Endpoint

6/2/2014
12:00 PM
Dave Kearns
Dave Kearns
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How The Math Of Biometric Authentication Adds Up

Yes, it's true that if your authentication scheme only allows a single fingerprint you only have 10 choices. But there's no rule that says it has to be one, and only one.

I was at the European Identity Conference in Munich a couple of weeks ago, sitting in the audience listening to a presentation on future authentication methods in which biometrics played a prominent role. During the question time at the end of the presentation a couple of old canards were raised concerning fingerprints. Let's try to shoot them down.

First, a surprising number of people believe that the stored "fingerprint" can be lifted and placed at a crime scene to frame the finger's owner. But there is no "fingerprint" stored. It's just a value, the same as in a password or token system.

Nor can that value be reverse engineered to create an image of the fingerprint. When you swipe your finger, a series of arbitrary measurements are taken which are combined in a proprietary method by the application. To this value is applied a SALT (a random bit of data added to the calculated value) then it is HASHed (passed through a one-way function) and it is that resulting value which is transmitted and stored. The HASH is one-way, it cannot be reversed. Your fingerprint cannot be reconstructed.

The second fallacy was raised by a gentleman who insisted that if your fingerprint is compromised you can't change it. My immediate thought was "Oh, that poor man. He only has one finger."

Most of us have ten fingers – or eight fingers and two thumbs -- which is (for biometric purposes) the same thing. Changing from one to another is no more difficult than changing from one password to another.

But wait, you say, that only means you can change nine times. What happens after that? While it's true that if your authentication scheme only allows a single fingerprint, then you only have 10 choices. But there's no rule that says it has to be one and only one. If we allow two fingerprints to be used, then there are 90 different possibilities, 100 if we can use the same finger twice. Three fingers would bring the number of possibilities to 270, without repeats.

Remember that the fingerprint image isn't what's transmitted across the network, but rather a number calculated from the fingerprint(s), then SALTed and HASHed. If the SALTed and HASHed value is compromised (say through a database breach) there's no need to change the fingerprint used to authenticate at all; just change the SALT value or HASH algorithm and the authentication is again secure.

Beyond that, though, I've thought of a method which will allow millions of possibilities for a fingerprint biometric. 

It's important to remember that when you offer your fingerprint for authentication, it isn't compared to all of the fingerprints in the database to find a match. (Neither are passwords, else we'd all need unique passwords.) Rather, it's value is matched against the recorded fingerprint value for a single account, the one you indicate with the account/user name. The value entered at authentication has to match the stored value.

Security expert Thomas Baekdal has postulated, and defended, the idea that a simple phrase ("This is fun.") is the most secure password you could use. We can adapt this idea to biometrics and consider using "fingerprint phrases." As far as I know, no one is using this method yet,  but the future isn't that far away.

Each hand has five fingers: pinky, ring, middle, index, and thumb. We could abbreviate these as P, R, M, I, and T. Add R for right and L for left and the ten become LP, LR, LM, LI, LT, RT, RI, RM, RR, and RP. From these we could create a simple phrase: LP RP LI RT. Thousands of possibilities there, using two to 10 fingers, right? But just as we can reuse letters and symbols in passwords, we can reuse fingers in our phrases: LP RP LP RI LI LP RT, for example.

I'm afraid my math skills on permutations and combinations are a bit rusty, so if someone more familiar with the formulae wishes to take on the challenge of calculating the number of possibilities, go for it. It's 10 things, with no limit on combinations or re-use. Millions and millions of possibilities I would think.

And, as someone reminded me when we were talking about this in Munich, we haven't even mentioned toes!

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
kuwacs
100%
0%
kuwacs,
User Rank: Apprentice
6/9/2014 | 3:44:38 PM
Re: No better than passwords
I see your point, Steve. If you have a line up of prints, it's not much different from typing in an order of characters. But, as the other commenter said, finger prints cannot be written down, or accidentally shared with someone. Also, phishing for a print isn't easy, because in order to use the value the phisher receives, they have to know the hash and salt of the program that they are trying to get into. Lifting and replaying prints is delicate work, from my understanding. And while it might seem easy to find and lift a print, imagine having to lift all ten, and then trying to figure out which ones to use, and what order to use them in, to get access. Passphrases can be typed, read, written down, guessed...etc. You can't do any of these with a fingerprint.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/6/2014 | 4:09:11 PM
Re: thought provoking -- toe-factor authentication
that's quite good, @DavidB199. LOL
DavidB199
100%
0%
DavidB199,
User Rank: Apprentice
6/6/2014 | 9:25:35 AM
thought provoking
Sir,


I really enjoyed reading your article....especially the last line about toes. Would that constitute 'toe factor authentication'? Haha..excuse my dry british humor.


Cheers!
dak3
50%
50%
dak3,
User Rank: Moderator
6/5/2014 | 2:16:57 PM
Re: Actually Ardeun is ....
Interesting, I'll have to look into them (or have my Aussie colleagues do so).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 7:43:26 AM
Re: Actually Ardeun is ....
It's good to hear some real-world example that biometrics are working. I have TouchID on my iphone5 and its fast, simple and very reliable. Nothing is perfect, of course, but what we have now (passwords) is barely adequate to the task. I hope we see some progress in this area in the months and years to come.  
MarkA899
50%
50%
MarkA899,
User Rank: Apprentice
6/3/2014 | 8:57:21 PM
Actually Ardeun is ....
Great article and good commentary on the SALTed and HASHed values.

On the point of "fingerprint phrases" actually a company called Ardeun Biometrics does use this and other techniques in their Biometric Authentication solution. They encompass a number of modes of biometrics selected by the user or the company wanting to be secured, namely finger and face, or face and voice, or finger and voice etc etc. On the finger side of things, they also have combinations of fingers that can be used to authenticate. Likewise there is also a very simple single scan for fast and easy access where a lesser concern for security exposure exists yet true authentication is required.

I mention this because we use Ardeun in our company and it has been great. Fast access and also all staff are identifiable without question. 

 
avargas586
0%
100%
avargas586,
User Rank: Apprentice
6/3/2014 | 2:19:52 PM
Students
Parents who want to spend more time with their children
-Trailing military spouses
-Retirees
-Stay at home moms
-Students
-Retirees
-or anyone else needing supplemental income
We can help you... Visit us and sign up at our website and you can start earning from online work.

Start here>>>>>>> www.Bay91.Com
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/3/2014 | 11:39:29 AM
Re: Glad to see you shoot down a few biometric canards...
Well that's a new one for me: a biometric wristband that authenticates the identity of the wearer using their unique cardiac rhythm (electrocardiogram – ECG). Cool!



 

 

 

 

 

 

 

 

More in this bionym whitepaper 
dak3
50%
50%
dak3,
User Rank: Moderator
6/3/2014 | 8:24:16 AM
Re: No better than passwords
Well, Steve, you  can't write down your fingerprints on a sticky note...
Steve_Lockstep
100%
0%
Steve_Lockstep,
User Rank: Apprentice
6/2/2014 | 6:23:13 PM
No better than passwords
So let me get this straight. Dave Kearns accepts that fingerprints can be stolen and replayed. So he suggests that a countermeasure to biometric identity theft is to have users memorise a secret sequence of fingers which only they know. Like "left pinky, right middle, left index, left index, right ring" - presto. 

And how is this better than a regular passphrase? 
Page 1 / 2   >   >>
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Oracle Product Rollout Underscores Need for Trust in the Cloud
Kelly Sheridan, Associate Editor, Dark Reading,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.