My previous post refered to a new keyboard that Microsoft is now selling that has a fingerprint reader. The software and hardware in this package combine to allow fingerprint-based authentication to replace passwords for various systems. Apparently, the software stores encrypted copies of your password, and decrypts and enters them when require after the right fingerprint is observed on the reader. The key thing is that the software that comes with this device only authenticates the user to the local machine, it does not authenticate a user to the domain.
There has been a fair amount of conversation about fingerprints as authentication tokens inside Microsoft recently, and I would like to provide my 2 cents. Please remember that this is just me speaking on my behalf, and does not represent the views of Microsoft or anyone inside Microsoft.
There is some question whether finger prints are a really good form of biometric authentication. I’ve heard stories of Xerox copies of fingerprints actually being read. If you are really dedicated, you could cut off the target’s finger and thereby obtain his/her password (although if you are in a position to remove someone’s finger, perhaps you could just hold the target at knifepoint and have him/her authenticate for you!). We’ve all seen the scenes in the movies where someone lifts someone’s fingerprints and uses them for access to some “super secure” resource. I know that these are probably all fantasy scenarios, but fingerprint readers do seem among the easier to attack forms of biometric authentication.
That said, does this mean that fingerprint readers have no place in a moderate to highly secure environment? I’d say “no” for the following reasons. Fingerprints can be a good authentication factor when combined with other factors. For instance, fingerprints and a passphrase or fingerprints and a RFID token would be (IMO) a fairly good system, and certainly better than passwords alone (assuming password strength is the same in both scenarios). Certainly, fingerprints with two or more additional factors just keeps improving the authentication level. In addition, it’s easy to say that a bad guy could cut off the CEO’s finger or lift his fingerprint and use it to authenticate as him/her, but it’s harder to actually do. It’s a harder attack to pull off, and can thwart the mildly curious if not the experienced spy. Finally, reusable passwords are typically pretty crummy auth factors, but when combined with other factors, they aren’t so bad. Almost all two-factor auth systems rely on something you know, and this is not considered weak security. The same can hold true for fingerprints.
Are fingerprints the best biometric authentication type available? I don’t think so. I particularly am intrigued by a system called BioID from HumanScan (www.humanscan.de). The system uses voice recognition, face recognition, and mouth movement for authentication. Combine this with a RFID or password/phrase, and you may have something. Even still, one can think of theoretical ways to break this system.
So what is the future of biometrics? Should we just forget about them and stick with tokens or smartcards? What are your thoughts?