Endpoint
6/2/2014
12:00 PM
Dave Kearns
Dave Kearns
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

How The Math Of Biometric Authentication Adds Up

Yes, it's true that if your authentication scheme only allows a single fingerprint you only have 10 choices. But there's no rule that says it has to be one, and only one.

I was at the European Identity Conference in Munich a couple of weeks ago, sitting in the audience listening to a presentation on future authentication methods in which biometrics played a prominent role. During the question time at the end of the presentation a couple of old canards were raised concerning fingerprints. Let's try to shoot them down.

First, a surprising number of people believe that the stored "fingerprint" can be lifted and placed at a crime scene to frame the finger's owner. But there is no "fingerprint" stored. It's just a value, the same as in a password or token system.

Nor can that value be reverse engineered to create an image of the fingerprint. When you swipe your finger, a series of arbitrary measurements are taken which are combined in a proprietary method by the application. To this value is applied a SALT (a random bit of data added to the calculated value) then it is HASHed (passed through a one-way function) and it is that resulting value which is transmitted and stored. The HASH is one-way, it cannot be reversed. Your fingerprint cannot be reconstructed.

The second fallacy was raised by a gentleman who insisted that if your fingerprint is compromised you can't change it. My immediate thought was "Oh, that poor man. He only has one finger."

Most of us have ten fingers – or eight fingers and two thumbs -- which is (for biometric purposes) the same thing. Changing from one to another is no more difficult than changing from one password to another.

But wait, you say, that only means you can change nine times. What happens after that? While it's true that if your authentication scheme only allows a single fingerprint, then you only have 10 choices. But there's no rule that says it has to be one and only one. If we allow two fingerprints to be used, then there are 90 different possibilities, 100 if we can use the same finger twice. Three fingers would bring the number of possibilities to 270, without repeats.

Remember that the fingerprint image isn't what's transmitted across the network, but rather a number calculated from the fingerprint(s), then SALTed and HASHed. If the SALTed and HASHed value is compromised (say through a database breach) there's no need to change the fingerprint used to authenticate at all; just change the SALT value or HASH algorithm and the authentication is again secure.

Beyond that, though, I've thought of a method which will allow millions of possibilities for a fingerprint biometric. 

It's important to remember that when you offer your fingerprint for authentication, it isn't compared to all of the fingerprints in the database to find a match. (Neither are passwords, else we'd all need unique passwords.) Rather, it's value is matched against the recorded fingerprint value for a single account, the one you indicate with the account/user name. The value entered at authentication has to match the stored value.

Security expert Thomas Baekdal has postulated, and defended, the idea that a simple phrase ("This is fun.") is the most secure password you could use. We can adapt this idea to biometrics and consider using "fingerprint phrases." As far as I know, no one is using this method yet,  but the future isn't that far away.

Each hand has five fingers: pinky, ring, middle, index, and thumb. We could abbreviate these as P, R, M, I, and T. Add R for right and L for left and the ten become LP, LR, LM, LI, LT, RT, RI, RM, RR, and RP. From these we could create a simple phrase: LP RP LI RT. Thousands of possibilities there, using two to 10 fingers, right? But just as we can reuse letters and symbols in passwords, we can reuse fingers in our phrases: LP RP LP RI LI LP RT, for example.

I'm afraid my math skills on permutations and combinations are a bit rusty, so if someone more familiar with the formulae wishes to take on the challenge of calculating the number of possibilities, go for it. It's 10 things, with no limit on combinations or re-use. Millions and millions of possibilities I would think.

And, as someone reminded me when we were talking about this in Munich, we haven't even mentioned toes!

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
kuwacs
100%
0%
kuwacs,
User Rank: Apprentice
6/9/2014 | 3:44:38 PM
Re: No better than passwords
I see your point, Steve. If you have a line up of prints, it's not much different from typing in an order of characters. But, as the other commenter said, finger prints cannot be written down, or accidentally shared with someone. Also, phishing for a print isn't easy, because in order to use the value the phisher receives, they have to know the hash and salt of the program that they are trying to get into. Lifting and replaying prints is delicate work, from my understanding. And while it might seem easy to find and lift a print, imagine having to lift all ten, and then trying to figure out which ones to use, and what order to use them in, to get access. Passphrases can be typed, read, written down, guessed...etc. You can't do any of these with a fingerprint.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/6/2014 | 4:09:11 PM
Re: thought provoking -- toe-factor authentication
that's quite good, @DavidB199. LOL
DavidB199
100%
0%
DavidB199,
User Rank: Apprentice
6/6/2014 | 9:25:35 AM
thought provoking
Sir,


I really enjoyed reading your article....especially the last line about toes. Would that constitute 'toe factor authentication'? Haha..excuse my dry british humor.


