4

According to what I've read and heard, multi-factor authentication is supposed to use multiple different types of authentication factors, rather than just different instances of the same kind (e.g. multiple passwords.) One of the most frequently-mentioned types of factors is "something you are," usually biometrics such as your fingerprint, retinal scan, voiceprint, etc.

However, any practical implementation of "something you are" requires that the authentication take place by comparing the user's fingerprint, retina etc. with some sort of known master copy, established beforehand.

Doesn't this, in effect, turn the "something you are" into "something you know," i.e. a shared secret, with all of the vulnerabilities traditionally associated therewith? The fingerprint scan (or whatever it is) can be intercepted, copied, acquired from a compromised server, etc. Admittedly, it's not as vulnerable to social engineering attacks because the user doesn't "know" his or her own fingerprint, at least not in a way that can be used by a third party.

I realize that if the verification process is by computer, then the "something you are" will be converted into "something knowable" (information) at some point. My question: is there a way of doing this that mitigates the vulnerability? I'm thinking of something similar to the way a private key stored on a smart card is effectively "something you have," even though the key itself is still technically information.

I'm not trying to implement such a system, I'm just asking out of curiosity.

  • 1
    The theory of biometrics is that you have to present your actual finger/face/retina/whatever - not just something that looks like it. In a supervised environment (e.g. US border) this is enforceable. But with devices like smart phones it isn't, hence [this](http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/). – paj28 Oct 03 '16 at 19:37
  • @paj28 That's always been one of my biggest concerns about smartphones with fingerprint sensors. Given the high potential value of compromising someone's smartphone (bank accounts, primary email accounts, etc) the possibility of breaking into one would be well worth the few hours required to build a fake fingerprint. I guess the real question is, does it take more or less effort to fake a fingerprint than it would to crack the kind of 4-digit passcodes that most people use on their phones? – Joseph Montanaro Oct 03 '16 at 22:52
  • Both are difficult (remember [this](https://www.theguardian.com/technology/2016/sep/19/fbi-iphone-lawsuit-hack-san-bernardino-associated-press)?) - but possible by a determined attacker. Faking the fingerprint is probably easier. The point of the fingerprint scanner is that it offers reasonable security that is more convenient than a passcode. – paj28 Oct 04 '16 at 03:19
  • all authentication can be reduced down to something something knows. – dandavis Oct 04 '16 at 17:50

3 Answers

5

Just because it is stored somewhere doesn't make it "something you know". You don't ever really "know" your fingerprint or iris layout as it is too complex to know or remember. But that is really just semantics, I wouldn't try to over-think the terminology.

As you correctly point out though, that doesn't mean someone else doesn't know it. The server keeps a (hopefully) encrypted copy.

In addition, it may be possible indeed for an attacker to gain a sufficiently detailed "copy" of your biometric to be able to replay it.

This is particularly problematic for a fingerprint as you tend to leave copies of them everywhere!

That is why fingerprints in particular should never be considered as replacements for an id/password but rather as complementary to them. Fingerprint logins are a convenience, not a high security feature. They are relatively low security, better than users not being bothered to use any password but nowhere near as good as a strong passcode. Remember that, in particular, biometrics cannot ever be changed; once compromised they are always compromised.

Julian Knight
2

That's the reason why you should never use biometrics alone as authentication except in secured environments. Your fingerprint is indeed private in the sense it only belongs to you, but as information it is not: you leave a copy each time you drink a beer in a bar...

What is worse is that you have no way to revoke your fingerprint. If your password or even a highly complex private key were to be stolen, you can easily change it. But once an evil guy has taken the glass you have just left, he can build an image of your fingerprint. Not even speaking of the case where he has stolen the phone and the identity card with the fingerprint... And he will be able to use it on any smartphone or laptop that you have secured with a fingerprint all along your life.

That being said, in a secured environment, meaning when a guard sees you passing your finger on the reader, a fingerprint alone is a very nice authentication system...

To come back to your initial question, the something you know, have or are is on your side. On the controller side, it is always something that is registered somewhere and compared with what you used as credentials. The comparison can be direct if a copy of the information is stored (for biometrics or other imprecise credentials) or indirect if only a hash is kept (for passwords or numeric keys).

Serge Ballesta
0

Yes, if a 'something you are' can be captured in a form that can be used with a service, that effectively reduces it to a 'something you know'. However, that's not necessarily the case - consider a fingerprint scanner/door system. If you get hold of the database that contains the fingerprints, they are likely hashes of digitizations of the actual fingerprint. Even if you have that, that doesn't mean when confronted by the physical fingerprint scanner, you can reproduce a fingerprint (provided that they use appropriate physical security on the scanner and ensure that the 'brains' of the scanner, where the digitization and hashing take place are on the OTHER side of the door - if they are on the same side of the door, it is possible that you could get the hash in there, unless there are further precautions)

crovers
  • 2
    Can a digitized fingerprint be reliably hashed, though? It's my understanding that even the slightest difference in the input to a hashing function results in a completely different output, and no two fingerprint scans are going to be exactly, to-the-bit identical. Is there a way to reliably hash fingerprints, or otherwise verify them in a way that doesn't require having the original fingerprint? – Joseph Montanaro Oct 03 '16 at 19:09
  • My understanding (and I'm not even remotely a biometrics expert) is that they use something called minutiae and that there is a standard format for that that could potentially be hashed. However, a quick google shows more speculation about that than actual answers. – crovers Oct 03 '16 at 19:36
  • 2
    Fingerprints cannot be hashed: http://security.stackexchange.com/questions/43587/is-iphones-fingerprint-signature-a-one-way-hash – paj28 Oct 04 '16 at 03:34
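
The distinction drawn in the answers and comments above (an exact hash comparison works for passwords, while a noisy biometric reading needs a tolerance-based comparison against a stored template), shown as an added example that is not part of the original thread. The 256-bit template, the 10% threshold and all function names are assumptions for illustration, not a real sensor or minutiae format.

```python
import hashlib
import hmac
import random

TEMPLATE_BYTES = 32       # constructed 256-bit template, not a real sensor format
MATCH_THRESHOLD = 0.10    # assumed policy: accept if at most 10% of bits differ

def random_template(rng: random.Random) -> bytes:
    """Constructed stand-in for the features extracted from one finger."""
    return bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))

def noisy_reading(template: bytes, flips: int, rng: random.Random) -> bytes:
    """Same finger scanned again: `flips` distinct bits differ (sensor noise)."""
    out = bytearray(template)
    for pos in rng.sample(range(len(template) * 8), flips):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)

def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which two templates differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (len(a) * 8)

def hash_verify(stored_digest: bytes, presented: bytes) -> bool:
    """Password-style check: the verifier keeps only a digest, match must be exact."""
    return hmac.compare_digest(hashlib.sha256(presented).digest(), stored_digest)

def template_verify(stored_template: bytes, presented: bytes) -> bool:
    """Biometric-style check: the verifier needs the template itself to measure distance."""
    return hamming_fraction(stored_template, presented) <= MATCH_THRESHOLD

def demo() -> dict:
    rng = random.Random(2016)                      # fixed seed for repeatable output
    enrolled = random_template(rng)
    same_finger = noisy_reading(enrolled, 8, rng)  # 8 of 256 bits differ
    other_finger = random_template(rng)            # unrelated finger
    digest = hashlib.sha256(enrolled).digest()
    return {
        "hash_exact_input": hash_verify(digest, enrolled),
        "hash_same_finger": hash_verify(digest, same_finger),
        "template_same_finger": template_verify(enrolled, same_finger),
        "template_other_finger": template_verify(enrolled, other_finger),
    }

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```

The digest check rejects the legitimate second scan, which is why the verifier ends up storing a comparable template, and that stored template is the copy the question is worried about.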