BillCan's Place

Life at Microsoft

Blogs

Are Fingerprints a Good Authentication Factor?

  • Comments 12
  • Likes

My previous post refered to a new keyboard that Microsoft is now selling that has a fingerprint reader.  The software and hardware in this package combine to allow fingerprint-based authentication to replace passwords for various systems.  Apparently, the software stores encrypted copies of your password, and decrypts and enters them when require after the right fingerprint is observed on the reader.  The key thing is that the software that comes with this device only authenticates the user to the local machine, it does not authenticate a user to the domain.

There has been a fair amount of conversation about fingerprints as authentication tokens inside Microsoft recently, and I would like to provide my 2 cents.  Please remember that this is just me speaking on my behalf, and does not represent the views of Microsoft or anyone inside Microsoft.

There is some question whether finger prints are a really good form of biometric authentication.  I've heard stories of Xerox copies of fingerprints actually being read.  If you are really dedicated, you could cut off the target's finger and thereby obtain his/her password (although if you are in a position to remove someone's finger, perhaps you could just hold the target at knifepoint and have him/her authenticate for you!).  We've all seen the scenes in the movies where someone lifts someone's fingerprints and uses them for access to some "super secure" resource.  I know that these are probably all fantasy scenarios, but fingerprint readers do seem among the easier to attack forms of biometric authentication.

That said, does this mean that fingerprint readers have no place in a moderate to highly secure environment?  I'd say "no" for the following reasons.  Fingerprints can be a good authentication factor when combined with other factors.  For instance, fingerprints and a passphrase or fingerprints and a RFID token would be (IMO) a fairly good system, and certainly better than passwords alone (assuming password strength is the same in both scenarios).  Certainly, fingerprints with two or more additional factors just keeps improving the authentication level.  In addition, it's easy to say that a bad guy could cut off the CEO's finger or lift his fingerprint and use it to authenticate as him/her, but it's harder to actually do.  It's a harder attack to pull off, and can thwart the mildly curious if not the experienced spy.  Finally, reusable passwords are typically pretty crummy auth factors, but when combined with other factors, they aren't so bad.  Almost all two-factor auth systems rely on something you know, and this is not considered weak security.  The same can hold true for fingerprints.

Are fingerprints the best biometric authentication type available?  I don't think so.  I particularly am intrigued by a system called BioID from HumanScan (www.humanscan.de).  The system uses voice recognition, face recognition, and mouth movement for authentication.  Combine this with a RFID or password/phrase, and you may have something.  Even still, one can think of theoretical ways to break this system.

So what is the future of biometrics?  Should we just forget about them and stick with tokens or smartcards?  What are your thoughts?

Comments
  • For home use I think this device would be a real convenience.

    I'd say the big problem for any biometric device in a highly secure environment is that you have to trust the input device. Just like there exist keyboard loggers today, there will exist biometric data recorders tomorrow. The only way I would trust a biometric device in the general case (public terminals etc) would be if I had my own personal input device which encrypts data itself and communicates over a secure channel with the server against which it is authenticating.

  • We are on verge of starting to evaluate one of these systems (fingerprint, commercial) for a customer of ours. He would like to use biometric access for doors as well as for computers. So, I haven't made up my mind yet :) - But so far I think the current systems are probably fine for the door opening scenario as you can more easily steal a key/keycard and passwords are out of question here. Maybe a combination of a fingerprint and a PIN code is possible. I agree with you that the 'cut off someone's finger' argument probably is way off mark. Most problems arise from the fact that it is so easy to loose a key or to your keycard when for example your purse gets stolen. And we are not talking about high-security bank-type scenarios anyway. And there are so many new possibilities like not having to hand out keys to temps and restricting access to work hours etc. etc. The same is true for the computer scenario, so I certainly will look for hardware/software combo that allows me to authenticate against a domain as well. Would be a great application for using at home as well. Not all scenarios need full-scale, fort knox security especially when the alternative is either simple passwords or smartcards.

  • Fingerprints vs passwords? Neither has the advantage. If you can hold someone at knife-point to get them to put their finger on the reader, it's just as easy to hold them at knife-point to get their password.

    Fingerprints combined with password? Takes away the convenience of not having to remember the (supposedly `good' and convoluted) password. So you might as well just stick to password alone, given the previous paragraph.

    But -- say, more than one fingerprint, in an arbitrary order that _you_ (the user) choose? Takes away some convenience (i.e. you have to remember which fingers to use and in what order), but still it's better than remembering a password, I think.

