7

If someone has access to your fingerprints then using your fingerprint as a password on your phone or other device is obviously compromised. But assuming they do not have access to your fingerprints, are there any known or potential security concerns?

For example: How unique and complex is a fingerprint compared to a password? Can an average hacker with full access to your phone try guessing "passwords" that represent your fingerprint? Are fingerprints easily recoverable from the cases of phones?

TruthOf42
  • 3
    Just curious... Google is not working? Or a minimal research requirement has been dropped from StackExchange? – techraf Oct 05 '16 at 14:37
  • 3
    Have you looked at the case of your phone? Easy to recover - trivial. The worst issue though is that, once compromised, there is no changing a fingerprint! Unless you want to try self-harm. Fingerprint scanners are a convenience not a security feature. They are better than no password but that's all. – Julian Knight Oct 05 '16 at 14:47

3 Answers

9

> assuming they do not have access to your fingerprints

I believe this assumption is wrong. Fingerprints can be extracted from many things you touch or even from photos.

But let's assume "they" can't do that:

A password is digital. It is exact. If your password is "IiL1l", it's trivial to check that it isn't "1iLlI". Fingerprints are not digital. Every device that validates your fingerprint is only able to compare the scan you make to some model of how your fingerprint looks.

This sounds like no big deal, but this has huge consequences. For encrypting things, passwords are converted into keys (using something called a key derivation function). If you change just a single letter of your password, an entirely different key is derived. The key is never stored on the device. Every time you decrypt something, the key is derived from your password again. The key is not stored anywhere. Because your password is always exactly the same and the key derivation is deterministic, the key is always the same and decryption works.

For fingerprints, that can't work. Fingerprint sensors work differently, but in the end you always get something that resembles a black and white/greyscale image. Try a simpler experiment: put a single sheet of paper on your desk. Take a camera. Take two pictures that are exactly the same. You won't be able to do that, and for a fingerprint this is a lot harder!

Because of that, it isn't possible to derive a key from your fingerprint. Your fingerprint and the key are stored on the device. The device checks if your fingerprint looks like the stored one and then releases the key already stored on the device.

Because of this, a fingerprint will always be less secure than a strong password.

Josef
  • can you provide a source about the storage of your fingerprint data on the phone? – TruthOf42 Oct 05 '16 at 14:59
  • 1
    @TruthOf42 Here's a link to [Apple's iOS Security Guide](https://www.apple.com/business/docs/iOS_Security_Guide.pdf) (PDF) which talks about Touch ID fingerprint storage and interaction with device encryption keys on pages 7-9. – PwdRsch Oct 05 '16 at 15:40
  • Fingerprint isn't less secure than password (at least not because it can't be converted). Fingerprint can be used to authorize user, but not converted to key. Password can be used for both. Fingerprint is secure (at least as much as PIN/password), when used with proper adversary model (there has to be a trusted party which will verify fingerprint). It's like saying PK crypto is more secure because it can do more - it isn't. – axapaxa Oct 05 '16 at 15:46
  • @axapaxa a trusted party that is in the phone that got stolen? I am interested how that will work out. Sure there are secure elements and whatnot. But once the phone is stolen, your fingerprint and your key are on it. – Josef Oct 05 '16 at 17:35
  • But what about the case when the password is not used to derive a key? – Anders Oct 05 '16 at 21:25
  • @Josef - this really depends on your adversary model. Read about TPM, this gives some idea what can be done. – axapaxa Oct 06 '16 at 11:27
  • @axapaxa Independent of whatever TPM (TPM is not used on mobile devices, there is ARM TrustZone and other things) you use, if you can unlock using your fingerprint, the fingerprint is stored on the device! Do you disagree? – Josef Oct 07 '16 at 13:54
  • @Anders if your phone is not encrypted, a thief can always get the data stored on the phone. He doesn't even need to break the fingerprint protection then! – Josef Oct 07 '16 at 13:55
  • @Josef fingerprint isn't stored on device. Only some data that allows you to check if correct fingerprint was given is. So I do disagree. And you still didn't define under which threat model fingerprint is inherently weaker than password. It isn't - it has other pros/cons. – axapaxa Oct 07 '16 at 21:34
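The contrast drawn in the answer above between deterministic key derivation and approximate fingerprint matching, as an added example that is not part of the original answer. The 256-bit templates, the bit-flip noise model, the Hamming threshold of 40 and the `FingerprintLock` class are assumptions made for illustration; real matchers compare minutiae rather than bit strings.

```python
import hashlib
import os
import random

SALT = b"constructed-demo-salt"  # constructed value for the demo

def derive_key(secret: bytes) -> bytes:
    """Deterministic KDF: identical input always yields the identical key."""
    return hashlib.pbkdf2_hmac("sha256", secret, SALT, 100_000)

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def noisy_scan(finger: bytes, flips: int, rng: random.Random) -> bytes:
    """Simulated sensor reading: the same finger with `flips` bits changed."""
    scan = bytearray(finger)
    for pos in rng.sample(range(len(scan) * 8), flips):
        scan[pos // 8] ^= 1 << (pos % 8)
    return bytes(scan)

class FingerprintLock:
    """Hypothetical device: stores a template and a key, releases the key on a close match."""
    def __init__(self, enrolled: bytes, threshold: int):
        self.template = enrolled
        self.threshold = threshold
        self.stored_key = os.urandom(32)  # lives on the device, not derived from the finger

    def unlock(self, scan: bytes):
        if hamming(scan, self.template) <= self.threshold:
            return self.stored_key
        return None

def demo() -> dict:
    rng = random.Random(42)  # fixed seed so the constructed scans are repeatable
    finger = bytes(rng.getrandbits(8) for _ in range(32))  # constructed template
    other = bytes(rng.getrandbits(8) for _ in range(32))   # a different finger
    scan_a, scan_b = noisy_scan(finger, 10, rng), noisy_scan(finger, 10, rng)
    lock = FingerprintLock(finger, threshold=40)
    return {
        "password_repeatable": derive_key(b"IiL1l") == derive_key(b"IiL1l"),
        "similar_password_differs": derive_key(b"IiL1l") != derive_key(b"1iLlI"),
        "scan_keys_differ": derive_key(scan_a) != derive_key(scan_b),
        "scan_distance": hamming(scan_a, scan_b),
        "same_finger_unlocks": lock.unlock(scan_a) == lock.stored_key,
        "other_finger_unlocks": lock.unlock(other) is not None,
    }
```

Two scans of the same finger differ by only a few bits yet derive unrelated keys, which is why the lock has to keep both the template and the key and fall back to a threshold comparison.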
3

Let's first take a look at the effectiveness of biometrics.

Biometric technologies are evaluated on three basic criteria:

False reject rate: percentage of authorized users who are denied access.

False accept rate: percentage of unauthorized users who are granted access.

Crossover error rate: the level at which the number of false rejections equals the number of false acceptances.

Among all possible biometrics, only three human characteristics are usually considered truly unique:

Fingerprints, retina of the eye, iris of the eye

The crossover error rate is the point at which false reject and false accept rates intersect; it's possibly the most common and important overall measure of accuracy for a biometric system. Adjustment to one extreme creates a system that requires perfect matches and results in a high rate of false rejects, but excessive false accepts. The trick is to find a nice balance between the two (near the point at which the two error rates are equal).

Most of the technologies that scan human characteristics convert these images to some form of minutiae. Each subsequent access attempt results in a measurement that is compared with an encoded value to verify the user's identity. A problem with this method is that the human body changes due to illness, injuries, etc.

Fingerprints don't change but can be hard to read if a person has big wear on fingers.

Fingerprints:

Universality: Medium, Uniqueness: High, Permanence: High, Collectability: Medium, Performance: High, Acceptability: Medium, Circumvention: High

Question:

> are there any known or potential security concerns?

Yes. A system that uses biometrics as a security solution needs to have a good TCB (trusted computing base) to enforce security policy. This refers to the rules of configuration for a system. The TCB is made up of the hardware and software that has been implemented to provide security for a particular information system (operating system kernel and a specified set of security utilities, such as the user login subsystem). Weak hardware and software == weak login system that can be bypassed.

> Are fingerprints easily recoverable from the cases of phones?

Not easy, but possible.

> Can an average hacker with full access to your phone try guessing "passwords" that represent your fingerprint?

Depends on the TCB (hardware and software). In weak software, sure, it's possible.

> How unique and complex is a fingerprint compared to a password?

Fingerprints are considered truly unique.

Source: Michael E. Whitman (Ph.D., CISM, CISSP), Principles of Information Security, 2015

JoakimE
  • 2
    *"The trick is to find a nice balance between the two"*: This sentence is really important in your answer. In high-security environments, security prefers legitimate people to be refused entry rather than running the risk of unauthorized access, so the balance goes in favor of FRR. On consumer products like cellphones, however, the manufacturer does not want to be blamed by consumers because of its "always broken" digital fingerprint reader ("broken" meaning here legitimate users failing to unlock their phone), so I suspect the balance will be largely in favor of FAR, reducing the security even more. – WhiteWinterWolf Oct 06 '16 at 13:02
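The false reject rate, false accept rate and crossover error rate defined in the answer above, computed over constructed match scores (an added example, not part of the original answer or its source). The two Gaussian score distributions and the rule "accept when the score is at least the threshold" are assumptions; a real evaluation uses scores recorded from the matcher under test.

```python
import random

def rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when a match score >= threshold is accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # owners rejected
    far = sum(s >= threshold for s in impostor) / len(impostor)  # strangers accepted
    return frr, far

def crossover(genuine, impostor, steps=100):
    """Sweep thresholds over [0, 1]; return (threshold, FRR, FAR) where the
    two error rates are closest, i.e. the empirical crossover error rate."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(genuine, impostor, t)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (t, frr, far)
    return best

def clamp(x):
    """Keep a score inside the [0, 1] range."""
    return min(1.0, max(0.0, x))

def constructed_scores(seed=7, n=2000):
    """Constructed sample data: genuine attempts score high, impostors low."""
    rng = random.Random(seed)
    genuine = [clamp(rng.gauss(0.75, 0.10)) for _ in range(n)]
    impostor = [clamp(rng.gauss(0.35, 0.12)) for _ in range(n)]
    return genuine, impostor

if __name__ == "__main__":
    g, i = constructed_scores()
    for t in (0.45, 0.65):  # lenient versus strict threshold
        frr, far = rates(g, i, t)
        print(f"threshold={t:.2f}  FRR={frr:.3f}  FAR={far:.3f}")
    t, frr, far = crossover(g, i)
    print(f"crossover near threshold={t:.2f}  FRR={frr:.3f}  FAR={far:.3f}")
```

Lowering the threshold trades false rejects for false accepts, which is the adjustment the comment above expects consumer devices to make.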
3

The problem of a phone protected by a fingerprint is that the phone glass is likely to have your fingerprint on it, unless you always wear gloves. So if an attacker can isolate one fingerprint from the phone, he can build an image of it and pass it on the scanner. It does require specific technology (think of TV Experts...), but IMHO it is much simpler than guessing a correct password. I acknowledge that for stealing what lies on my personal phone, the gain/cost ratio is still far below 1 and an attacker will probably not even try it. But if my phone was to contain really sensitive data, I would not rely on only a fingerprint.

A fingerprint is only a correct authentication system if someone controls that it is really the fingerprint of your own finger.

Serge Ballesta