrase or fingerprints and a RFID token would be (IMO) a fairly good system, and certainly better than passwords alone (assuming password strength is the same in both scenarios).  Certainly, fingerprints with two or more additional factors just keeps improving the authentication level.  In addition, it's easy to say that a bad guy could cut off the CEO's finger or lift his fingerprint and use it to authenticate as him/her, but it's harder to actually do.  It's a harder attack to pull off, and can thwart the mildly curious if not the experienced spy.  Finally, reusable passwords are typically pretty crummy auth factors, but when combined with other factors, they aren't so bad.  Almost all two-factor auth systems rely on something you know, and this is not considered weak security.  The same can hold true for fingerprints.

Are fingerprints the best biometric authentication type available?  I don't think so.  I particularly am intrigued by a system called BioID from HumanScan (www.humanscan.de).  The system uses voice recognition, face recognition, and mouth movement for authentication.  Combine this with a RFID or password/phrase, and you may have something.  Even still, one can think of theoretical ways to break this system.

So what is the future of biometrics?  Should we just forget about them and stick with tokens or smartcards?  What are your thoughts?

Comments

  • Anonymous
    November 23, 2004
    For home use I think this device would be a real convenience.

    I'd say the big problem for any biometric device in a highly secure environment is that you have to trust the input device. Just like there exist keyboard loggers today, there will exist biometric data recorders tomorrow. The only way I would trust a biometric device in the general case (public terminals etc) would be if I had my own personal input device which encrypts data itself and communicates over a secure channel with the server against which it is authenticating.

  • Anonymous
    November 23, 2004
    The comment has been removed
  • Anonymous
    November 23, 2004
    The comment has been removed
  • Anonymous
    November 23, 2004
    I like the concept of multiple fingerprints in order. However, does this mean you need to have an account lockout to prevent the bad guy from exhaustively trying every combination of your severed fingers?!

    Bill
  • Anonymous
    November 23, 2004
    The problem with fingerprints as an authentication factor is that you can't change 'em and you can't hide 'em. Why would you want to change the token you use to authenticate? Well, the suthentication software isn't actually using your fingerprints to authenticate against... they're using a stream of digital signals derived from them. If someone can get a copy of that stream, and a compromised scanner, they can use them in a replay attack. If someone can get a picture of your fingerprints, they can scan it and try and reproduce that stream.

    If you're giving them a revokable password, you can change your password, but how do you change your fingerprints?

    The idea of a personal input device is a good one, but rather than using the biometric information as the authentication token, keep your certificates and other cryptographic keys in that device, and use your fingerprint as a mechanism for unlocking it. That way you can revoke a compromised certificate while still have biometric security for the "keychain" device.

    Unlike a conventional smartcard, the "keychain" device would not be the token itself: you would load keys into it at an appropriate station (for example, you could copy your bank keys at an ATM, or the ones to unlock your computer at the computer itself). You could copy your keys into one for your purse, one for your glovebox, one in your desk at work, so you wouldn't have to worry about losing it, or having stacks of cards to carry around, or worry about your keys being compromised if someone got the card...
  • Anonymous
    November 23, 2004
    Easy, we can file them off like we can MAC addresses on NICs.
  • Anonymous
    November 23, 2004
    How about an Assprint with the Xerox AssJet.
  • Anonymous
    November 23, 2004
    The comment has been removed
  • Anonymous
    November 23, 2004
    The comment has been removed
  • Anonymous
    November 24, 2004
    I was recently fingerprinted (not for a crime but rather for my CCW) and the person doing it said that it is harder to fingerpring elderly people since some of their fingerprints are worn down somewhat.



    It was interesting that no ink was involved in my recent experience. It was all done with an optical scanning machine. The results were fantastic.
  • Anonymous
    November 25, 2004
    The comment has been removed
  • Anonymous
    December 03, 2004
    Here is an interesting video (in German with sub-titles) about how simple it is to outsmart single-factor fingerprint-based authentication:ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg

    Bill