Fingerprints as authentication

Authentication is an interesting component of network security. In order to be granted (or denied) access to a resource, a user must be uniquely identified. In other words, a user must be able to prove that they are who they say they are.

This is critical in a business (and elsewhere) for many reasons: confidential information is displayed only to users with permission to view it, logs can affirmatively identify who has accessed specific data files, banks can ensure that the person requesting a funds withdrawal is on the list of approved users for the bank account, and so on.

Authentication is separate from Authorization, which determines what an authenticated user is allowed to access.

Typically, authentication is based on one or more of the following:

  • Something you have (Smart Card, Token, etc)
  • Something you know (Password, PIN, etc)
  • Something you are (Fingerprint, DNA, Retinal Patterns)

Authentication must be able to uniquely identify a user, using a shared secret.  The key word being secret...  Once your authentication credentials are no longer secret, they can no longer uniquely identify a user.  A password that is written on a sticky note and placed under a keyboard is no longer secret.  A smart card that is lost is no longer secret.

In this post, I would like to cover the last one, something you are. Many new laptops are coming with fingerprint readers that will allow you to log on to your computer without a password. Just swipe your finger over the reader and you are logged in.

Great for convenience, horrible for security.  They work fine for Joe Home User with a computer used to store pictures of Fluffy the Cat, but should NEVER be used as the sole method of authentication in an enterprise environment.

You see, fingerprints are not secret.  You leave them around everywhere you touch.  Your "secret" is on your keyboard, on your iPod, on your door handle, on your table, on your car.  It is a relatively trivial task to lift a fingerprint and reproduce it.  Put that reproduction on a gummy bear or some ballistics gel, and as Mythbusters showed... you can now "authenticate" to most fingerprint scanners on the market.

There are a few other problems involved with using fingerprints as authentication...

  • They work just as well separated from their owners as they do when attached
  • Your options for revoking a fingerprint are quite limited
  • Your options for replacing a fingerprint are nonexistent

The solution?  Multi-factor authentication.  Use a smart card with a PIN.  The certificate on the smart card can be revoked if compromised, and the PIN can be changed.  A token along with a password will only allow login with both factors present.  Even passwords and passphrases are quite secure.  You can read more than you ever wanted to know here
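The token-plus-password login described above, as an added example that is not from the original post. It assumes the token is a time-based one-time-password (TOTP, RFC 6238) generator; the `Account` class, its methods and the sample secrets are hypothetical.

```python
import hashlib
import hmac
import os
import struct

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code a token shows at unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    # Slow salted hash, so a stolen record does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    """Hypothetical account record holding two independent factors."""
    def __init__(self, password, token_secret):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.token_secret = token_secret  # None means the token is revoked

    def login(self, password, code, now):
        # Something you know: constant-time comparison of password hashes.
        knows = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        if self.token_secret is None:
            return False
        # Something you have: accept current and previous step for clock drift.
        has = any(hmac.compare_digest(totp(self.token_secret, now - drift), code)
                  for drift in (0, 30))
        return knows and has  # both factors must be present

    def replace_token(self, new_secret):
        # A lost token is revoked (None) or swapped; a fingerprint cannot be.
        self.token_secret = new_secret

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    old, new = b"constructed-secret-A", b"constructed-secret-B"
    acct = Account("correct horse battery", old)
    print("both factors:", acct.login("correct horse battery", totp(old, now), now))
    print("password only:", acct.login("correct horse battery", "", now))
    acct.replace_token(new)
    print("old token after replacement:",
          acct.login("correct horse battery", totp(old, now), now))
```
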

Comments (8)

  1. Shirish Goyal says:

    Please check the link…/design-and-implementation-of-fingerprint-authentication-system-image-enhancement for my latest posts on fingerprint acquisition and authentication and send me your feedback.
