Last year I wrote about fingerprint biometrics for authentication. In that piece, I discussed making fake fingerprint patterns. Now a student has taken that one step further and created random pattern fake fingerprints one can slip on the end of a finger. The iPhone and other devices recognize these patterns as fingerprints.
Good question! The idea behind biometrics is that they provide authentication tokens that can be traced directly to a single, real person. That is what the fake fingertips are designed to subvert. I cannot change my finger, but I could remove something from the end of it. If I found that the fingerprint was somehow compromised, I could just “change fingers.” That sounds handy.
But it could be used in another way. If authorities wanted me to unlock a device that I had secured with a random fingertip rather than my own print, I would be unable to do so if I had destroyed the fingertip. Now these aren’t described as edible, but that could be an intriguing next step.
Well, it’s not going to kill fingerprint biometrics. For one thing, the technique may not work for all readers (in fact, I’m certain that it won’t). For example, higher-end readers measure heat and blood flow along with scanning the print. For another, fingerprint readers have been defeatable for some time, as I noted before.
The device could help keep one’s actual fingerprint confidential, but then the loss of the false fingerprint could make authentication very difficult. Consider using a fingerprint to log into a computer or open a physical lock. Each of those devices needs a work-around for a lost fingertip, but such work-arounds are often forgotten or misplaced.
A stolen fake fingerprint is like any stolen token that does not require a PIN to activate – it makes impersonation easy. This is why fingerprints – and many other biometrics – should be combined with a PIN or other factor. Unfortunately, many fingerprint-enabled locks and similar devices lack that multi-factor aspect. As usual, it is a tradeoff between ease-of-use and security. Who wants to swipe a finger and enter a PIN on a smartphone? Fingerprint readers were added to make secure access quick.
The random print fingertip was developed to defeat a particular attack: that of using stolen prints. As the author of the article I mentioned above points out, people’s fingerprints are everywhere. In fact, they can even be captured from a distance with a photograph.
It will always be a “Red Queen’s race” for security professionals. From the cyber security professional’s perspective, the goal is to create:
1) a fingerprint reader that will detect various forms of false prints,
2) an affordable multi-factor authentication system to use with biometrics,
3) ways to deal with compromised biometrics including stolen fingerprint databases or copied images of fingertips.
I don’t believe these are insurmountable, and these are good areas for ongoing research. (Are you listening, PhD candidates looking for dissertation topics?)
When (or if) these new “fake fingerprints” become available, will you use them? Why or why not?
To your safe computing,