Did you know that a September 2015 US Office of Personnel Management (OPM) system breach resulted in 5.6 million leaked fingerprints?
“We’ve all seen movies that included a clever way to get someone’s fingerprints, and I never thought much about it,” Jimmy Pike, an analyst at Moor Insights & Strategy, wrote in Forbes. “Now a huge number of these biometric signatures are in the dark side of society.”
Indeed, as HackADay’s Elliot Williams recently noted, fingerprints are even worse than passwords and should never be used in place of them.
“Passwords are supposed to be secret. In contrast, you carry your fingers around with you out in the open nearly everywhere you go. Passwords also need to be revocable,” he explained. “In the case that your password does get revealed, it’s great to be able to simply pick another one. You don’t want to have to revoke your fingers. You [also] want your password to be hashable, in order to protect the password database itself from theft.”
According to Williams, fingerprints can easily be lifted from photos and effectively mimicked, and they are not hashable.
“Close matches are a fact of life with human flesh and real-world scanners. But a fingerprint with a tiny flaw will hash into something entirely different from the reference version,” he continued. “What this means is that fingerprints are not hashable. Hashing makes passwords strong and without it, fingerprint protection is much weaker.”
In addition, says Williams, fingerprint databases are inevitably a weak link.
“Anywhere your fingerprint is being stored, on your iPhone or PIV card or inside your electronic passport, there is a version of your fingerprint that someone could decrypt if they knew the master password,” he added.
However, emphasized Williams, electronic passports typically store an encrypted representation of fingerprint and iris images.
“For [Customs], your fingerprint is only really used to verify that you are you, and that’s hard to tamper with without breaking the hash that ties it to the rest of your information. You might think you could tweak one bit here and apply an offsetting tweak there, but the avalanche effect foils that plan.”
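The two properties Williams relies on above, that a tiny change in the input makes the hash "entirely different" and that the avalanche effect foils any attempt to offset one tweak with another, can be seen directly. The following Python is an added illustration, not code from the article or from Williams: it uses a constructed 64-byte string as a stand-in for a fingerprint template, simulates sensor noise by flipping single bits, and contrasts an exact hash comparison (how a password is verified) with a Hamming-distance matcher (a simplifying stand-in for a real biometric matcher, which needs the reference template itself rather than a hash of it).

```python
import hashlib
import hmac


def constructed_template(seed: int = 7) -> bytes:
    """Constructed stand-in for a fingerprint template (64 deterministic bytes).

    A real template is a minutiae map; this is only a repeatable byte string
    so the demonstration runs offline with a fixed input.
    """
    return hashlib.sha256(seed.to_bytes(4, "big")).digest() * 2


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit toggled (simulates a noisy rescan)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def avalanche_fraction(data: bytes, bit_index: int = 0) -> float:
    """Fraction of SHA-256 output bits that change when one input bit flips.

    For a sound hash this sits near 0.5: a one-bit sensor flaw yields a digest
    unrelated to the reference, which is why raw biometrics cannot be hashed.
    """
    d1 = digest(data)
    d2 = digest(flip_bit(data, bit_index))
    return hamming_distance(d1, d2) / (len(d1) * 8)


def matches_reference_hash(reference_hash: bytes, candidate: bytes) -> bool:
    """Exact-match verification, as done for a password hash."""
    return hmac.compare_digest(reference_hash, digest(candidate))


def tolerant_match(reference_template: bytes, candidate: bytes, max_bits: int = 8) -> bool:
    """Stand-in biometric matcher: accepts candidates within max_bits of the reference.

    Note that it needs the reference template in the clear; only an encrypted
    copy (not a hash) can be stored, which is the weak link Williams describes.
    """
    return hamming_distance(reference_template, candidate) <= max_bits


def offsetting_tweak_restores_hash(data: bytes) -> bool:
    """Flip bit 0, then try every other single-bit flip as an 'offset'.

    Returns True only if some offsetting flip reproduces the original digest;
    the avalanche effect makes that fail for every choice.
    """
    target = digest(data)
    tweaked = flip_bit(data, 0)
    return any(digest(flip_bit(tweaked, j)) == target for j in range(1, len(data) * 8))


if __name__ == "__main__":
    template = constructed_template()
    noisy = flip_bit(template, 5)  # one-bit sensor noise
    print("avalanche fraction:", round(avalanche_fraction(template), 3))
    print("hash match on exact template:", matches_reference_hash(digest(template), template))
    print("hash match on noisy rescan:", matches_reference_hash(digest(template), noisy))
    print("tolerant match on noisy rescan:", tolerant_match(template, noisy))
    print("offsetting tweak restores hash:", offsetting_tweak_restores_hash(template))
```

The contrast is the whole argument: the hash check accepts only the exact template, so a noisy rescan never verifies; the tolerant matcher verifies it, but only because it holds the reference template in a decryptable form.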
As Williams reiterates, fingerprints shouldn’t be used as if they were passwords.
“Being permanent and relatively-easily verified and obtained makes them great for criminal investigations or for certifying that you are who you say you are. But they’re not passwords because they’re not secret, they’re not revocable and they’re very difficult to store securely,” he concluded.
Paul Kocher, the Chief Scientist of Rambus’ Cryptography Research Division, expressed similar sentiments during an interview with Semiconductor Engineering earlier this year. According to the chief scientist, biometric security platforms may seem promising, although there are still clearly a number of fundamental challenges the industry needs to address.
“One of them is that there is not really anything secret about someone’s biometric attributes. You are constantly displaying your face, eyes, other physical traits, as well as leaving your fingerprints everywhere,” Kocher confirmed. “There is [also] really no way to ‘revoke’ a fingerprint. [True], there are claims made by vendors that they can prevent people from making prosthesis or duplicating biometric images. [However], those claims have not, generally, held up.”