Thoughts on Fingerprint Authentication
Contributions by Manfred Bromba (http://www.bromba.com/contacte.htm), regarding the very nature of fingerprint authentication.

# 1 Passwords, keys, and fingerprints

First issue: 2007-10-11

It is widely accepted to divide the main personal authentication methods into knowledge ("what I know"), possession ("what I have"), and biometrics ("what I am"). For a better understanding of security threats to fingerprint recognition, it is helpful to compare these three methods and see their common features and their real differences.

1. To start with the similarities, we observe that each authentication method is based on at least one piece of information. This authentication information is shared between the person who wants to be authenticated and the authentication appliance which performs the authentication check. For password authentication, the password itself is the information to be checked. When using a key, the information is given by the pattern of the key bit. This pattern decides over success or failure during the authentication process, which consists of inserting the key into the appropriate lock. More generally, if you are using a token like a smart card, the information is hidden in the card's chip. In fingerprint authentication, the information is the specific pattern of your finger's surface. Fingerprints may be viewed as keys with one important exception: this biological key is a fixed part of your body and cannot be removed without injury. By the way, there is also a relationship between the password, which has to be learned to be effective, and the behavioral part of certain biometric features, such as signature, keystroke dynamics, or voice, which also have to be trained: a password kept in mind is the limiting case of a biometric feature with a 100% behavioral part! On the other hand, a password which has been written down on a piece of paper has a strong relationship to a key. That is, it comprises information tied to a piece of hardware. But in contrast to an ordinary key, the password can be picked up by any person who has a look at the sheet of paper, while the key offers its information in a form which cannot easily be learned by simple visual inspection of the key bit.

2. From a physical point of view, information cannot exist without energy. Practically, this is identical to a connection to matter. All real-life systems I know use matter to store authentication information. The kind of matter makes up the difference between passwords, keys, and fingerprints:

| Authentication method | Information storage for personal authentication |
| --- | --- |
| Password | human brain |
| Key | key hardware, usually a piece of metal |
| Fingerprint | finger as a fixed part of the human body |

If we scrutinize what kind of authentication is best suited to personal authentication, we have to state that a fingerprint has a strong connection to the human body, memorized passwords have a weak connection to the human body, and keys have no direct connection to the body at all. This is usually the argument for favoring biometrics as a personal authentication method. (On the other hand, why should one favor body over mind? Ultimately, the password has the strongest connection to the mind, and individuality is to a great extent determined by psychological features. But in contrast to psychological human characteristics, the password is not really a steady feature of your individuality.)

3. Authentication can only work if the authentication information (password, key pattern, fingerprint pattern) is shared with the appliance which checks personal authorization. However, to prevent fraud, the authentication information should be kept secret from third parties that are not involved in the authentication process. If a password gets compromised, it may be used by any other person for fraudulent authorization. If the key pattern gets compromised, a second key may be built with exactly the same pattern to obtain a fraudulent authorization. The case of the fingerprint is comparable to the key case; only the material is different. Once the authentication information is compromised, copying a password is the simplest case. In the other two cases it is more cumbersome to copy the authentication information, as it needs special tools and storage materials.

4. To increase fraud resistance, keys may be manufactured from special unique materials which are only available to authorized key manufacturers and cannot be copied by unauthorized third parties. The material composition then has to be examined with high reliability by the authentication appliance. This kind of problem is easily solved by smart cards, which may use cryptographic means to guarantee that the smart card has been issued by a trusted third party which will not allow unauthorized duplicates. If this method works perfectly, your authentication information may even be public. The combination of unique authentication information and a non-copyable carrier of this information allows better fraud resistance, provided the carrier can be verified with high certainty. Unfortunately, this will only guarantee the authenticity of the token but not the authenticity of the person to be authenticated. That is, if you lose your key or card, the finder may use it for authentication in your stead, provided he knows where the matching lock or appliance is found.

For fingerprints, the situation is quite similar to keys. If it is possible to check the material of the finger, the authentication appliance (fingerprint sensor etc.) is able to check the authenticity of the finger (and hence of the person, if the finger is connected to the original body). If it can be shown that finger material cannot be reproduced artificially but can be detected as authentic, and if fingerprint patterns cannot be altered artificially, the authentication information does not even need to be kept secret! Only in this case would copying fingerprints, even together with the owner's identity, not compromise authentication.

5. Certain fingerprint scanner manufacturers state that their scanners are able to distinguish between original and artificial fingers. Such statements are of little value unless the method is revealed or unless independent certifications are available which quantify the ability to distinguish between original and copy using accepted or documented measurement methods.

# 2 Are fingerprints secrets?

First issue: 2007-09-21

In his brilliant letter from August 15, 1998, titled "Biometrics: Truths and Fictions", Bruce Schneier states "Biometrics are unique identifiers, but they are not secrets". I only partly agree with this statement. Here are my reasons:

1. I define a secret as a piece of information which is exclusively known to a limited group of secret carriers and which is kept hidden from all other parties. Here, a secret carrier may be a human person or an apparatus. My face as a biometric characteristic can only be kept secret if I keep myself away from the public or if I draw a curtain over it. Furthermore, it is more or less easy for us to remember faces or to take photographs of them. In this sense I agree with Schneier, i.e., faces usually cannot be regarded as secrets. But this shouldn't be generalized to all biometric characteristics. For example, fingerprints require special efforts to become known. This effort may not be unlimited, but the amount does not matter in the definition of a secret. There are secrets which can be easily revealed. If there is nobody to reveal them, they remain secrets. Other secrets resist even the strongest attacks.

2. Unlike faces, fingerprints cannot easily be photographed using hidden cameras. Human beings have no optimized receptors for fingerprints; they can hardly remember the unique pattern of magnified fingerprint images. The reason for this may come from the fact that humans prefer and are trained to recognize each other by face, voice, size, sex, behavior etc., but not by fingerprints and not by iris, retina, or vein patterns. Nevertheless, attackers may find ways to reveal the fingerprint secret. They may do it in just the same way as is done for passwords, for example by simulating a trusted authentication apparatus which wiretaps the biometric data without the user's knowledge.

3. Fingerprints are left as latent prints on every surface we touch with our fingers. Latent prints remain secrets until they are uncovered. This again requires special efforts and special skills. But even professional dactyloscopists, who have a lot of experience in finding and preparing latent prints, mostly find fingerprint fragments of questionable quality which are not suitable for electronic authentication. And if they find a good fingerprint, they do not know to whom it belongs. They can find out the owner of a fingerprint only by comparing it with the fingerprints of known suspects.

4. Biometrics can be used for nearly perfect authentication if it is possible to confirm the temporal and bodily connection between the biometric characteristic and the individual, in order to avoid fraudulent authentications by copies. If this step can be performed with a certain reliability, we call it fake detection. Only with good fake detection may the authentication information, which also has to be checked, be public. For many biometric characteristics, this is essential. For biometric characteristics such as fingerprint, most known and realizable copy/fake detection methods do not work with sufficient reliability. In such a case, the secrecy of a biometric characteristic becomes important. This is the main, but not the only, reason why fingerprint authentication works fine in practice, despite all the prophecies of doom. To summarize:

- If biometric characteristics cannot be regarded as secrets, fake detection is essential.
- As long as a biometric characteristic can be regarded as a secret, fake detection is less essential.

5. Every secret can be compromised, and so can biometric secrets. Once compromised, fake detection becomes essential. Otherwise, if fake detection is imperfect, the concerned characteristic shouldn't be used any more in sensitive security applications. But there is no room for a black and white discussion. Rather, the transition between secret and public is gradual, in a statistical sense. The better the fake detection, the less effort against compromising the secret is acceptable for a constant authentication strength. If both are good, authentication strength increases! If not, fingerprint offers the chance of choosing between 10 fingers. When using certain mitigation strategies, this should be sufficient for a lifetime!

6. I am aware that many security experts will strongly oppose the idea that authentication systems could rely on biometric secrets. Ultimately, in the sense of security theory, only the mean amount of damage to a value counts. For specific systems, we can express this as a probability. Unfortunately, this probability cannot be determined in advance unless the complete environment and constraints are equal and measurements with numerous incidents have been made. For that reason, it will still take many years to reach a final decision!

# 3 Widespread use of fingerprint - a danger?

First issue: 2007-10-11

We start with the assumption that fingerprints must be considered secrets to allow reliable authentication. This assumption is reasonable in view of the weak performance of present fake detection methods and the extraordinary creativity of attackers. Furthermore, we suppose that the internal technical realization of the authentication provides perfect data protection. Then anyone hacking a fingerprint verification system without fake detection has to attack the fingerprint sensor and must overcome at least the following hurdles:

- Acquire an appropriate fingerprint image
- Assemble a fingerprint copy suitable to fool the fingerprint acquisition system
- Apply the fingerprint copy to the fingerprint acquisition system

The step Acquire is only easy for my own fingerprint. If a non-cooperative person is attacked, this requires the skill of a dactyloscopist and delivers a set of images, often of questionable quality, from which I don't know which one is most promising. The step Assemble requires knowledge of the fingerprint sensor (swipe or flat, capacitive or optical or thermal or pressure, etc.) and the preparation of the best material for the finger copy. Finally, the step Apply tries to fool the sensor (and the system behind it) with the copy made in the previous step. The success of the last step depends on the number of allowed trials, on the correct fingerprint window, on the correct fingerprint angle, and on the correct treatment (pressure, speed, etc.). Altogether there are a lot of parameters which must fit. Finally, the attacker may fail due to the wrong fingerprint image. (Here we assume that a direct injection of an electronic fingerprint image into the target system is prevented by suitable and proven IT measures.)

Only the step Acquire is dedicated to the revelation of the fingerprint secret. Fingerprints may come from latent prints or may be acquired directly, e.g., by taking a photograph during sleep, by force, or using a manipulated sensor device. With an increasing number of fingerprint authentication applications, it may become unavoidable that a black sheep application collects the acquired raw images to allow its operator to access foreign systems.

As a result of the 9/11 incidents, several countries began to collect fingerprints of foreign travelers. In principle these fingerprints could be used by a secret service to assemble fingerprint copies to fool fingerprint authentication used, e.g., for physical access control.

Phishing, which today is associated with passwords, could be extended in the future to fingerprint authentication systems. Certainly, phishing for passwords is easier than extended phishing for biometrics. But this will not prevent biometrics phishing.

A further problem to be solved is that different applications show different provisions against theft of biometric data. Applications which are hardly hurt by the publicity of biometric characteristics may neglect data protection. This could seriously harm other applications where secrecy of a biometric characteristic is essential. This shows that data protection is of the highest importance for all systems. In this case the weakest link in the chain may really influence the authentication strength in other systems.

Last but not least, it is to be expected that the know-how to attack biometric systems will become increasingly common knowledge. If biometrics were to become the main authentication method, it would make more sense for a fraudulent attacker to focus on biometrics. It's simply too expensive to develop malicious tools for uncommon authentication methods. We know this effect from operating systems, browsers and credit cards: it's always the mainstream which is disproportionately affected by attack attempts. (Even if successful attacks predominate there, this does not necessarily mean that the concerned system is less protected!)

How can we prevent biometrics from losing more and more performance? The solution sounds quite simple: with increasing dissemination, sophisticated fake detection efforts must ultimately be pushed. This would effectively impede the use of fingerprint copies. Until then it must be guaranteed that all biometric systems fulfill the highest data protection requirements.

# 4 Fingerprint identifiers and fingerprint verifiers

First issue: 2007-12-26

Most authentication systems use the concept of identifiers and verifiers. A well known example is login to a computer or network, where you have to enter or select a user name ("identifier") and then confirm your identity with a password ("verifier"). Another example is your credit card, where the card with its long number is the identifier and your signature is the verifier. To get a deeper insight into the concept of fingerprint authentication it is useful to define an authentifier:

- A (personal) authentifier is defined as the combination of all entities you need to authenticate.

For example, a key, an authentication token, or the combination of user name and password may be an authentifier. Usually, an authentifier comprises a public part (e.g., a name) and a secret part (e.g., the cryptographic key within a smart card). Biometrics even promises the chance to get along without any secret. Although identification and verification parts often cannot be separated perfectly, we proceed as if this were possible and define identifier and verifier in the following way throughout this contribution:

- A (personal) identifier is a public entity which is assigned to a specific member of a closed user group such that this member can be distinguished from all other members of this group.
- A (personal) verifier is an entity which can be used to prove the claim that a person is a specific member of a closed user group.

As public we denote information which may be known to everybody without impairing the objective of an application. A piece of information is called secret when it is not known to a potential attacker.

While an identifier must be unique within the closed user group, a verifier need not be when it is applied in combination with an identifier. The concept of dividing an authentifier into an identifier and a verifier has several advantages. In large user groups, identifiers become large for the sake of uniqueness. For that reason this part of an authentifier should be easy to memorize. Publicity is important for administration purposes and to initiate contact between users. For verification, often much less information would be sufficient, e.g., a four-digit number. It has proven useful to be able to change the secret part of an authentifier independently of the identifier part. Even different levels of trust are simply manageable by using secrets of different strengths.

Normally, if two members of the user group plan an individual transaction, knowledge of the identifiers would be sufficient. In an evil world where identity fraud is a real challenge, an identifier may not be proof of the real identity of a user. Here, the additional use of a verifier is a solution. In compliance with our definition, verifiers may be shared secrets between users or between a user and a trusted third party which usually provides the authentication system. The use of verifiers is most important in applications where damage to any value is to be prevented. In other words: mainly the verifier is responsible for security.

For a better understanding of the difference between identifier and verifier, let us consider two examples of what can happen when identifiers are (mis)used as verifiers. Social Security numbers (SSN) were introduced in the United States to track individuals for taxation purposes. The SSN is unique for each citizen and its purpose was to be an identifier. Unfortunately, certain services take the knowledge of this number as verification of the identity of a person. This is a frequent source of identity fraud, since knowledge of a public number does not testify anything about the relationship between the SSN and the person who uses it. Interestingly, instead of combating the misuse of the SSN as a verifier, it is sometimes advised to keep this number secret, completely disregarding that it would then lose its manageability.

Another example is credit cards. Credit cards have an identifier (the card number) and use your (public) signature as verifier. Additional trust is created by using a difficult-to-fake card as token and sometimes by using your face image as a second verifier. With the emergence of the internet, this established security scheme has become flawed. Most credit card based internet transactions have no chance for verification; instead, the public identifier, combined with certain other public information such as the name, is used as verifier. By offering strong encryption for transmitting a public number, nothing but the feeling of security is simulated. The result is rapidly increasing credit card fraud for online transactions. Up to now, the main reaction has been the advice to keep the credit card data secret. As a consequence, you have to trust all shops where you have to reveal this "secret". As a side effect, the online theft of public credit card data has become more attractive. (If we call the financial damage caused by identity fraud leakage, there is no need for action as long as leakage does not eat up the benefit for the credit card company!)

The use of fingerprints as verifiers and authentifiers is becoming more and more common in security applications. Due to the open nature of fingerprints - they are not really public, but scientific investigations about the success rate of identity fraud with latent prints in the realistic case of non-cooperative victims are still missing, so they cannot be widely accepted as secret - many security experts still refuse to recommend fingerprint as a method for verification. No such problems occur when using fingerprints as identifiers.

Fingerprints as identifiers. The advantage of fingerprints as identifiers is their high degree of distinguishability, which is expressed in a very low FAR (False Accept Rate) at moderate FRR (False Reject Rate). Using a single finger, it should be possible to separate more than 10 million members of a closed user group with a single-trial FRR of only 2% for an office worker population. (In security applications, a password or another biometric characteristic such as face, signature, or even another finger may then serve as verifier.) Faking an identifier theoretically makes little sense, as security is focused on the verifier. The greatest advantage in using fingerprint as identifier is that no token is needed and no lengthy numbers or names have to be remembered and entered into a keypad. The procedure can be fast and the user cannot forget anything.

Fingerprints as verifiers. Using fingerprints as verifiers, being part of an authentifier, requires at least one of two assumptions to hold reliably:

- The fingerprint pattern can be regarded as secret information, i.e., revealing this secret may compromise security.
- The fingerprint pattern can be regarded as public, but additional measures during capturing ensure that the fingerprint pattern does not come from a fingerprint copy.

Obviously, the easiest way would be to regard fingerprint patterns as public. This would be no problem if the capturing system comprised copy and liveness detection. For credit card purchases in a shop, copy and liveness detection is done by the seller by watching the process of signing. Unfortunately, today no automatic fingerprint system is known which can be certified to have a lower bound on the probability or the effort required to circumvent it. Moreover, I assume that it would never be possible to prove such a lower limit. Does this prove fingerprint to be unusable for security? No, this situation is quite similar to encryption. Most methods used today have no proven lower limit. Even for applications using the "unbreakable" one-time pad [Wikipedia], security is not provable. Although the algorithm can be proved to be unbreakable, the problem of keeping the key secret remains and is difficult to quantify. But nobody doubts the usefulness of encryption schemes in daily life.

Secrecy of the fingerprint pattern is the simplest assumption, as it would map the properties of fingerprint onto an entity which is familiar from passwords. The challenge of this assumption is the availability of accepted statistical facts about how easy it is to spy out fingerprint patterns of non-cooperative persons. Apart from that, the flaws of using secrets are well known. As with ATMs [Wikipedia] and similar services, I have to trust my counterparty not to misuse or reveal my secret data. The latter requirement comes from the potential necessity to serve multiple applications with a limited stock of 10 fingerprints. From a user's perspective it seems reasonable to limit fingerprint authentication to a few trusted parties only. Only then does revocability of fingerprints become feasible. If one fingerprint is compromised, another one can be used. When using fingerprint exclusively for vocational applications, this would mean that about every 5 years one fingerprint is allowed to become compromised.

For real-life systems where fingerprints are used as verifiers, one has to consider both assumptions, secrecy and publicity of the fingerprint pattern. Both parts influence fraud resistance. The effort to reveal a specific fingerprint of a non-cooperative victim is nonzero, as is the effort to successfully present a suitable copy to a fingerprint capturing device. For a security consideration, the whole system, including (non-perfect) fraud prevention measures, always has to be taken into account. For a successful system it is not essential that leakage be exactly zero. However, it is essential that leakage is smaller than the cost saving achieved by introducing fingerprint.

When using fingerprints as verifier, distinguishability is not a problem. For that reason the recognition threshold can be relaxed to the common FAR value of 0.01% for one trial. In this case, FRR can be low enough to allow at most 3 trials before temporarily disabling the user account.

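The FAR/FRR figures quoted for the identifier role (10 million members, 2% single-trial FRR) and the verifier role (0.01% FAR per trial, lockout after 3 trials) can be worked through numerically. The following Python is an added example, not code from the original page; it assumes each template comparison is an independent trial (a simplification, since real matchers show correlated errors) and uses a constructed 1% system-level FAR target for the 1:N case.

```python
"""FAR/FRR arithmetic behind the identifier vs. verifier roles of a fingerprint.

Added example, not code from the original page. Assumption (also stated in the
lead-in): each template comparison is an independent trial with the quoted
single-comparison FAR/FRR. Real matchers show correlation between templates,
so these numbers are illustrative bounds, not measurements.
"""
from math import expm1, log1p


def system_far_identification(far_single: float, n_enrolled: int) -> float:
    """Identifier role (1:N search): probability that one presentation of a
    non-enrolled finger falsely matches at least one of n_enrolled templates.
    This is 1 - (1 - FAR)^N, computed via log1p/expm1 so tiny FAR values
    do not vanish in floating point."""
    return -expm1(n_enrolled * log1p(-far_single))


def single_far_for_target(target_system_far: float, n_enrolled: int) -> float:
    """Invert the above: the per-comparison FAR a matcher must reach so that
    the 1:N system FAR stays at target_system_far for n_enrolled members."""
    return -expm1(log1p(-target_system_far) / n_enrolled)


def impostor_success_with_lockout(far_single: float, max_trials: int) -> float:
    """Verifier role (1:1 check against a claimed identity): chance that a
    zero-effort impostor (wrong finger, no copy) is accepted within
    max_trials attempts before the account is temporarily disabled."""
    return -expm1(max_trials * log1p(-far_single))


def genuine_lockout_probability(frr_single: float, max_trials: int) -> float:
    """Chance that a genuine user fails all max_trials attempts and locks
    the account, i.e. the usability cost of the lockout rule."""
    return frr_single ** max_trials


def compare_roles(n_enrolled: int, far_verifier: float, frr_single: float,
                  max_trials: int, target_system_far: float) -> dict:
    """Put the page's two settings side by side for one parameter set."""
    return {
        # the relaxed verifier threshold applied naively to a 1:N search
        "identifier_system_far_at_verifier_threshold":
            system_far_identification(far_verifier, n_enrolled),
        # the per-comparison FAR the identifier role actually needs
        "identifier_required_single_far":
            single_far_for_target(target_system_far, n_enrolled),
        "verifier_impostor_success":
            impostor_success_with_lockout(far_verifier, max_trials),
        "verifier_genuine_lockout":
            genuine_lockout_probability(frr_single, max_trials),
    }


if __name__ == "__main__":
    # Values taken from the text: 10 million members, FAR 0.01% per trial,
    # FRR 2% per trial, at most 3 trials. The 1% system-FAR target is a
    # constructed figure for the illustration.
    result = compare_roles(n_enrolled=10_000_000, far_verifier=1e-4,
                           frr_single=0.02, max_trials=3,
                           target_system_far=0.01)
    for key, value in result.items():
        print(f"{key:45s} {value:.3e}")
```

The first line of the output shows why the verifier threshold is useless for identification: at 0.01% per comparison a 1:N search over 10 million templates almost certainly produces a false match, whereas the same threshold gives an impostor roughly 0.03% over three verification attempts.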
Fingerprints as authentifiers. Many fingerprint identification systems on the market use fingerprint as identifier and verifier without other authentication means. This is mainly done for user convenience. Since, in the case of identification failures, the cause cannot clearly be attributed to a specific user, who normally is represented by the identifier, such systems can only take limited measures against fraud (such as limiting the number of authentication trials). For that reason, only low protection requirements can be met when mainly relying on the secrecy of fingerprint patterns.

No rule without exception. So far we considered the identifier to be unique but public information. Security was completely shifted to the function of the verifier. But this is only one side of the coin, because it does not include certain attack methods which may also cause damage. Denial of Service (DoS [Wikipedia]) is such an attack; we know it from web sites which are not available because of continued malicious requests. Another example is web banking. In the past, certain banks used the public account number as identifier and the password as verifier. To mitigate brute force attacks on the password, the number of unsuccessful attempts is limited (usually you reach this limit when entering the wrong password 3 times in a row). This could encourage attackers to deactivate the web access to known bank accounts by simply entering a wrong password multiple times! It is at least cumbersome for the account owner to get the account reactivated. For that reason, advanced banking schemes do not use the account number but another unique number which is not known to the public!