Why isn't a digital security fingerprint as bad as a fixed password?

[Fidcal]

Why isn't a digital security fingerprint as bad as a fixed password?

 

Fast forward 10 years. Suppose I join Amazon and have to input my fingerprint. Amazon would then have a digital representation of my fingerprint. Then I join Asda, fanfiction.net, Darkmod forums, credit card, bank account, whatever. After a few years there are scores, perhaps hundreds of copies of my fingerprint around the world. Now, it is recommended that you use a different password for every registration and even change it now and again, especially after a security breach. But we can't change our fingerprint. Should any hacker get a copy of my fingerprint then can they not upload that to hack into any of my accounts?

 

So... what am I missing here? Is it something to do with the fingerprint reader that authenticates itself as 'live'? What if that can be duplicated? I've bitten my fingernails down to the bone worrying about this!

[Destined]

I think, a digital fingerprint scan can work, if you transcribe the fingerprint into a password. That way, you create an individual password depending on the algorithm used. That way you do not really have the fingerprint itself stored, but a password. For increased security you could also change the algorithm with every login. That way the user changes the password everytime he uses it, without even knowing/realising it.

A similar way is used by a friend of mine. She creates her passwords including the use of it. That way she only needs to remember a key component, adds the use and still has an individual password for each service she uses. Of course with a transcrition algorithm the resulting password is way more complex, than what she does.

 

The only danger I can see here is, that you could recreate the fingerprint if you know the algorithm that was used to transcribe it. But that might also not be a problem, depending on which parts of the fingerprint is actually used. You could only recreate the points of the fingerprint used, but not the fingerprint itself. If one service always uses the same characteristics, but each other service a different set, you would need a lot of different services to recreate the whole fingerprint '(if at all possible)

 

So in short: as long as you do not store the whole fingerprint itself, but only use some key features for a password creation, it should be safe.

[Melan]

Remember that puzzle from the first System Shock where you have to activate a retina scanner with some guy's severed head?

 

Yeah.

[161803398874989]

Service with proper security measures never store their passwords in plain text. They store their passwords hashed. A hash is a function that scrambles a string uniquely, meaning the same string always becomes the same scramble, and no two strings have the same scramble. So rather than sending the password to the server, you sent your scrambled password to the server, which then compares it to the scrambled password it has stored in its database, all the while never knowing your actual password. Then also you want each hashed password to be salted, which means it uses a piece of unique info (like the website name) to influence the hashing function, so that even if two different users have identical passwords, they end up with a different scramble.

[Fidcal]

So, Destined, the fingerprint scan is only local to the pc or device to authenticate the sending of a password and not the fingerprint itself? And the pc/device will only accept the fingerprint scan direct from the scanner.

 

So... a trojan reads that scan and uploads it to the hacker who stores it in his own fake scanner to trick Windows into thinking its a direct scan.

[SteveL]

So, Destined, the fingerprint scan is only local to the pc or device to authenticate the sending of a password and not the fingerprint itself? And the pc/device will only accept the fingerprint scan direct from the scanner.

 

So... a trojan reads that scan and uploads it to the hacker who stores it in his own fake scanner to trick Windows into thinking its a direct scan.

 

Hang on, you just moved the goalposts quite a bit there! If all those sites have a copy of your fingerprint, then it's far less secure than a password, agreed. But if they don't have a copy, they just have a unique one-way hash of your fingerprint that's generated by your own software, then your example problem is solved: someone hacking one of those sites will not have a copy of your FP and won't have access to any other of your logins.

 

Your original point is still a problem though: Identity theft is always incredibly hard to repair but biometric data theft is impossible to repair.

 

I have no idea how these systems work in reality, but (throwing out random ideas) suppose the fingerprint scanner is hardwired and non-programmable, so it's unhackable and only outputs hashes made using a public key supplied by each site. Problem solved?

 

None of this will stop someone stealing your finger or eye as suggested by Melan

[jaxa]

two-factor authentication is the ideal security model. just don't lose your phone/dongle

[Destined]

So, Destined, the fingerprint scan is only local to the pc or device to authenticate the sending of a password and not the fingerprint itself? And the pc/device will only accept the fingerprint scan direct from the scanner.

 

So... a trojan reads that scan and uploads it to the hacker who stores it in his own fake scanner to trick Windows into thinking its a direct scan.

 

I would agree with SteveL: As long as the scanner does not save the fingerprint itself, but only reads out the data it needs, it is not possible to save/reconstruct your print.

If a trojan (or keylogger) is in play here, you would have the same problem with any authentification. As soon as you enter your password, the third party can get it. It would not make the fingerprint scan less safe than any other password, but also not any safer. The only upside then is convenience: You would not have to type in your password and could make the generated password longer than most people would make it, if they have to type it in (and as afar as I know password safety is mostly dependent on password length).

The question now is: should we use biometric data for passwords? As SteveL said: If this data is stolen at any point, the damage is irreparable. So we might just stick with our "old style" passwords. But the problem is: people are lazy. And if the fingerprint scan is more convenient, I believe that there will be quite a lot of people who would risk the security of their biometric data for a bit of comfort.

 

All in all, I think any security measure can be circumvented if you are creative (or ruthless) enough and have the skills needed.

[wesp5]

So how do Apple and Samsung handle this with their phones? Do they store the whole fingerprint or use the password approach you recommend?

Edited February 19, 2015 by wesp5

[Destined]

That is a good question. As far as I know, in these cases they only use the fingerprint to unlock the phone and that is why it is stored on the phone itself and not in any cloud. But that is as far as my knowledge goes. I have no idea how it is stored or how easy or hard it is to steal the fingerprint from the phone. Most likely it is stored in some encrypted way. Anything else would be more than carless.

[Professor Paul1290]

I think the only time I've seen fingerprints being commonly used on their own is to unlock a device, and in those cases it doesn't go anywhere.

 

In almost every other case I've seen fingerprints being used to access sensitive data or applications, they were not used on their own. Instead I've almost always seen them being used in addition to something else (such as a password) as part of some form of multi-factor authentication.

Edited February 20, 2015 by Professor Paul1290