Postcard from Biometric Security

When I was researching biometrics for my MSc a few years ago, I remember a conversation with my supervisor where I cast doubt on the inate security of a fingerprint as a means of determining identity. The outcome was what you'd hope for in that circumstance - if that's how you feel, then prove it.

I didn't do a prticularly good job with the proof, so the details were excised from the final draft. After all, conventional wisdom said that laptops often come with fingerprint sensors, and of course Apple have one front and centre on phones and iPads, so how could there be a problem?

My experience with the fingerprint reader on an HP laptop some years ago was far from happy, and certainly not unique. After registering by using the reader a number of times, I found that between 20% and 40% of attempts to login using the reader failed. Others in the company found the same thing. In the end, a lot of us by-passed it and used the more conventional username and password.

Part of the problem was easy to spot. It was a strip reader, so you had to pull your chosen finger over the sensor slowly and steadily. But it accumulated dust and crumbs in the corners which would affect the image. Then there's the software which had to compare the image it constructed this time with the stored template, knowing that they couldn't be exactly the same, just very similar.

Recently, a widely publicised hack of a US Government department and the theft of data initially omitted to mention the 5.6 million stored fingerprints that were also stolen. The FBI eventually claimed that there still wasn't a problem because using the stored prints was not practical. Then at the end of last year a group of academics showed how to make a copy of the stored print in a way that would fool a fingerprint sensor.

There's a hugely naive view that seems almost viral in it's tenacity. That somehow a fingerprint is inherently more secure than a password. Yes, there are many, many terrible passwords out there, but at least you can change them easily. As a result of the OPM hack, there could be 5.6 million users who can't reliably use that finger for authentication. Most of them will have 9 more options.

What happens after the tenth hack?

Further reading:

© 2015-2016 Woodbrook-Wilson   |   Postcards   |   Archive   |   Home page