Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:00 PM
Dave Kearns
Dave Kearns
Connect Directly
E-Mail vvv

How The Math Of Biometric Authentication Adds Up

Yes, it's true that if your authentication scheme only allows a single fingerprint you only have 10 choices. But there's no rule that says it has to be one, and only one.

I was at the European Identity Conference in Munich a couple of weeks ago, sitting in the audience listening to a presentation on future authentication methods in which biometrics played a prominent role. During the question time at the end of the presentation a couple of old canards were raised concerning fingerprints. Let's try to shoot them down.

First, a surprising number of people believe that the stored "fingerprint" can be lifted and placed at a crime scene to frame the finger's owner. But there is no "fingerprint" stored. It's just a value, the same as in a password or token system.

Nor can that value be reverse engineered to create an image of the fingerprint. When you swipe your finger, a series of arbitrary measurements are taken which are combined in a proprietary method by the application. To this value is applied a SALT (a random bit of data added to the calculated value) then it is HASHed (passed through a one-way function) and it is that resulting value which is transmitted and stored. The HASH is one-way, it cannot be reversed. Your fingerprint cannot be reconstructed.

The second fallacy was raised by a gentleman who insisted that if your fingerprint is compromised you can't change it. My immediate thought was "Oh, that poor man. He only has one finger."

Most of us have ten fingers – or eight fingers and two thumbs -- which is (for biometric purposes) the same thing. Changing from one to another is no more difficult than changing from one password to another.

But wait, you say, that only means you can change nine times. What happens after that? While it's true that if your authentication scheme only allows a single fingerprint, then you only have 10 choices. But there's no rule that says it has to be one and only one. If we allow two fingerprints to be used, then there are 90 different possibilities, 100 if we can use the same finger twice. Three fingers would bring the number of possibilities to 270, without repeats.

Remember that the fingerprint image isn't what's transmitted across the network, but rather a number calculated from the fingerprint(s), then SALTed and HASHed. If the SALTed and HASHed value is compromised (say through a database breach) there's no need to change the fingerprint used to authenticate at all; just change the SALT value or HASH algorithm and the authentication is again secure.

Beyond that, though, I've thought of a method which will allow millions of possibilities for a fingerprint biometric. 

It's important to remember that when you offer your fingerprint for authentication, it isn't compared to all of the fingerprints in the database to find a match. (Neither are passwords, else we'd all need unique passwords.) Rather, it's value is matched against the recorded fingerprint value for a single account, the one you indicate with the account/user name. The value entered at authentication has to match the stored value.

Security expert Thomas Baekdal has postulated, and defended, the idea that a simple phrase ("This is fun.") is the most secure password you could use. We can adapt this idea to biometrics and consider using "fingerprint phrases." As far as I know, no one is using this method yet,  but the future isn't that far away.

Each hand has five fingers: pinky, ring, middle, index, and thumb. We could abbreviate these as P, R, M, I, and T. Add R for right and L for left and the ten become LP, LR, LM, LI, LT, RT, RI, RM, RR, and RP. From these we could create a simple phrase: LP RP LI RT. Thousands of possibilities there, using two to 10 fingers, right? But just as we can reuse letters and symbols in passwords, we can reuse fingers in our phrases: LP RP LP RI LI LP RT, for example.

I'm afraid my math skills on permutations and combinations are a bit rusty, so if someone more familiar with the formulae wishes to take on the challenge of calculating the number of possibilities, go for it. It's 10 things, with no limit on combinations or re-use. Millions and millions of possibilities I would think.

And, as someone reminded me when we were talking about this in Munich, we haven't even mentioned toes!

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...
View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Moderator
6/2/2014 | 5:46:20 PM
Re: Glad to see you shoot down a few biometric canards...
The future? Wearable biometrics...

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
6/2/2014 | 4:59:43 PM
Glad to see you shoot down a few biometric canards...
(And surprised that so many security believed them) But I'm even more curious to look into the crystal ball and find out what the future of biometric authentication will look like. Give us a peek, Dave. 
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version may allow an authenticated user to potentially enable denial of service via local access.