Unhashable: Why Fingerprints Are Weaker Security Than Passwords

"Fingerprints aren't terribly secure; you leave them on almost everything you touch. Many people won't realize that fingerprints can be captured and reproduced from casual photographs. It's actually worse than that. The very method with which fingerprints are stored is much weaker than passwords. Fingerprints cannot be hashed. By their very nature, each read of your fingerprint will be a little different, which breaks the hashing method. They can only be stored using encryption, which requires the same master password each time a new print read is compared to the stored key -- a much weaker method than salted hashes. This more easily opens fingerprint credentials up to theft and brute forcing."

-- source: http://it.slashdot.org/story/15/11/10/228223

Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
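The quoted article rests on one property of hashing: verification only succeeds on a bit-for-bit identical input, so a salted hash can be checked without ever keeping the secret in recoverable form, while a sensor read that differs by even one bit fails the check. The Python snippet below is added here as an illustration and is not part of the list thread or the Slashdot article. It uses PBKDF2 from the standard library for the password side, and a constructed toy "template" (a vector of 32 byte values, with each read perturbed by up to +/-3 per value) as a stand-in for a real minutiae template; the distance threshold of 96 is simply 32 values times the maximum per-value noise and is an assumption of the example, not a figure from the text.

```python
import hashlib
import hmac
import os
import random

# --- Password side: salted, iterated hash; the secret is never stored ---

def hash_password(password, salt=None, iterations=200_000):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest, iterations=200_000):
    """Recompute the digest and compare in constant time; only an exact
    reproduction of the original password verifies."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

# --- Biometric side: a constructed toy template, not a real minutiae format ---

TEMPLATE_LENGTH = 32   # constructed: number of feature values per template
READ_NOISE = 3         # constructed: max per-value deviation between two reads

def enroll_template(seed=1234, length=TEMPLATE_LENGTH):
    """Deterministically construct a reference template (values 0..255)."""
    rng = random.Random(seed)
    return [rng.randint(0, 255) for _ in range(length)]

def read_template(template, noise=READ_NOISE, seed=None):
    """Simulate a fresh sensor read: every value shifts by a small amount,
    so two reads of the same finger are almost never identical."""
    rng = random.Random(seed)
    return [max(0, min(255, v + rng.randint(-noise, noise))) for v in template]

def hash_template(template):
    return hashlib.sha256(bytes(template)).digest()

def hash_matches(template, reading):
    """Hash-based check, as one would do for a password. Fails on any noise."""
    return hmac.compare_digest(hash_template(template), hash_template(reading))

def distance(a, b):
    """L1 distance between two feature vectors."""
    return sum(abs(x - y) for x, y in zip(a, b))

def fuzzy_matches(template, reading, threshold=TEMPLATE_LENGTH * READ_NOISE):
    """Threshold comparison. Note it needs the reference template in the
    clear: at rest the template can only be encrypted (reversibly), and the
    decryption key must be available at every comparison, which is the
    weakness the quoted article describes."""
    return distance(template, reading) <= threshold

if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", salt, digest))

    reference = enroll_template()
    fresh_read = read_template(reference, seed=1)
    print("hash check on a fresh read:", hash_matches(reference, fresh_read))
    print("fuzzy check on a fresh read:", fuzzy_matches(reference, fresh_read))
    print("fuzzy check on another finger:", fuzzy_matches(reference, enroll_template(seed=999)))
```

The hash check on the fresh read returns False even though it is the same "finger", while the distance check accepts it and rejects an unrelated template. The asymmetry to notice is in what each verifier needs at rest: `verify_password` needs only the salt and digest, whereas `fuzzy_matches` needs the reference template itself, so a database of fingerprint templates is only as protected as the key that decrypts it.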

On Wed, 11 Nov 2015 14:12:22 +1300, Peter Reutemann wrote:
"Fingerprints aren't terribly secure; you leave them on almost everything you touch."
-- source: http://it.slashdot.org/story/15/11/10/228223
There seems to be this perception that fingerprints either match or don’t match. That’s because their use started before the widespread development of 20th-century statistical techniques. In reality, they can only match more or less on a sliding scale of probabilities, just like DNA.

I like Bruce Schneier’s summary: there are 3 kinds of authentication factors you can use.

* Something you know (e.g. a password)
* Something you have (a physical key, or a device like a YubiKey, or even your mobile phone)
* Something you are (biometrics, including fingerprints, iris prints etc)

Two-factor authentication is based on using two different kinds of factors together.

Simply using biometrics is not very safe. Even pop culture shows that, as there are plenty of movies where body parts were "borrowed" to get into secure facilities...

Cheers, Peter

On Wed, 11 Nov 2015 14:38:43 +1300, Peter Reutemann wrote:
Simply using biometrics is not very safe.
You wouldn’t use it for remote authentication, but it can work well, for example, in the physical presence of a security guard who has just checked your ID. Remember, it’s all about using more than one authentication factor at a time.

Absolutely.

Cheers, Peter

In an access control context "secure" sites that use biometrics use a three-factor authentication:

1. your biometric auth
2. a password/pin
3. personnel verification, either an ID check by a guard or something such as the U.S. federal FIPS protocol.

Access control using just biometric authentication is only considered to be a low security solution. The same as just using contactless cards, even ones such as Mifare Desfire protocols.

Regards,
Paul

On 11/11/2015, at 3:22 PM, Peter Reutemann <fracpete(a)waikato.ac.nz> wrote:
Simply using biometrics is not very safe.
You wouldn’t use it for remote authentication, but it can work well, for example, in the physical presence of a security guard who has just checked your ID.
Remember, it’s all about using more than one authentication factor at a time.
Absolutely.
Cheers, Peter

_______________________________________________
wlug mailing list | wlug(a)list.waikato.ac.nz
Unsubscribe: http://list.waikato.ac.nz/mailman/listinfo/wlug
Participants (3): Encode, Lawrence D'Oliveiro, Peter Reutemann