    So, to log on to Windows (say), you use left hand index finger, left hand thumb, and right hand pinky (or any other combo).

    This is pretty good. If someone wanted to access your system, even if they cut off and took all your fingers (eww, I know), they'd still have to figure out the `pressing sequence'. Obviously the more fingers you use in the sequence (and given that you can use each finger more than once in a sequence), the larger the `key space' (so to speak) and the more combinations the cracker has to try. So theoretically the key space can be as big as you want to or are willing to remember. So this pretty much parallels the safe combos of yore, except fingerprints are obviously a bit more unique than decimal numbers.

    What are the problems with this? The only thing I can think of atm is, anyone observing you can see which fingers you use. But this depends on the design of the fingerprint reader, doesn't it? What if it's covered so that what finger (and if you put both hands in the covering, then what hand) is being used can't be seen? I don't see any reason why someone like that can't be made.

    Food for thought! Man, I can't wait for biometrics to take over.

  • I like the concept of multiple fingerprints in order. However, does this mean you need to have an account lockout to prevent the bad guy from exhaustively trying every combination of your severed fingers?!

    Bill

  • The problem with fingerprints as an authentication factor is that you can't change 'em and you can't hide 'em. Why would you want to change the token you use to authenticate? Well, the suthentication software isn't actually using your fingerprints to authenticate against... they're using a stream of digital signals derived from them. If someone can get a copy of that stream, and a compromised scanner, they can use them in a replay attack. If someone can get a picture of your fingerprints, they can scan it and try and reproduce that stream.

    If you're giving them a revokable password, you can change your password, but how do you change your fingerprints?

    The idea of a personal input device is a good one, but rather than using the biometric information as the authentication token, keep your certificates and other cryptographic keys in that device, and use your fingerprint as a mechanism for unlocking it. That way you can revoke a compromised certificate while still have biometric security for the "keychain" device.

    Unlike a conventional smartcard, the "keychain" device would not be the token itself: you would load keys into it at an appropriate station (for example, you could copy your bank keys at an ATM, or the ones to unlock your computer at the computer itself). You could copy your keys into one for your purse, one for your glovebox, one in your desk at work, so you wouldn't have to worry about losing it, or having stacks of cards to carry around, or worry about your keys being compromised if someone got the card...

  • Easy, we can file them off like we can MAC addresses on NICs.

  • How about an Assprint with the Xerox AssJet.

  • I think all the "what-if" Mission Impossible scenarios with bioprint devices are just that. I can "what-if" any security countermeasure to death. I think the greatest value lies in battling the casual/semi-casual snoop. Doing any of the proveable thwarts for biometricts takes a lot of work and clearly crosses the boundaries from a "whoops" to "I meant to do that." You are crossing a clear-cut line.
    I also like the idea that has been gaining ground about using "pass phrases" or being presented with 20 faces or colors and having to choose them in the right order to get in (like the old "Simon" game). There is also a company that has a password front where you graphically dial a bank-safe type knob until it points to your passcode instead of entering the characters themsevles. (http://www.bharosa.com/technology.html)

  • You just cant use a SINGLE auth technique on its own, you have to use them in combination to reflect the required target application or risk.

    What may fit youre requirements maybe overkill for mine etc etc

  • I was recently fingerprinted (not for a crime but rather for my CCW) and the person doing it said that it is harder to fingerpring elderly people since some of their fingerprints are worn down somewhat.



    It was interesting that no ink was involved in my recent experience. It was all done with an optical scanning machine. The results were fantastic.

  • I think authentication can be based on primarily three kind of tokens: who-you-are, what-you-have and what-you-know. Typical examples would be a fingerprint/retina-scan, smartcard/RFID fob and a password/passphrase respectively.

    Depending on the application, ease of use and mission-criticalness, you may want to employ one or more of these techniques in combination. As someone already mentioned, for a homePC a simple fingerprint auth should suffice, whereas for getting access to a data centre, probably all three would be used, with multiple methods each (a smartcard AND laser-cut key for lock).

    To answer Peter's concern about someone getting access to the stream etc. - you can have encryption for data travelling between each (scanning) device and recipient system (use PKI etc.). The data stream per se would be irrelevant unless the attackers can manage to crack encryption, plus even if they are able to compromise the scanner/device, it is the system which would be compromised, not your fingerprints.

  • Here is an interesting video (in German with sub-titles) about how simple it is to outsmart single-factor fingerprint-based authentication: ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg

    Bill