Cheers!
dak3
50%
50%
dak3,
User Rank: Apprentice
6/5/2014 | 2:16:57 PM
Re: Actually Ardeun is ....
Interesting, I'll have to look into them (or have my Aussie colleagues do so).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 7:43:26 AM
Re: Actually Ardeun is ....
It's good to hear some real-world example that biometrics are working. I have TouchID on my iphone5 and its fast, simple and very reliable. Nothing is perfect, of course, but what we have now (passwords) is barely adequate to the task. I hope we see some progress in this area in the months and years to come.  
MarkA899
50%
50%
MarkA899,
User Rank: Apprentice
6/3/2014 | 8:57:21 PM
Actually Ardeun is ....
Great article and good commentary on the SALTed and HASHed values.

On the point of "fingerprint phrases" actually a company called Ardeun Biometrics does use this and other techniques in their Biometric Authentication solution. They encompass a number of modes of biometrics selected by the user or the company wanting to be secured, namely finger and face, or face and voice, or finger and voice etc etc. On the finger side of things, they also have combinations of fingers that can be used to authenticate. Likewise there is also a very simple single scan for fast and easy access where a lesser concern for security exposure exists yet true authentication is required.

I mention this because we use Ardeun in our company and it has been great. Fast access and also all staff are identifiable without question. 

 
avargas586
0%
100%
avargas586,
User Rank: Apprentice
6/3/2014 | 2:19:52 PM
Students
Parents who want to spend more time with their children
-Trailing military spouses
-Retirees
-Stay at home moms
-Students
-Retirees
-or anyone else needing supplemental income
We can help you... Visit us and sign up at our website and you can start earning from online work.

Start here>>>>>>> www.Bay91.Com
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/3/2014 | 11:39:29 AM
Re: Glad to see you shoot down a few biometric canards...
Well that's a new one for me: a biometric wristband that authenticates the identity of the wearer using their unique cardiac rhythm (electrocardiogram – ECG). Cool!



 

 

 

 

 

 

 

 

More in this bionym whitepaper 
dak3
50%
50%
dak3,
User Rank: Apprentice
6/3/2014 | 8:24:16 AM
Re: No better than passwords
Well, Steve, you  can't write down your fingerprints on a sticky note...
Steve_Lockstep
100%
0%
Steve_Lockstep,
User Rank: Apprentice
6/2/2014 | 6:23:13 PM
No better than passwords
So let me get this straight. Dave Kearns accepts that fingerprints can be stolen and replayed. So he suggests that a countermeasure to biometric identity theft is to have users memorise a secret sequence of fingers which only they know. Like "left pinky, right middle, left index, left index, right ring" - presto. 

And how is this better than a regular passphrase? 
Page 1 / 2   >   >>
More Blogs from Commentary
Dark Reading Radio: Data Loss Prevention (DLP) Fail
Learn about newly found vulnerabilities in commercial and open-source DLP software in the 7/30 episode of Dark Reading Radio.
The Perfect InfoSec Mindset: Paranoia + Skepticism
A little skeptical paranoia will ensure that you have the impulse to react quickly to new threats while retaining the logic to separate fact from fiction.
Weak Password Advice From Microsoft
Tempting as it may seem to do away with strong passwords for low-risk websites, password reuse is still a significant threat to both users and business.
Internet of Things: 4 Security Tips From The Military
The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. Itís time to take a page from their battle plan.
Passwords Be Gone! Removing 4 Barriers To Strong Authentication
As biometric factors become more prevalent on mobile devices, FIDO Alliance standards will gain traction as an industry-wide authentication solution.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-3025
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

Best of the Web
Dark Reading Radio