Are fingerprint scanners more secure than passwords?

Discussion in 'other security issues & news' started by Devinco, Jul 11, 2004.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Everyone,

    I read the interesting post about fingerprint scanners by ronjor here and the linked to article.
    The current crop of scanners are certainly more convenient than having to remember a password to access your password manager. They do increase the physical security of an unattended computer (at least superficially).
    Also, current key loggers would be ineffective at capturing the fingerprint.

    So besides the above points, are fingerprint scanners more secure than passwords?
    Here is why I ask:
    Sure a fingerprint is unique only to you, but in order to be used for authentication, it has to be digitized and stored in the computer in some kind of file. This file could be transported (courtesy of malware) to a third party and they could use the fingerprint file to impersonate you.
    Also, just like there are key loggers today, why wouldn't there be fingerprint loggers tomorrow? Of course, this assumes your computer has been compromised by malware, perhaps a root kit. Nowadays, unless you are security savvy (i.e. a Wilder's member ;)), your computer could be compromised relatively easily.

    So, what do you think?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Any type of input device connects into a system via physical connection and there is software of some sort on the system that monitors the device inputs so that they can be acted upon. In that regard there is no difference at all between a keyboard, a mouse or a fingerprint scanner. They are just different types of input devices, but they work very much the same from the perspective of the software intercepting and acting upon the device signals.

    I see no reason why the input from a fingerprint device can't be "keylogged" (meaning captured, recorded and sent somewhere else for malicious purpose). And of course, you are correct that this argument assumes an already compromised PC.

    Now, I'm less worried about how the resulting fingerprint data is stored on the PC. Passwords are often stored using one-way hashing mechanisms so you can't easily generate the original password just by having the stored value. So if I had developed the fingerprint recognition software, I would have implemented the same type of secure storage capability for the fingerprint data. (Of course, I'm not talking about people getting the password file, or in this case the fingerprint hash storage file, and cracking it. Frankly, once you have physical access to a PC it's all over anyway. And if you have a rootkit already installed on a compromised PC, then it's even easier. You can intercept any internal communications on the box and grab it and use it as needed.)

    For normal PC workstations, I see no security advantage to a fingerprint logon device, only an efficiency (speed and ease of access) aspect for the authorized users. If a bad guy can get physical access to a system then whether it is a password input from the keyboard, or a fingerprint input from a scanner, the physical access trumps it all.
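
The two points in LowWaterMark's post above, as an added example that is not part of the thread or any poster's code: the stored record is a salted one-way value, yet input copied in transit on a compromised PC still verifies. The `LoggedInput` class, the sample input and the iteration count are assumptions made for illustration, and the model treats the device output as an exact byte string.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def enroll(secret: bytes) -> dict:
    """Create the record kept on disk: salt + one-way derived value only."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, presented: bytes) -> bool:
    """Re-derive from whatever the input device delivered and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", presented, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


class LoggedInput:
    """Hypothetical stand-in for the software between device and logon code.

    On a clean system it only forwards data; on a compromised one the same
    position lets it keep a copy (the 'captured' list)."""

    def __init__(self, compromised: bool):
        self.compromised = compromised
        self.captured = []

    def read(self, device_data: bytes) -> bytes:
        if self.compromised:
            self.captured.append(device_data)
        return device_data


def demo() -> dict:
    secret = b"constructed-sample-input"  # constructed; password or scanner output
    record = enroll(secret)
    layer = LoggedInput(compromised=True)
    first_logon = verify(record, layer.read(secret))
    return {
        "secret_in_record": secret in record["salt"] + record["digest"],
        "first_logon": first_logon,
        "wrong_input": verify(record, b"something else"),
        "replayed_capture": verify(record, layer.captured[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The storage format protects the file at rest; it does nothing about the copy taken between the device and the check, which is why the defence has to be keeping the machine uncompromised.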
     
  3. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    well I might just have to get out my welder and build a LWM proof case :D
     
  4. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Keep one other thing in mind about fingerprints (from a former law officer who did a lot of reading, especially after unexpected early retirement).

    While they're popularly believed to be absolutely unique, the reality is that they're "unique" only for most practical purposes, and within a finite (but quite large, like a couple of continents) population sample. The odds against someone else having the same fingerprints as you are several hundred million, perhaps a billion, to one -- but given today's world population, there could be half a dozen other people somewhere in the world with exactly the same fingerprints.

    The chances of two such people being relatively nearby in a common culture (even, say, the whole Christian world, or the whole English speaking world) are so infinitesimal that law-enforcement and judicial systems, even up to the Interpol level, consider the prints unique. But as you've probably heard, top-security operations are now mostly switching to retina scans for ID, or better yet the combination of retinas plus fingerprints.

    Hmm, so much for the "quick comment" I had in mind when I started this. :oops:

    Best,
    Mike
     
  5. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    umm ya but I seen on tv shows that if you have retinal scans for security, if a perp wants to get into your computer he has to cut your eyes out. I'd rather just be able to give him a finger or better yet a password. :)
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Just giving him the finger might be the best way :D ;)
     
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you LowWaterMark! :)
    Your explanation was clear, to the point, and thorough.

    I've wondered about this since they first came out with the PC fingerprint scanners and it is great to be able to have these kinds of questions answered.

    Much appreciated.
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Mike,

    Thanks for the info, I'll start looking for my 6 other fingerprint twins. Then I'll be able to be in 7 places at once. :)
     
    Last edited: Jul 11, 2004
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    But how can this (retina or retina/fingerprint scans) be considered "top-security" if they have the same basic vulnerability as a PC fingerprint scanner? Are they implemented in a more secure way? If so, what makes it better and could such a system be implemented on a PC level?

    Thanks
     
  10. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Sorry, Devinco, I haven't a clue about the technical details of retina scans -- I think the basic principle is that there's a few orders of magnitude more different kinds of retinal patterns than in fingerprints, so they're far more likely to truly be unique.

    But I got a little off topic bringing that up in the first place. LWM's point, and there seems to be general agreement with it, was that if there's physical access to your computer, then a major part of your security is lost.
     