Fingerprints as authentication

Authentication is an interesting component of network security. In order to be granted (or denied) access to a resource, a user must be uniquely identified. In other words, a user must be able to prove that they are who they say they are.

This is critical in a business (and elsewhere) for many reasons: confidential information is displayed only to users with permission to view it, logs can affirmatively identify who has accessed specific data files, banks can ensure that the person requesting a funds withdrawal is on the list of approved users for the bank account, and so on.

Authentication is separate from Authorization, which determines what an authenticated user is allowed to access.

Typically, authentication is based on one or more of the following:

  • Something you have (smart card, token, etc.)
  • Something you know (password, PIN, etc.)
  • Something you are (fingerprint, DNA, retinal pattern)

Authentication must be able to uniquely identify a user, using a shared secret. The key word is secret. Once your authentication credentials are no longer secret, they can no longer uniquely identify a user. A password written on a sticky note and placed under a keyboard is no longer secret. A smart card that is lost is no longer secret.

In this post, I would like to cover the last one. Many new laptops come with fingerprint readers that allow you to log on to your computer without a password. Just swipe your finger over the reader and you are logged in.

Great for convenience, horrible for security.  They work fine for Joe Home User with a computer used to store pictures of Fluffy the Cat, but should NEVER be used as the sole method of authentication in an enterprise environment.

You see, fingerprints are not secret.  You leave them around everywhere you touch.  Your "secret" is on your keyboard, on your iPod, on your door handle, on your table, on your car.  It is a relatively trivial task to lift a fingerprint and reproduce it.  Put that reproduction on a gummy bear or some ballistics gel, and as Mythbusters showed... you can now "authenticate" to most fingerprint scanners on the market.

There are a few other problems involved with using fingerprints as authentication...

  • They work just as well separated from their owners as they do when attached
  • Your options for revoking a fingerprint are quite limited
  • Your options for replacing a fingerprint are nonexistent

The solution?  Multi-factor authentication.  Use a smart card with a PIN.  The certificate on the smart card can be revoked if compromised, and the PIN can be changed.  A token along with a password will only allow login with both factors present.  Even passwords and passphrases are quite secure.  You can read more than you ever wanted to know here.
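To make the argument concrete, here is a small policy model written for this post (it is an added example, not the author's code or any product's logic). It assumes a constructed enrolment record with placeholder values, an exact string compare standing in for a real fuzzy fingerprint matcher, and a policy that demands factors from at least two of the have/know/are categories and honours a revocation list for the smart card certificate:

```python
from dataclasses import dataclass, field

HAVE, KNOW, ARE = "have", "know", "are"   # the three factor categories from the post

@dataclass
class Credential:
    category: str      # HAVE, KNOW or ARE
    secret: str        # constructed sample value, not a real credential
    revocable: bool    # can the issuer invalidate it (e.g. a certificate on a CRL)?
    replaceable: bool  # can the user be issued a new one (a new PIN, a new card)?

@dataclass
class Policy:
    min_categories: int = 2                      # distinct categories required to log in
    revoked: set = field(default_factory=set)    # revoked secrets (e.g. certificate serials)

# Constructed enrolment record for one user; all values are placeholders.
# A real fingerprint matcher is fuzzy, not an exact compare; the exact compare
# here only keeps the policy logic visible.
SAMPLE_ENROLLED = {
    "smartcard":   Credential(HAVE, "cert-serial-0001", revocable=True,  replaceable=True),
    "pin":         Credential(KNOW, "2468",             revocable=False, replaceable=True),
    "fingerprint": Credential(ARE,  "fp-template-A",    revocable=False, replaceable=False),
}

def authenticate(enrolled, presented, policy):
    """Return (ok, reason). presented maps credential kind -> value supplied at login."""
    matched = []
    for kind, value in presented.items():
        cred = enrolled.get(kind)
        if cred is None or cred.secret != value:
            return False, f"{kind}: no match"
        if cred.secret in policy.revoked:
            return False, f"{kind}: revoked"
        matched.append(cred)
    categories = {c.category for c in matched}
    if len(categories) < policy.min_categories:
        return False, f"{len(categories)} factor category presented, {policy.min_categories} required"
    return True, "ok"

def irrevocable_factors(enrolled):
    """Credential kinds that can neither be revoked nor replaced once copied."""
    return sorted(k for k, c in enrolled.items() if not (c.revocable or c.replaceable))

if __name__ == "__main__":
    policy = Policy()
    print(authenticate(SAMPLE_ENROLLED, {"fingerprint": "fp-template-A"}, policy))
    print(authenticate(SAMPLE_ENROLLED, {"fingerprint": "fp-template-A", "pin": "2468"}, policy))
    policy.revoked.add("cert-serial-0001")   # card reported lost: its certificate is revoked
    print(authenticate(SAMPLE_ENROLLED, {"smartcard": "cert-serial-0001", "pin": "2468"}, policy))
    print(irrevocable_factors(SAMPLE_ENROLLED))   # the fingerprint is the one factor with no remedy
```

A matching fingerprint on its own is refused by the category rule, a lost card stops working the moment its certificate is revoked, and the only enrolled factor the model cannot retire is the fingerprint.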