Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:00 PM
Dave Kearns
Dave Kearns
Connect Directly
E-Mail vvv

How The Math Of Biometric Authentication Adds Up

Yes, it's true that if your authentication scheme only allows a single fingerprint you only have 10 choices. But there's no rule that says it has to be one, and only one.

I was at the European Identity Conference in Munich a couple of weeks ago, sitting in the audience listening to a presentation on future authentication methods in which biometrics played a prominent role. During the question time at the end of the presentation a couple of old canards were raised concerning fingerprints. Let's try to shoot them down.

First, a surprising number of people believe that the stored "fingerprint" can be lifted and placed at a crime scene to frame the finger's owner. But there is no "fingerprint" stored. It's just a value, the same as in a password or token system.

Nor can that value be reverse engineered to create an image of the fingerprint. When you swipe your finger, a series of arbitrary measurements are taken which are combined in a proprietary method by the application. To this value is applied a SALT (a random bit of data added to the calculated value) then it is HASHed (passed through a one-way function) and it is that resulting value which is transmitted and stored. The HASH is one-way, it cannot be reversed. Your fingerprint cannot be reconstructed.

The second fallacy was raised by a gentleman who insisted that if your fingerprint is compromised you can't change it. My immediate thought was "Oh, that poor man. He only has one finger."

Most of us have ten fingers – or eight fingers and two thumbs -- which is (for biometric purposes) the same thing. Changing from one to another is no more difficult than changing from one password to another.

But wait, you say, that only means you can change nine times. What happens after that? While it's true that if your authentication scheme only allows a single fingerprint, then you only have 10 choices. But there's no rule that says it has to be one and only one. If we allow two fingerprints to be used, then there are 90 different possibilities, 100 if we can use the same finger twice. Three fingers would bring the number of possibilities to 270, without repeats.

Remember that the fingerprint image isn't what's transmitted across the network, but rather a number calculated from the fingerprint(s), then SALTed and HASHed. If the SALTed and HASHed value is compromised (say through a database breach) there's no need to change the fingerprint used to authenticate at all; just change the SALT value or HASH algorithm and the authentication is again secure.

Beyond that, though, I've thought of a method which will allow millions of possibilities for a fingerprint biometric. 

It's important to remember that when you offer your fingerprint for authentication, it isn't compared to all of the fingerprints in the database to find a match. (Neither are passwords, else we'd all need unique passwords.) Rather, it's value is matched against the recorded fingerprint value for a single account, the one you indicate with the account/user name. The value entered at authentication has to match the stored value.

Security expert Thomas Baekdal has postulated, and defended, the idea that a simple phrase ("This is fun.") is the most secure password you could use. We can adapt this idea to biometrics and consider using "fingerprint phrases." As far as I know, no one is using this method yet,  but the future isn't that far away.

Each hand has five fingers: pinky, ring, middle, index, and thumb. We could abbreviate these as P, R, M, I, and T. Add R for right and L for left and the ten become LP, LR, LM, LI, LT, RT, RI, RM, RR, and RP. From these we could create a simple phrase: LP RP LI RT. Thousands of possibilities there, using two to 10 fingers, right? But just as we can reuse letters and symbols in passwords, we can reuse fingers in our phrases: LP RP LP RI LI LP RT, for example.

I'm afraid my math skills on permutations and combinations are a bit rusty, so if someone more familiar with the formulae wishes to take on the challenge of calculating the number of possibilities, go for it. It's 10 things, with no limit on combinations or re-use. Millions and millions of possibilities I would think.

And, as someone reminded me when we were talking about this in Munich, we haven't even mentioned toes!

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...
View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Moderator
6/2/2014 | 5:46:20 PM
Re: Glad to see you shoot down a few biometric canards...
The future? Wearable biometrics...

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
6/2/2014 | 4:59:43 PM
Glad to see you shoot down a few biometric canards...
(And surprised that so many security believed them) But I'm even more curious to look into the crystal ball and find out what the future of biometric authentication will look like. Give us a peek, Dave. 
<<   <   Page 2 / 2
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a &quot;schwache Sandbox.&quot;
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.