Monday, 22 August 2016

Are fingerprint sensors really secure?

Many years ago when fingerprint sensors first started to appear on the market, it seemed a really useful security feature.

The company I worked for (RM plc) made PCs, notebooks and tablets for schools. The use of passwords was a common problem in schools. The password needed to be long enough and complex enough to be secure, but also easy to remember. Also, the crafty kids would often watch a teacher type in their password and so learn their admin password. The kids would also forget their passwords, which meant that teachers or the IT admin guys were constantly having to reset their passwords and create new ones for them. Kids would write down their passwords and other kids could find them and copy their homework, etc. Passwords were a real headache.

So fingerprint scanners seemed to present an ideal solution, and as everyone's fingerprint is unique, it is foolproof, right?

As you probably know, when a fingerprint is scanned, the ridge patterns have to be condensed or 'hashed' into a bunch of numbers which are then stored in a database. Also, several fingers are normally 'learnt' in case one of your fingers is damaged (e.g. scratched, blistered, etc.). This is quite common with kids (even broken fingers in plaster!).

The dilemma that the fingerprint scanner manufacturer/developer has is that they need to accept only matching fingerprints, but the scan does not always return exactly the same information each time. So there has to be a degree of 'fuzzy matching'. If the user has to scan his finger ten times before he can log in, then that is NOT satisfactory and no one will use it.

So, the matching algorithm has to be 'tight' enough to only allow the correct fingerprint to be recognised, but 'loose' enough to allow for the subtle variations that you get each time you scan.

Now in a school, we could have a situation where a Tablet PC which belongs to the Head Master or Head of IT contains confidential information. If a pupil could log into that Tablet PC, the consequences could be catastrophic!

Also, in a school, we have literally thousands of different fingers available.

So I devised a test. I got everyone in the office to press each of their ten fingers onto a Tablet PC that I had pre-registered with both of my index fingers. The result was that one of my colleagues' fingers was accepted and they logged in to my Tablet PC!

Obviously, the matching algorithm that was being used was not strict enough!

I asked the manufacturers to improve the software, but after several tries, it became obvious that it was impossible to get the correct balance. Either the software was too 'strict' and I had to try ten or more times to log in, or the matching algorithm was too 'loose' and several of my office colleagues could log in to my Tablet PC using their fingers!

Now this was about 10 years ago and things have, no doubt, improved since then.

If you have one of these devices, why not try the same experiment? Pass round all your devices and get everyone to try all their fingers. If you ask enough people, maybe someone will be able to log in to your device!

Now ask yourself this: if one person in (say) 30 can log in to your device, is it really as secure as you thought? Try it in the office or pub with friends and let me know how many people tried it before one of them was able to log in.
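The 'tight' versus 'loose' trade-off and the pass-it-round-the-office test can be put into numbers. The Python sketch below is an added example, not part of the original post; the two score distributions, the thresholds and the independence of comparisons are constructed assumptions, not measurements from any real sensor.

```python
from statistics import NormalDist

# Constructed score model (an assumption, not measured data): similarity
# scores run 0..100 and a higher score means a closer match.
GENUINE = NormalDist(mu=70, sigma=10)    # same finger, scanned again
IMPOSTOR = NormalDist(mu=30, sigma=10)   # a different person's finger


def false_reject_rate(threshold):
    """Chance that one scan of the right finger scores below the threshold."""
    return GENUINE.cdf(threshold)


def false_match_rate(threshold):
    """Chance that one wrong finger scores at or above the threshold."""
    return 1.0 - IMPOSTOR.cdf(threshold)


def expected_scans_to_login(threshold):
    """Mean number of scans the genuine user needs (geometric distribution)."""
    return 1.0 / (1.0 - false_reject_rate(threshold))


def p_any_impostor_accepted(threshold, people, fingers_each=10, enrolled=2):
    """Chance that at least one finger in the room unlocks the device.

    Every presented finger is compared with every enrolled template, and the
    comparisons are treated as independent (a simplifying assumption).
    """
    comparisons = people * fingers_each * enrolled
    return 1.0 - (1.0 - false_match_rate(threshold)) ** comparisons


def sweep(thresholds, people=30):
    """One row per threshold: (threshold, FMR, FRR, owner scans, P(any accept))."""
    return [(t, false_match_rate(t), false_reject_rate(t),
             expected_scans_to_login(t), p_any_impostor_accepted(t, people))
            for t in thresholds]


if __name__ == "__main__":
    print("thresh  FMR/compare  FRR/scan  scans  P(any of 30 people gets in)")
    for t, fmr, frr, scans, p_in in sweep([50, 60, 70, 80]):
        print(f"{t:6d}  {fmr:11.7f}  {frr:8.3f}  {scans:5.1f}  {p_in:8.4f}")
```

With these constructed numbers, threshold 60 lets the owner in after about 1.2 scans but gives a room of 30 people a better-than-even chance of unlocking the device, while threshold 80 nearly closes that door at a cost of about six scans per login.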

For a more 'balanced' view on fingerprints in the real world (and not on CSI) see here. In the real world, experts will study a fingerprint to try to determine which finger of which hand made the print. This greatly reduces the likelihood of a false positive. This cannot be done when using a scanner.