Fingerprint Login and Authentication

With Apple’s introduction of Touch ID for the new iPhone 5S, there’s been a lot of news coverage of their new fingerprint-based unlock system — and not just about its usefulness for cats. People want to know: is it secure? Can someone bypass it? Within moments of its release there was already a sizeable bounty being offered to someone who could “break” Touch ID. Of course, the Chaos Computer Club demonstrated a bypass in under a week.

But the thing about fingerprints is that they’ve been easy to bypass for more than 20 years. It’s not that hackers have figured it out “already”, rather spies figured it out decades ago. You dust the fingerprint, photograph the pattern, print it out with an impact printer (or, in a pinch, a laser printer with the toner on the heaviest setting to leave raised printing), pour plain old Elmer’s glue on it, let the glue dry until firm but not quite solid, and peel it off. Presto! Prosthetic fingerprint.

The problem with how fingerprints are being used is that fingerprints are a form of identification, not authentication. They quickly say who you are, but they don’t prove who you are — essentially, when trying to translate the traditional username/password paradigm to biometrics, a fingerprint is like a username, not like a password. Unfortunately, it’s being used as a password. It’s especially funny on the new iPhone because they’re using fingerprints to authenticate to a touchscreen device — that is, an object that has your fingerprints all over it! If someone wanted into such a phone it would be really easy to lift the user’s fingerprints off the screen, create a prosthetic, and unlock the device with the fingerprint reader. You can’t make a secure authentication method out of something that people leave everywhere.

On the other hand, I can’t bring myself to care that much. There’s a general rule in computer security: “If the adversary has unrestricted physical access to your computer, it’s not your computer.” If someone’s trying to bypass fingerprint lock on a phone, then they must have possession of the phone — and in that case there are many ways in, whether it’s locked with a fingerprint, a PIN, a password, or whatever. Fingerprint is more convenient than PIN and probably approximately as secure as a PIN. In either case, if the device storage isn’t encrypted getting access to it is trivial, and if it is encrypted the capability to perform an offline attack (a capability you have in a stolen-device scenario) means that bypassing a 4-digit PIN is equally trivial. You’re not really losing much, if any, security by going to a fingerprint.

The other problem with fingerprints as passwords — aside from the fact that you leave them everywhere — is that your fingerprint can’t be rotated. If your password gets stolen, you can change your password, but if your fingerprint is stolen, it’s stolen forever. There’s no way for you to change it. This is fine for an identifier (username), but not fine for an authenticator (password) — it puts you in the situation of “break once, break everywhere.” Once your fingerprint has been stolen by an adversary, they have it for the rest of your life. This also why fingerprints (or any biometrics) should never be used to generate cryptographic keys.

You’ll find fingerprint readers on a lot of enterprise-model laptop computers, too. On these, the fingerprint reader is just an alternate authenticator to Windows, so Windows will still let you log in with your password if the fingerprint reader doesn’t work. It does (by design) reduce your security a bit — but once again, not much, because if someone is trying to break in via the fingerprint reader then they must have physical possession of your computer, and they’re going to get in anyway. The only protection against that is to enable BitLocker in PIN mode — that is, full-disk encryption with a PIN code required at power-on to decrypt the hard disk, and even then you’re only really safe if your computer comes with a TPM (which most business laptops do, but most other PCs do not.) Most people don’t do this, which means fingerprint or password, your data is easily accessible to someone who has possession of your PC.

So all told, there’s not much reason not to use fingerprint unlock on a phone, since phone unlock is not normally a boundary where we expect much security (as our usual mechanisms — either “swipe to unlock” or a 4-digit PIN code with unlimited guesses allowed — provide very little security anyway.) But from a systems design perspective, if you want real security, fingerprint should not be treated as an authenticator, regardless of the technology being employed.

authentication, hardware, industry, risk

If you enjoyed this post, please consider to leave a comment or subscribe to the feed and get future articles delivered to your feed reader.