Fingerprint Authentication – Just a Plain Bad Idea
A growing number of smartphones include fingerprint reading hardware, both as a differentiating feature in an increasingly crowded marketplace and as a way to offer users more convenient security. The Motorola Atrix 4G stole the show at CES 2011 as the first modern smartphone to feature a fingerprint reader (earlier Windows Mobile devices had fingerprint readers, but these were never general consumer products). Since then the Samsung Galaxy Alpha 4G, iPhone 5s, HTC One Max, Oppo N3 and Samsung Galaxy S5 (to name a few) have been released with fingerprint readers.
Despite the rush to market fingerprint readers, they are not the security panacea they are often proclaimed to be. The fundamental problem we are trying to solve is authentication: ensuring that a user is who they claim to be. We authenticate to services constantly, typically with usernames and passwords. In recent years two-factor authentication has become common, requiring “something you know” (the password) as well as “something you have” (the token generator on your smartphone). The third classical authentication factor is “something you are”, which is where biometrics comes in.
We see the limitations of popular authentication systems in the news regularly: every time a website is compromised, its users are told to change their passwords and remain vigilant. The reason is that most sites use what is termed here “weak authentication”, where you prove who you are by disclosing a secret that is supposed to be known only to you. You enter your username and password, your computer or phone sends them to the server, and the server checks whether they are correct. If they are, you get access; if not, you don’t. Simple!
Or maybe not? Weak authentication is fundamentally flawed (hence the name). The secret you authenticate with (your password) should be known only to you, but for the service to decide whether you are who you claim, you have just disclosed that password to the server. Two parties now know the secret: you and the server. If the server is compromised, passwords can be logged as they arrive, even if the site stores only hashes of them. And if users re-use passwords, all their other accounts are at risk too, because the attackers now know those passwords.
The solution to this problem is what is known as “strong authentication” (it makes sense, right?). With strong authentication, rather than revealing your secret when identifying yourself, you prove to the service that you know it without disclosing it. This keeps the secret confidential, and prevents it being compromised by someone who attacks that service. Technically, strong authentication is generally built on “challenge-response”: the service asks you a new, unique question each time you log in, and you answer with a value derived from the password that proves you know it without revealing it. The precise technologies are out of scope for this article, but interested readers should look at the Wikipedia page on challenge-response authentication and read about protocols such as Secure Remote Password (SRP), in which the server stores only a verifier derived from the password and never sees the password itself.
Strong authentication has an obvious advantage: if one service is compromised, user accounts on other services are not put at risk of unauthorised access as a direct result. It is therefore very good for user security, and it is in use in many of the important protocols that keep the internet running.
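The challenge-response idea above, worked through as an added example (this is not code from the original article): a toy Python implementation of the Secure Remote Password exchange (SRP-6a) mentioned in the text. At registration the client hands the server a salt and a verifier v = g^x mod N, where x is derived from the password; at login the two sides exchange fresh random public values A and B and each derive the same session key, the client from the password and the server from the verifier. The password never leaves the client, and nothing in the transcript lets the server, or an eavesdropper, read it. The group is the 1024-bit one published in RFC 5054 Appendix A (verify it against the RFC before reusing it); the hashing (SHA-256 throughout), the key-confirmation message M1 and the names `register`/`authenticate` are simplifications assumed here, so this is not interoperable with RFC 5054 implementations and is not production code.

```python
"""
Toy SRP-6a style password-authenticated key exchange (added example, not the
article's own code). Follows the SRP-6a structure from RFC 5054 but uses
SHA-256 everywhere and a simplified client proof, so it is NOT interoperable
with RFC 5054 clients. The 1024-bit group is the one from RFC 5054 Appendix A
(check against the RFC); it is considered too small for new deployments.
"""
import hashlib
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NBYTES = (N.bit_length() + 7) // 8  # 128 bytes


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N, as SRP-6a requires."""
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation of parts, returned as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, k = H(N | PAD(g))


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(s | H(I ":" P)). Only the client ever computes this value."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str) -> dict:
    """Client-side enrolment. The server receives salt and verifier v, never P."""
    salt = secrets.token_bytes(16)
    x = private_x(salt, username, password)
    return {"I": username, "s": salt, "v": pow(g, x, N)}


def authenticate(username: str, password: str, record: dict) -> bool:
    """Run one SRP login between a client holding `password` and a server
    holding `record` (what the server stored at registration). Both roles are
    simulated in-process; only I, A, s, B and M1 would cross the network.
    Returns True if the server accepts the client's proof."""
    # --- client: fresh ephemeral key, sends (I, A) ---
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # --- server: fresh ephemeral key, replies with (s, B), B = k*v + g^b ---
    b = secrets.randbelow(N - 2) + 1
    B = (k * record["v"] + pow(g, b, N)) % N
    # Both sides refuse degenerate public values (RFC 5054 sections 2.5.3/2.5.4)
    if A % N == 0 or B % N == 0:
        return False
    u = H(pad(A), pad(B))  # scrambling parameter, the per-login "challenge"
    if u == 0:
        return False
    # --- client: derives the session key from the password; x never leaves ---
    x = private_x(record["s"], username, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = H(pad(S_client))
    M1 = H(pad(A), pad(B), pad(K_client))  # simplified proof (not RFC 2945's)
    # --- server: derives the same key from the verifier, checks the proof ---
    S_server = pow(A * pow(record["v"], u, N), b, N)
    K_server = H(pad(S_server))
    expected_M1 = H(pad(A), pad(B), pad(K_server))
    return secrets.compare_digest(pad(M1), pad(expected_M1))


if __name__ == "__main__":
    rec = register("alice", "correct horse battery staple")
    print("server stores (no password anywhere):", rec)
    print("right password accepted:", authenticate("alice", "correct horse battery staple", rec))
    print("wrong password accepted:", authenticate("alice", "Tr0ub4dor&3", rec))
```

Run it and the record printed for the server contains only the username, the salt and the verifier; a breach of that server yields no passwords to replay against other sites, which is the property the article is after. One caveat worth knowing: a stolen verifier still permits an offline guessing attack against a weak password, so strong authentication stops the server learning the password but does not excuse choosing a bad one.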
But you said fingerprints!
Now that we are familiar with the concept of authentication, let’s consider authentication by fingerprint. Every time you use your fingerprint, the reader captures the whole thing: it has to convert your fingerprint into a digital representation that can then be processed by whatever does the matching. So you disclose your “secret” authentication credential in full every time you use it, which by the definition above makes fingerprints a form of weak authentication. Worse, you also leave that credential behind every time you touch something. That is akin to walking around a busy public place, unable to resist shouting your passwords out to the world!
That isn’t even the easiest way to break fingerprint authentication. As people grow used to supplying their fingerprint to log in, they will become more comfortable authenticating to services with their finger. All it takes is one compromised fingerprint reader that records the raw fingerprint it observes, and your fingerprint is no longer secret. This is how tampered payment terminals have been used to harvest card data and PINs from “chip and PIN” EMV cards: if you can’t trust the terminal, you can’t be sure your fingerprint isn’t being stolen, just as it is unwise to type your password on a (possibly keylogged) internet cafe computer.
“Surely this is no worse than a password?”, I hear you ask. Actually, it’s much worse. If your password is stolen, you use the password reset process, recover your account and change the password; your account is once again secure (or as secure as the service is). Now imagine your fingerprint is stolen. You can’t just change it. You can tell your bank it was compromised and they can note this on file, but it doesn’t change the fact: it is now compromised, and useless for authentication. Sure, you could use another finger, but that is not exactly sustainable: there are more than ten major site security breaches per year these days, and you only have ten fingers.
Users of fingerprint authentication have even more to worry about: research presented at the 31C3 conference showed how a German politician’s fingerprint could be reconstructed, and a physical clone produced, from nothing more than ordinary high-quality photographs taken of them while speaking at a conference. At this point, you might as well walk around with your password tattooed on your forehead.
While fingerprint authentication might well appear convenient, the concept is fundamentally flawed. You can change your password or PIN if someone finds it out; you can’t do the same with your fingerprints. Every time you authenticate to something via fingerprint, whether cashless catering in schools or your own smartphone, you run the risk of your fingerprint being captured by a piece of malicious software or a tampered reader. And fingerprints aren’t like passwords: you don’t get the option of using a better, more secure one for your bank and a weaker one for less important services. More importantly, you’re stuck with them.
There’s no real solution to this problem. The best workaround is simply not to use fingerprint-based authentication. This might well be difficult, as many countries record their citizens’ fingerprints. The existence of such databases means that if fingerprint-based login ever became popular, they would become immensely valuable targets for criminals keen to gain immediate access to hundreds of millions of people’s accounts. And, as they say in the Black Friday sales, “once they’re gone, they’re gone!”