Finger Prints as Passwords September 29, 2013

Posted by 7832johnsob in Security.

In the article “Password Security: A Case History”, good system security was described as one that “involves realistic evaluation of the risks of not only deliberate attacks but also of casual authorized access and accidental disclosure” [1]. This means that users shouldn’t make it easy for an attacker to access or guess the passwords they use for authentication. However, authentication should also provide “security at minimal inconvenience to the users of the system”, which seems to be a challenge in the world of mobile devices [1].

Most mobile devices allow applications to save usernames and sometimes even passwords for ease of use. While this makes it easy to quickly post Facebook statuses, check your email, manage your bills, etc., it also makes it simple for someone who takes your mobile device to gain access to personal information. With this personal information, one could commit fraud, change your account passwords, and so on. Most mobile devices offer a screen-locking feature for those who want to prevent or deter the situations just described. Yet the authentication method is usually a 4-digit PIN, which is not grueling to guess for someone with some time on their hands. An intruder can also look at the fingerprint smudges on the screen and match them against the on-screen keypad to speed up the PIN-guessing process. One reason for the short password is that users unlock their screens many times throughout the day, so entering something longer becomes inconvenient for many people.
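To make the two points in this paragraph concrete, here is a small model, written for this page and not part of the original post, that quantifies how small a 4-digit PIN’s guess space is, how much smaller it gets when screen residue reveals which digits were pressed, and how much an attempt-throttling policy changes the picture. The lockout schedule in `escalating_delay` is an assumed one chosen for illustration, not the behaviour of any particular device.

```python
"""Guess-space and throttling model for numeric screen-lock PINs.

Added example, not code from the original post. The throttling policy
in `escalating_delay` is hypothetical; real devices differ.
"""
from math import comb


def pin_space(length: int, alphabet_size: int = 10) -> int:
    """Number of possible PINs when nothing is known about their contents."""
    return alphabet_size ** length


def surjection_count(distinct_symbols: int, length: int) -> int:
    """Strings of `length` over exactly `distinct_symbols` symbols, each used
    at least once (inclusion-exclusion over the symbols that are omitted)."""
    k, n = distinct_symbols, length
    if k <= 0 or k > n:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def candidate_space_from_smudge(distinct_digits: int, length: int) -> int:
    """Remaining candidates if residue on the keypad reveals which distinct
    digits were pressed, but not their order or how often each repeats."""
    return surjection_count(distinct_digits, length)


def escalating_delay(attempt: int) -> float:
    """Hypothetical lockout policy: forced wait (seconds) before attempt N.
    Constructed for this example; not a description of any real device."""
    if attempt <= 5:
        return 0.0
    if attempt <= 10:
        return 60.0
    if attempt <= 15:
        return 300.0
    return 3600.0


def worst_case_seconds(candidates: int, seconds_per_try: float, delay_fn) -> float:
    """Time to try every candidate when each attempt costs `seconds_per_try`
    of manual entry plus whatever wait `delay_fn` imposes before it."""
    return sum(seconds_per_try + delay_fn(i) for i in range(1, candidates + 1))


def summarize(length: int, seconds_per_try: float = 2.0) -> dict:
    """Compare the exhaustive search time for a PIN of the given length with
    no knowledge versus smudge knowledge, with and without throttling."""
    no_throttle = lambda _attempt: 0.0
    full = pin_space(length)
    smudged = candidate_space_from_smudge(length, length)  # all digits distinct
    return {
        "length": length,
        "candidates_no_info": full,
        "candidates_smudge_distinct_digits": smudged,
        "hours_no_info_no_throttle": worst_case_seconds(full, seconds_per_try, no_throttle) / 3600,
        "hours_no_info_throttled": worst_case_seconds(full, seconds_per_try, escalating_delay) / 3600,
        "hours_smudge_throttled": worst_case_seconds(smudged, seconds_per_try, escalating_delay) / 3600,
    }


if __name__ == "__main__":
    for n in (4, 6):
        for key, value in summarize(n).items():
            print(f"{key:>36}: {value:,.1f}" if isinstance(value, float) else f"{key:>36}: {value:,}")
        print()
```

The numbers show the defender’s levers: with no throttling, 10,000 four-digit PINs can be exhausted in a few hours of manual entry, and a smudge that reveals four distinct digits leaves only 24 orderings to try. A lockout schedule that escalates after a handful of failures pushes even those 24 attempts into many hours, and a six-digit PIN multiplies both the raw space (1,000,000) and the smudge-reduced space (720) substantially.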

To strengthen the security of the screen lock, the new iPhone 5S boasts a fingerprint authentication method which “scans the sub-epidermal layers of the finger to take the reading” [2]. However, a German research group demonstrated that, given a high-resolution picture of the fingerprint, the fingerprint scanner is just like regular password authentication with the password written right on the device. This is because fingerprints are left almost everywhere. The group produced the fake fingerprint by photographing “the print from a glass surface, laser-print[ing] the fingerprint image on a transparency sheet, then smear[ing] it with latex” [2]. Though the group made a strong point that the fingerprint as authentication was not as secure as expected, the fingerprint authentication could only be cracked after a clear fingerprint was photographed with a high-resolution camera and laser printed effectively. This means that someone stealing a phone for information would need access to your fingerprint and some time to fake it before you noticed your phone was missing. This would most likely deter casual attempts to unlock your phone, leaving only intruders with a deliberate motive to worry about.

While many authentication schemes can be cracked if given enough time, resources, or some heuristic, is the fingerprint as a password authentication method a feasible approach for everyday users? What improvements could be made to make the fingerprint more difficult to fake? Does facial recognition have the same faking issues as fingerprints?

[1] R. Morris and K. Thompson, “Password Security: A Case History,” Communications of the ACM, vol. 22, no. 11, pp. 594–597, 1979.
[2] K. Zetter, “German Hackers Say They Cracked iPhone’s New Fingerprint Scanner,” Wired, 23 September 2013. [Online]. Available: http://www.wired.com/threatlevel/2013/09/iphone-fingerprint-cracked/. [Accessed 29 September 2013].
