Wednesday, October 9, 2013

Fingerprints as Passwords

Have you ever wished you could gain access to a building or an online application using an iris scan or the swipe of a finger rather than a key, a card swipe or a passcode? 

Biometric authentication has long been the stuff of Hollywood movies, but real systems (some strong and some weak) are already in use for special purposes like access to secured rooms and buildings. Now a biometric access control mechanism is being made available to the masses: With their newest smartphone, the iPhone 5s, Apple has introduced a fingerprint access control technique called “Touch ID”

Much of our digital lives are stored on our iPhones, and everyone should use a passcode to help protect this important information and their privacy. Unfortunately, not everyone does; more than 50 percent of smartphone users don't use a passcode.”

That’s a great point. A passcode is an important part of protecting the content and capabilities of your smartphone, so yes, I agree that just about everyone should use a passcode. Apple goes on to say,
“Your fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike.”
That’s an interesting claim, and while most people would accept that “no two are exactly alike,” not everyone would agree that “your fingerprint is one of the best passcodes in the world.” Why not? Several reasons. 

One reason is that they are arguably too public, since you leave them on surfaces you touch. This caused Dustin Kirkland to claim that they are better as a user name than as a password, a point I think he makes quite well.

A second (related) reason is that fingerprints are a password you cannot change. If your conventional alphanumeric password gets compromised today, you change it. What do you do when your fingerprint gets compromised? Change your finger?

The details of the system that uses your fingerprint matter a great deal. "Public" and non-revocable fingerprints as passwords seems most worrisome if their public nature allows them to be trivially copied and used by other than the actual "owner." If my leaving them on the water glass in your office doesn't lead to a practical attack (because of the nature of the authenticated access reader for example), I may be less worried about using fingerprints as passwords. 

How did Apple do on this score? Decide for yourself whether this process is trivial or worrisome:

But of course, I don't have any assurances about the details of the implementation. Whether on an Apple iPhone or in some system implemented by my employer or my bank, the details are generally hidden from me. Does an image of my actual fingerprint get sent somewhere? Or does it get used in combination with other secret information?
Here's why this matters: If multiple services (my bank, my iPhone, my employer) all want to use my fingerprint and even one handles it poorly and allows my actual fingerprint (as opposed to, say, a one-way secret hash of my fingerprint) to get into the wrong hands (I really couldn't resist!) then the risks to me may be greater. Attackers may no longer need my water glass. 
A former colleague used to wonder whether a fingerprint in combination with a password (something you know plus something you are) could be a winner, with an algorithm that combines them generating the actual password to be used, but was always quick to point out that this approach still relies upon every implementation being a good (strong, attack resistant) one. 
So is Apple's use of your fingerprint a serious risk? Noted security expert Bruce Schneier sayshonestly, if some bad guy has [both] your iPhone and your fingerprint, you've probably got bigger problems to worry about.”
My own choice for now? Fingerprint access to my own smartphone sounds fine (even cool), assuming I can trust that the fingerprint is not ever being sent anywhere. But going the next step and using only my fingerprint to secure commerce on the web (e.g., swipe a finger to make an iTunes purchase) doesn’t sound like a great idea to me in these very early days.


Thanks for reading! A blog works best with active participation. If you enjoy this blog, please give it a +1 and leave a comment. Share it on Twitter, Google+, or Facebook. More readers will drive more discussion.