Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/2/2014
12:00 PM
Dave Kearns
Dave Kearns
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How The Math Of Biometric Authentication Adds Up

Yes, it's true that if your authentication scheme only allows a single fingerprint you only have 10 choices. But there's no rule that says it has to be one, and only one.

I was at the European Identity Conference in Munich a couple of weeks ago, sitting in the audience listening to a presentation on future authentication methods in which biometrics played a prominent role. During the question time at the end of the presentation a couple of old canards were raised concerning fingerprints. Let's try to shoot them down.

First, a surprising number of people believe that the stored "fingerprint" can be lifted and placed at a crime scene to frame the finger's owner. But there is no "fingerprint" stored. It's just a value, the same as in a password or token system.

Nor can that value be reverse engineered to create an image of the fingerprint. When you swipe your finger, a series of arbitrary measurements are taken which are combined in a proprietary method by the application. To this value is applied a SALT (a random bit of data added to the calculated value) then it is HASHed (passed through a one-way function) and it is that resulting value which is transmitted and stored. The HASH is one-way, it cannot be reversed. Your fingerprint cannot be reconstructed.

The second fallacy was raised by a gentleman who insisted that if your fingerprint is compromised you can't change it. My immediate thought was "Oh, that poor man. He only has one finger."

Most of us have ten fingers – or eight fingers and two thumbs -- which is (for biometric purposes) the same thing. Changing from one to another is no more difficult than changing from one password to another.

But wait, you say, that only means you can change nine times. What happens after that? While it's true that if your authentication scheme only allows a single fingerprint, then you only have 10 choices. But there's no rule that says it has to be one and only one. If we allow two fingerprints to be used, then there are 90 different possibilities, 100 if we can use the same finger twice. Three fingers would bring the number of possibilities to 270, without repeats.

Remember that the fingerprint image isn't what's transmitted across the network, but rather a number calculated from the fingerprint(s), then SALTed and HASHed. If the SALTed and HASHed value is compromised (say through a database breach) there's no need to change the fingerprint used to authenticate at all; just change the SALT value or HASH algorithm and the authentication is again secure.

Beyond that, though, I've thought of a method which will allow millions of possibilities for a fingerprint biometric. 

It's important to remember that when you offer your fingerprint for authentication, it isn't compared to all of the fingerprints in the database to find a match. (Neither are passwords, else we'd all need unique passwords.) Rather, it's value is matched against the recorded fingerprint value for a single account, the one you indicate with the account/user name. The value entered at authentication has to match the stored value.

Security expert Thomas Baekdal has postulated, and defended, the idea that a simple phrase ("This is fun.") is the most secure password you could use. We can adapt this idea to biometrics and consider using "fingerprint phrases." As far as I know, no one is using this method yet,  but the future isn't that far away.

Each hand has five fingers: pinky, ring, middle, index, and thumb. We could abbreviate these as P, R, M, I, and T. Add R for right and L for left and the ten become LP, LR, LM, LI, LT, RT, RI, RM, RR, and RP. From these we could create a simple phrase: LP RP LI RT. Thousands of possibilities there, using two to 10 fingers, right? But just as we can reuse letters and symbols in passwords, we can reuse fingers in our phrases: LP RP LP RI LI LP RT, for example.

I'm afraid my math skills on permutations and combinations are a bit rusty, so if someone more familiar with the formulae wishes to take on the challenge of calculating the number of possibilities, go for it. It's 10 things, with no limit on combinations or re-use. Millions and millions of possibilities I would think.

And, as someone reminded me when we were talking about this in Munich, we haven't even mentioned toes!

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
kuwacs
100%
0%
kuwacs,
User Rank: Apprentice
6/9/2014 | 3:44:38 PM
Re: No better than passwords
I see your point, Steve. If you have a line up of prints, it's not much different from typing in an order of characters. But, as the other commenter said, finger prints cannot be written down, or accidentally shared with someone. Also, phishing for a print isn't easy, because in order to use the value the phisher receives, they have to know the hash and salt of the program that they are trying to get into. Lifting and replaying prints is delicate work, from my understanding. And while it might seem easy to find and lift a print, imagine having to lift all ten, and then trying to figure out which ones to use, and what order to use them in, to get access. Passphrases can be typed, read, written down, guessed...etc. You can't do any of these with a fingerprint.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/6/2014 | 4:09:11 PM
Re: thought provoking -- toe-factor authentication
that's quite good, @DavidB199. LOL
DavidB199
100%
0%
DavidB199,
User Rank: Apprentice
6/6/2014 | 9:25:35 AM
thought provoking
Sir,


I really enjoyed reading your article....especially the last line about toes. Would that constitute 'toe factor authentication'? Haha..excuse my dry british humor.


Cheers!
dak3
50%
50%
dak3,
User Rank: Moderator
6/5/2014 | 2:16:57 PM
Re: Actually Ardeun is ....
Interesting, I'll have to look into them (or have my Aussie colleagues do so).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 7:43:26 AM
Re: Actually Ardeun is ....
It's good to hear some real-world example that biometrics are working. I have TouchID on my iphone5 and its fast, simple and very reliable. Nothing is perfect, of course, but what we have now (passwords) is barely adequate to the task. I hope we see some progress in this area in the months and years to come.  
MarkA899
50%
50%
MarkA899,
User Rank: Apprentice
6/3/2014 | 8:57:21 PM
Actually Ardeun is ....
Great article and good commentary on the SALTed and HASHed values.

On the point of "fingerprint phrases" actually a company called Ardeun Biometrics does use this and other techniques in their Biometric Authentication solution. They encompass a number of modes of biometrics selected by the user or the company wanting to be secured, namely finger and face, or face and voice, or finger and voice etc etc. On the finger side of things, they also have combinations of fingers that can be used to authenticate. Likewise there is also a very simple single scan for fast and easy access where a lesser concern for security exposure exists yet true authentication is required.

I mention this because we use Ardeun in our company and it has been great. Fast access and also all staff are identifiable without question. 

 
avargas586
0%
100%
avargas586,
User Rank: Apprentice
6/3/2014 | 2:19:52 PM
Students
Parents who want to spend more time with their children
-Trailing military spouses
-Retirees
-Stay at home moms
-Students
-Retirees
-or anyone else needing supplemental income
We can help you... Visit us and sign up at our website and you can start earning from online work.

Start here>>>>>>> www.Bay91.Com
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/3/2014 | 11:39:29 AM
Re: Glad to see you shoot down a few biometric canards...
Well that's a new one for me: a biometric wristband that authenticates the identity of the wearer using their unique cardiac rhythm (electrocardiogram – ECG). Cool!



 

 

 

 

 

 

 

 

More in this bionym whitepaper 
dak3
50%
50%
dak3,
User Rank: Moderator
6/3/2014 | 8:24:16 AM
Re: No better than passwords
Well, Steve, you  can't write down your fingerprints on a sticky note...
Steve_Lockstep
100%
0%
Steve_Lockstep,
User Rank: Apprentice
6/2/2014 | 6:23:13 PM
No better than passwords
So let me get this straight. Dave Kearns accepts that fingerprints can be stolen and replayed. So he suggests that a countermeasure to biometric identity theft is to have users memorise a secret sequence of fingers which only they know. Like "left pinky, right middle, left index, left index, right ring" - presto. 

And how is this better than a regular passphrase? 
Page 1 / 2   >   >>
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...