
According to Apple, with Touch ID the probability of a fingerprint matching is 1:50000, while the probability of guessing a four-digit passcode is 1:10000. Statistically speaking, this would make Touch ID five times more secure. But the answer isn't that simple. Reconstructing a fingerprint is far easier than reconstructing a passcode. Although a fingerprint is unique, you are basically walking around with the security key on you at all times. I see having a fingerprint as like having the four digits of a passcode, just not in the right order (is this the right thinking, though?).

Regardless, I'm not interested in a passcode. I'm interested in a password. Software applications allow you to log in to social media, online transactions, and even bank accounts. Is a 1:50000 ratio really that secure when compared to a password, especially when looking at such sensitive data? I am more interested in what happens after the attacker has the password or fingerprint, not so much in brute-forcing methods. With a strong password it seems as though the odds are much greater. Although a fingerprint is unique per person, a password is unique per situation. If I have your fingerprint I have your email, your social media accounts, and your bank information. Whereas with a password I may only have your Facebook.

Is fingerprint scanning growing rapidly solely because of convenience, or is it more secure for the typical user? Advertisements claim it is more convenient and more secure. However, is this normally the case?

Gavin Youker
  • The fact that you normally don't abandon your phone unwatched adds some security to it. An attacker would need to steal your fingerprint and your phone; the technique may be easy, but doing it unnoticed probably isn't. Also a 4-digit passcode could be shoulder surfed while your fingerprint can't – Mr. E Dec 05 '16 at 20:20
  • To cite someone who [hacked TouchID on the iPhone 6](https://blog.lookout.com/blog/2014/09/23/iphone-6-touchid-hack/) and [iPhone 5s](https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/): *TouchID is not a “strong” security control. It is a “convenient” security control.* – Steffen Ullrich Dec 05 '16 at 20:25
  • Passwords are easier to keep secret than fingerprints. And passwords are easier to replace if they have leaked. – kasperd Dec 05 '16 at 22:43
  • Not exactly related to security, but worth noting: in the United States, a court cannot compel you to unlock a device with a password, but they can with a fingerprint. The distinction being one is information in your mind, the other is forcing you to touch something with your finger. – LTME Dec 05 '16 at 23:58
  • @LTME what if you have them written down somewhere? Some sort of physical/digital copy. – J Sargent Dec 06 '16 at 00:07
  • Highly recommended reading: [Your unhashable fingerprints secure nothing.](http://hackaday.com/2015/11/10/your-unhashable-fingerprints-secure-nothing/) – Wildcard Dec 06 '16 at 01:38
  • Possible duplicate of [How secure is using your fingerprint for password against opportunist thieves?](http://security.stackexchange.com/questions/138827/how-secure-is-using-your-fingerprint-for-password-against-opportunist-thieves) – Josef Dec 06 '16 at 08:56
  • Hmmmm. Is that your finger? – AstroDan Dec 06 '16 at 13:14
  • "A fingerprint is not your password. It is your username." – David Tonhofer Dec 06 '16 at 23:43
  • @DavidTonhofer Who said this? – Gavin Youker Dec 06 '16 at 23:44
  • @GavinYouker I can't remember, really. Somebody in a comment section once, I think. Or maybe someone in an interview in IEEE Security & Privacy, but probably the former. – David Tonhofer Dec 06 '16 at 23:49
  • On the scale of Secure to Convenient I would say it leans more towards Convenient than passwords do. – miva2 Dec 07 '16 at 10:40
  • It's a common topic in security. Many people confuse identity and password. For example, e-mail, fingerprint, credit card number, phone number, social security number, bank account number - those are all your identification, not passwords. The sad thing is that they are often used like passwords :/ Passwords are secrets, identities aren't - the confusion leads to complications like masking card numbers to keep them useful as identification at least to some extent, while (hopefully) eliminating their acquired password role. – Luaan Dec 07 '16 at 12:06
  • A phone is something you **have**; a fingerprint is something you *have*, and a password is something you *know*. It's better to have one of each than two of the same. Not to mention that you leave fingerprints literally everywhere and 99.999% of people will not start wearing gloves every second. – Chris Cirefice Dec 07 '16 at 18:58
  • Apple's "1 in 10000 for a four digit passcode" comparison seems a little disingenuous. Poppycock, I say. Every extra character you add to that passcode increases the security exponentially. Get it above 10 or 12 digits and guessing it becomes quite a large task, certainly much more secure than 1 in 50000. 10 or 12 digits is hard to remember, you say? 10 digits is just a phone number. 20 digits is just two phone numbers. Touch ID is about convenience, not security. Also bear in mind that somebody can always forcibly place your thumb on that Touch ID button, even if your thumb is dead. – Craig Tullis Dec 11 '16 at 18:59
  • @Mr.E a sufficiently motivated attacker could physically relieve you of both your phone and your fingerprint, but not your password. – Craig Tullis Dec 11 '16 at 19:03
  • @Craig I think you are misinterpreting what I am saying. I am asking if a 1:50000 chance is really *that* good of odds because in my opinion, a password is stronger. – Gavin Youker Dec 11 '16 at 21:24
  • The issue is that a 4-digit passcode is not at all secure. In that case, the thumbprint reader is going to be more secure. But the longer the passcode, the stronger the security. The search space for a 4-digit number-only passcode is 11,100 permutations. That's in line with Apple's 1:10000 estimate. Presuming only 1,000 guesses/second, that passcode is compromised in 11 seconds. 5 digits gets you almost 2 minutes, 6 digits buys 20 minutes, 7 digits buys over 3 hours, 8 buys almost a day and a half, 9 buys 2 weeks, 10 buys 4.24 months, 11 buys 3.5 years, 12 buys 35 years, 13 buys 3.5 centuries. – Craig Tullis Dec 11 '16 at 21:33
  • @SteffenUllrich, I fail to see how TouchID is more convenient than typing in a 3-digit passcode? – Pacerier Nov 06 '17 at 20:19
  • @Wildcard, Technically they are hashable. You'd just have to hash a zillion representations. – Pacerier Nov 06 '17 at 21:02

8 Answers


The fingerprint does act as the sole means of authentication for accessing the device, but not for accessing secured services or sites. It therefore does not serve the same role as a password.

Typically the fingerprint authentication is used as a second factor of authentication, the first factor being physical possession of the device on which the fingerprint sensor is hosted. And there may be other factors too, such as the traditional password.

For example, if you have an online banking app, you will usually have to enter your user name and password first, then tell the app that you wish to turn on Touch ID. Later, when you wish to use the app, the device will authenticate the fingerprint, then retrieve the password from password storage and submit that to the server proper, which authenticates the password. If you don't have the device, the fingerprint is useless. And if the device doesn't have the password, the device is useless too.

Bottom line: You can't just use the fingerprint by itself. And no, it's not as secure as the password, unless the password is very, very short.

John Wu
  • "then retrieve the password from password storage and submit" -- Enabling Touch ID means your password gets stored (unhashed) on the device? Does this mean that enabling Touch ID possibly makes your password accessible to someone that gains access to your device? – elmer007 Dec 06 '16 at 14:00
  • Depends on the app, of course. However, many consumers use their phone browser's "Remember me" feature which can store a password on the device, yes. – John Wu Dec 06 '16 at 17:46
  • @elmer007 The real answer is, it might as well give you the password. If you log into an app using just your fingerprint, it means the device is either storing your password, or it's storing something that can be used to log into the site/app/whatever, which makes it nearly as good as a password. – Patrick M Dec 07 '16 at 01:59
  • The first factor being physical possession of the device and the second factor is a fingerprint which can most likely be obtained from the device. So if someone steals your phone and your fingerprint is on the screen/case, he can use that to log in. – Josef Dec 07 '16 at 11:21
  • "And if the device doesn't have the password, the device is useless too": that is another big drawback of using fingerprints: they are all over your phone! Anyone stealing your phone has a very high probability of retrieving fingerprints as well. (If you use a (good) password, unless you tape it on your phone yourself, or use it in a non-encrypted browser's password storage, it's not readily accessible when the phone gets stolen) – Olivier Dulac Dec 07 '16 at 12:12
  • @JohnWu, So is this 3-way authentication? – Pacerier Nov 06 '17 at 22:11
  • @Pacerier I am not sure what you mean by "this" in your sentence, but I don't see anything in this thread that indicates any site enforcing 3FA. The banking site would not require you to have the Touch ID or even the phone, since you could install the app on any device you wish. – John Wu Nov 06 '17 at 22:36
  • *"The fingerprint does act as the sole means of authentication for accessing the device, but not for accessing secured services or sites"*: not if your password manager uses fingerprints: https://myki.com/ – Andrea Ligios Jan 10 '19 at 09:01
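The flow this answer describes (first login with username and password, then the fingerprint gating a stored credential that the server still verifies) and the point raised in the comments (the device must hold something the server will accept) can be modelled end to end. The following is an added example, not Apple's Touch ID, Keychain or any bank's code: the enclave, the exact-match "fingerprint" and the SHA-256 counter-mode stream cipher are stand-ins chosen to keep the illustration self-contained.

```python
"""Toy model of fingerprint-gated credential storage.  Added example, not code
from the original page; Enclave, the exact-match template and _xor_stream are
deliberate simplifications of the real components."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


class Server:
    """The bank's server: stores salted password hashes, never sees a fingerprint."""

    def __init__(self):
        self._users = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(self._derive(password, salt), stored)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Enclave:
    """Stand-in for the Secure Enclave: a per-device key released only after the
    presented fingerprint matches the enrolled template (real matchers are fuzzy;
    exact byte comparison is an assumption here)."""

    def __init__(self, template):
        self._template = template
        self._key = os.urandom(32)

    def key_after_match(self, fingerprint):
        return self._key if hmac.compare_digest(fingerprint, self._template) else None


def _xor_stream(key, nonce, data):
    """Toy counter-mode stream cipher with a SHA-256 keystream; encrypt == decrypt."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class Device:
    """The phone: keeps the password encrypted under the enclave key."""

    def __init__(self, enclave):
        self._enclave = enclave
        self._store = {}

    def enable_touch_id(self, fingerprint, user, password):
        key = self._enclave.key_after_match(fingerprint)
        if key is None:
            return False
        nonce = os.urandom(16)
        self._store[user] = (nonce, _xor_stream(key, nonce, password.encode()))
        return True

    def stored_password(self, fingerprint, user):
        """After a match the device necessarily has the cleartext password again:
        this is the exposure the comments above ask about."""
        key = self._enclave.key_after_match(fingerprint)
        if key is None or user not in self._store:
            return None
        nonce, ciphertext = self._store[user]
        return _xor_stream(key, nonce, ciphertext).decode()

    def login_with_fingerprint(self, fingerprint, user, server):
        password = self.stored_password(fingerprint, user)
        return password is not None and server.login(user, password)


def demo():
    """Constructed scenario; returns the outcome of each check."""
    server = Server()
    server.register("alice", "correct horse battery staple")
    alice_finger = b"alice-template"                 # constructed template bytes
    phone = Device(Enclave(alice_finger))
    phone.enable_touch_id(alice_finger, "alice", "correct horse battery staple")
    other_phone = Device(Enclave(alice_finger))      # same finger, no stored credential
    return {
        "fingerprint_on_enrolled_phone": phone.login_with_fingerprint(alice_finger, "alice", server),
        "wrong_fingerprint": phone.login_with_fingerprint(b"mallory-template", "alice", server),
        "fingerprint_on_phone_without_password": other_phone.login_with_fingerprint(alice_finger, "alice", server),
        "password_readable_once_unlocked": phone.stored_password(alice_finger, "alice")
        == "correct horse battery staple",
    }
```

Run `demo()` and the four outcomes line up with the answer: the fingerprint works only on the phone that holds the credential, a wrong finger gets nothing, and once the enclave has released its key the device can hand back the password itself.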

Usability vs. Security Matrices aren't resolved with dependent Biometric Authorization & Authentication

For example, before I start, have a look at how the basic foundation of security is built in matrices:

It can be easily concluded that High Security unfortunately comes with low usability features.

How Do I know This?

I have been doing ongoing research on secure architectural implementation of possible authorization & authentication mechanisms using both iOS & Android. The framework isn't decided, & with all the research experience, I have nailed down a few points here which might be worth noting down.

Possible Risks

  1. If it were to be the primary security protection to access critical assets, there are traders who can knock off an individual in person, chop off his thumb & log in. It could be that simple for those who have finance data kept behind secure login (primary use case) procedures.
  2. Other threats could involve having the print collected using high-resolution imaging & then applying image processing techniques to produce a clone of the thumbprint & use it later by having it imprinted on thin plastic filament. That way there is a second bypass possible here.
  3. Materials used in building a phone might collect prints, & afterwards the specific part can be physically taken apart to have them cloned & used for security bypasses.

In contrast to using normal passwords, the latter could be in the user's mind, solving the problem of being physically compromised. All it needs is user security-level awareness of keeping the password & login strict to a compliant firm type e.g. PCI-DSS, etc. (in cases of financial data fraud).

There's usability, but then there's security. Hence, more usability will lead to obviously broader security risk surfaces. Therefore, the following is worth consideration when using biometric devices:

  1. iris (L)
  2. thermogram (L)
  3. DNA (L)
  4. smell (L)
  5. retina (L)
  6. veins [hand] (L)
  7. ear (M)
  8. walk (M)
  9. fingerprint (M)
  10. face (M)
  11. signature (H)
  12. palm (M)
  13. voice (H)
  14. typing (M)

Note: H for (High), M for (Medium) & L for (Low) risks.

Let's conceptualise the same in matrices as per basic construct mentioned earlier & see if it matches the criteria:


Overall Risks Factors:

The physical attack

Offer a clean glass of champagne to the target victim during a social physical event, and manage to recover the glass to get a high definition picture of the target fingerprints.

The storage attack

All these fingerprints have to be stored either locally or centrally. Steal the Phone5 of the target victim and through physical interfaces get the internal content and attack the stored and encrypted fingerprint. If they are stored centrally, since we aren't in the magic space-time where 0 probability lives, this central storage will get broken sooner or later.

The algorithmic attack

As with any other authentication technique, fingerprint reading, storing and comparing will use algorithms. Hence this authentication is also exposed to algorithmic attacks.

The aforementioned methods have risks. There's an important point about biometric authentication that many of the commercial installations respect, but which is not immediately obvious: Banks should never rely on biometrics to supply both authentication and identification. Biometric measurements are useful, but they're in no wise unique. Two people may not have the exact same fingerprint, hand geometry, or iris patterns, but the measurements are often lossy enough to allow for collisions. Biometrics need to be just one part in a multi-factor authentication system & hence can be fit when 2FA & Biometric go side by side.

Other Usability Limitations:

Aside from these risks, other limitations include the following:

  1. Error rate - false accepts and false rejects are still unacceptably high for many types of biometrics.
  2. User acceptance - still not widely trusted by users; The various privacy concerns are still quite high, and the idea that a part of your body is now a security mechanism is still not relevant to some citizens.

The OP's question compares the same with traditional passwords; hence traditional password schemes are less probable & have less exposure to threat surfaces than the prior biometric security mechanisms. Being more compliant, keeping the traditional passwords, & making biometrics optional after prior login methods have been successful might be the take-away.

Shritam Bhowmick
  • Fellow security researcher here: I am really curious about your research! Would you mind sharing links to publications, ongoing topics of interest etc etc? – Mark Dec 06 '16 at 17:02
  • How is the screenshot of a table of contents related to the rest of the post? Sure, it is about security, but it still seems a bit disconnected to me. – Anders Dec 06 '16 at 17:03
  • Also, the TOC shows a research of just 3 pages? Saying that you are currently researching the area is good to know, but showing a 3 pages work is not meaningful. I would suggest to remove the image. – Zanon Dec 06 '16 at 17:54
  • @Zanon wait, that's not an embedded document viewer? – Michael Dec 06 '16 at 20:31
  • @Anders would appreciate your focus on an answer rather than a mere TOC; how is it relevant to improvement on the post? – Shritam Bhowmick Dec 06 '16 at 20:57
  • @ShritamBhowmick I have no comments on the rest of the answer. I just did not understand what the TOC did there, so I asked. – Anders Dec 06 '16 at 21:00
  • @Anders the point of detailing it is to showcase that relevant prior research was conducted. Additionally it's not 3 pages .. it's a basic skeleton draft copy alongside the original, which shall be published recently. – Shritam Bhowmick Dec 07 '16 at 08:07
  • It looks like [voice is pretty much out the window](https://www.youtube.com/watch?v=I3l4XLZ59iw) as far as any kind of security goes. – Wayne Werner Dec 07 '16 at 14:19
  • @Wayne Werner yes, it looks like so. Many thanks for sharing this valuable info, unlike the rest ... I truly appreciate that you could add more value to this one. – Shritam Bhowmick Dec 07 '16 at 19:00

A fingerprint should never be used as a password. It might be used as an identifier. You cannot change your fingerprint. If it is your password and your account has been compromised, there is no way to set a new 'password' because you can't get new fingerprints. But it might not be ideal as an identifier either. I didn't know, but apparently fingerprints aren't that unique, like you said in your initial post.

roel
  • You can change your finger, and you can get a new fingerprint with a thumb tack and some lemon juice. – cde Dec 06 '16 at 19:53
  • @cde Will fingerprint scanners actually work on a deformed finger like that, though? They work badly enough on well-formed fingerprints, I'd expect this would make them even worse. – Luaan Dec 07 '16 at 12:32
  • @luaan depends on how they are deformed. If you sand or bite the hills and valleys off, then no. If you simply change them, then yes. – cde Dec 07 '16 at 15:12
  • Using a fingerprint as a password and not being able to change it is why it is so important to use tamper proof security hardware on biometric scanners. Because a fingerprint is scanned and turned into some kind of bit stream, and if that was always the same things would be very bad. So these things often work with an embedded private key and mixing the fingerprint with random salts and such so that each print scan produces a different, but verifiable output. – Zan Lynx Dec 07 '16 at 18:03

A password of any length is much more secure than a fingerprint, at least in the US.

You can't be forced to divulge a password (most of the time). You have no such protection against being forced to give up your thumbprint on your locked device.

> Yet those tiny skin ridges we all share were at the heart of a Virginia court case last week in which a judge ruled that police, who suspected there was incriminating evidence on a suspect’s smartphone, could legally force the man to unlock his device with its fingerprint scanner. While the Fifth Amendment protects defendants from revealing their numeric passcodes, which would be considered a self-incriminating testimonial, biometrics like fingerprint scans fall outside the law’s scope.
>
> “If you are being forced to divulge something that you know, that’s not okay,” said Marcia Hofmann, an attorney and special counsel to digital rights group Electronic Frontier Foundation. “If the government is able through other means to collect evidence that just exists, then they certainly can do that without stepping on the toes of the constitutional protection.”

Not just at the state level: a federal court affirmed this just this year.

Of course, this depends on the laws of your country, as the UK recently made it so not even a court order is required to force you to disclose a password.

To address one of your points:

> Although a fingerprint is unique per person, a password is unique per situation. If I have your fingerprint I have your email, you social media accounts, and your bank information. Where as a password I may only have your Facebook.

Not quite. A fingerprint scanner can track multiple fingerprints, and sides of the same finger. Swipe one way, or on the side, and you have a new data point. I can easily provide 100+ fingerprints on a press type scanner. Much more on a swipe style scanner. And of course, the typical person only has a handful of passwords used, so from a social aspect, a fingerprint and password from the same average person are the same in practice in terms of how much you could expect to access.

cde
  • At least in the UK, you can be forced to give up your passwords. Compare https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom. – user Dec 07 '16 at 16:42
  • Fingerprint scanners are usually able to identify a given finger even when you swipe it in a manner that you didn't use to train it on the finger print. So, no, you cannot easily provide 100+ fingerprints. It would be foolish to expect you could provide more than 10. – iheanyi Jul 06 '18 at 14:53
  • @iheanyi it's foolish to say that when anyone who uses a phone or computer fingerprint reader can tell you that's a damn lie. – cde Jul 06 '18 at 17:33
  • I've used fingerprint readers on computers and phones for over a decade. I can tell you that you're wrong. Of the many devices I've had, you could not generate anything nearing 100 or barely more than 10 different fingerprints from just the 10 you possess. If we limit ourselves to fingerprint readers in the past 3 years, I can make the stronger statement that with 10 fingers, you can only get 10 fingerprints. – iheanyi Jul 06 '18 at 21:08

As mentioned in the comment above, a fingerprint is a 'convenient' security control; however, it is not reliable for remote access control.
When dealing with biometric authentication in general, there is one factor that infosec people tend to ignore: the proximity of the biosensor device and the system that uses that device to control access.

> you are basically walking around with the security key on you at all times

So you are leaving your fingerprint traces randomly all over the place, which means your fingerprint could be retrieved and used the same way a stolen password could be. That being said, a system that uses a fingerprint to authenticate a remote user is exposed to the same risk as one which uses a password. The remote system can't check whether it is a legitimate user or not who is being authenticated.

However, even though this might not address the question, when biometric access is used onsite, we can physically identify the users, so we can be sure that only the right users are being authenticated and/or authorized.

elsadek

It can be as secure (conditions apply)

A four-digit PIN or a fingerprint are very good provided that there is something clever in place to mitigate their small keyspaces.

Typically this would be a throttling mechanism which increases the time between the login attempts following a failed authentication. For current iOS versions, the first three attempts are not throttled, then this is a minute, 5 minutes, etc. When you reach 10 attempts (after 1 hour 36 minutes if my calculation is right), you can have the device wiped (if configured so).


This covers the online attack. What about offline?

If it was just a matter of encrypting with a key derived from your short-keyspaced key (PIN, fingerprint), then offline attacks would be easy. The solution was to go through a TPM (which Apple calls Secure Enclave) which

  • generates long (2048+ bits) keys for encryption
  • makes this key available (normally to the OS, but that could be an attacker requesting the key) only after a successful authentication (via the fingerprint/PIN), which is throttled per above.
WoJ
  • Offline attacks can be mitigated by using proof of work, a very computationally expensive hash (like bcrypt). Not very expensive for 1 try ( a couple of seconds), infeasible for a brute force attack – Gianluca Ghettini Sep 13 '17 at 06:38

Neither is more secure. It all depends on the circumstances, as other answers here explain.

What is better is to use both. This is two-factor authentication, a.k.a. "Something you have and something you remember".

A fingerprint on its own is useless if all it allows is a few attempts at guessing a fairly secure password. A stolen password is hard to use if it cannot be entered without being validated by the matching fingerprint.

Personally I detest fingerprint security, because there are brutal people out there who will cut your finger off first and think later. When it doesn't work, you are still minus a finger. If there is a financial account or valuable equipment behind it, I shall always refuse to offer my fingerprint. My bank gave me a battery-operated widget for online banking. To log in I insert my card into the widget and enter my PIN to activate the widget. Then I identify myself to the bank's online site and it gives me a number which I type into the widget. The widget calculates another number which I give to the bank. If that number is as expected, I'm in.

Hacking my computer won't help because the challenge and response are different every time and depend on secret (and time-varying?) logic inside the widget. So a thief has to obtain both my bank card and my widget (normally one is at my house and the other in my wallet), and also obtain both my PIN and my logon ID. It's vulnerable to a burglar breaking into my house and threatening me, but hard to break in any other way.

If you are rolling your own system, here's a free plug for the Google Authenticator app (which lets you combine a password with a smartphone as widget for logon security, at no added cost).

nigel222
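The card-and-widget login described in this answer (site shows a number, card plus PIN turns it into another number, bank checks it) is a challenge/response protocol, and the property the answer relies on, that a captured response is worthless next time, can be shown with both sides in code. This is an added illustration and not the author's bank's scheme or a real EMV-CAP implementation: the per-card secret, the HMAC-SHA256 response function and the 8-digit truncation are assumptions made for the demonstration.

```python
"""Challenge/response login with a PIN-protected card secret.  Added example,
not from the original page; the response function and digit lengths are
assumed, not taken from any deployed banking widget."""
import hashlib
import hmac
import secrets


def _response(secret, challenge):
    """Shared by card and bank: HMAC of the challenge, reduced to 8 digits so a
    human can type it.  Truncation width is an assumption of this example."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """The bank card inside the widget: holds the secret, answers only with the PIN."""

    def __init__(self, secret, pin):
        self._secret = secret
        self._pin = pin

    def answer(self, pin, challenge):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None                      # widget shows an error, nothing to send
        return _response(self._secret, challenge)


class Bank:
    """The online banking site: one fresh challenge per login attempt."""

    def __init__(self):
        self._card_secrets = {}
        self._pending = {}

    def issue_card(self, account, pin):
        secret = secrets.token_bytes(32)
        self._card_secrets[account] = secret
        return Card(secret, pin)

    def challenge(self, account):
        number = f"{secrets.randbelow(10**8):08d}"
        self._pending[account] = number      # replaces any outstanding challenge
        return number

    def verify(self, account, response):
        challenge = self._pending.pop(account, None)   # consumed on every attempt
        if challenge is None or response is None:
            return False
        expected = _response(self._card_secrets[account], challenge)
        return hmac.compare_digest(expected, response)


def demo():
    """Constructed walk-through: a legitimate login, then the attacks the
    answer says the scheme resists."""
    bank = Bank()
    card = bank.issue_card("acct-1", "4321")

    # Normal login: site gives a number, widget (card + PIN) returns another.
    c1 = bank.challenge("acct-1")
    r1 = card.answer("4321", c1)
    legitimate = bank.verify("acct-1", r1)

    # A keylogger on the PC captured r1; replaying it against the next challenge
    # fails because the challenge, and so the expected response, has changed.
    bank.challenge("acct-1")
    replay = bank.verify("acct-1", r1)

    # Stolen card but no PIN: the card produces nothing to type in.
    c3 = bank.challenge("acct-1")
    no_pin = card.answer("0000", c3) is None

    # A failed attempt consumes the challenge; the right answer to c3 arriving
    # afterwards is rejected because nothing is outstanding any more.
    bank.verify("acct-1", None)
    late = bank.verify("acct-1", card.answer("4321", c3))

    return {
        "legitimate_login": legitimate,
        "replayed_response": replay,
        "stolen_card_without_pin_yields_nothing": no_pin,
        "answer_after_challenge_consumed": late,
    }
```

The design choice that matters is that the bank never accepts a response without a challenge it issued itself and drops the challenge as soon as any response is checked, which is what makes a compromised computer, or a shoulder-surfed response, insufficient on its own.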

Apple's "1 in 10000 for a four digit passcode" comparison seems a little disingenuous. Poppycock, I say.

Every extra character you add to that passcode increases the security exponentially. Get it above 10 or 12 digits and guessing it becomes quite a large task, certainly much more secure than 1 in 50000. 10 or 12 digits is hard to remember, you say? 10 digits is just a phone number. 20 digits is just two phone numbers.

Touch ID is about convenience, not security. Also bear in mind that somebody can always forcibly place your thumb on that Touch ID button, even if your thumb is dead.

The issue is that a 4-digit passcode is not at all secure. In that case, the thumbprint reader is going to be more secure, although still not actually secure.

The longer the passcode, the stronger the security. The search space for a 4-digit number-only passcode is 11,100 permutations. That's in line with Apple's 1:10000 estimate. Presuming only 1,000 guesses/second, that passcode is compromised in 11 seconds, while the thumbprint gets you about a minute.

A 5-digit passcode gets you almost 2 minutes, 6 digits buys 20 minutes, 7 digits buys over 3 hours, 8 buys almost a day and a half, 9 buys 2 weeks, 10 buys 4.24 months, 11 buys 3.5 years, 12 buys 35 years, 13 buys 3.5 centuries and 14 buys 35 centuries. A 15 digit, all-number passcode would require up to 35,300 years to crack. 16 digits could take up to 353,000 years. Of course, random chance means it's also possible that any given algorithm will guess the right code within the first 4 attempts, but it's extremely unlikely.

Of course, modern computers using GPUs can perform billions of comparisons per second, so take those years and centuries and tens of centuries with a grain of salt. 16 digits, being guessed at one hundred billion guesses per second (government-level resources) would last about a day and a half. You would improve the security of that 16-character password by increasing the key space (using letters in addition to numbers, upper-case letters in addition to lower-case letters, etc.)

But you get the idea.

Craig Tullis
  • This doesn't answer the question and focuses on the passcode when the OP specifically states that passcodes are not his focus. – schroeder Dec 11 '16 at 21:43
  • @schroeder The OP specifically states that passcodes are in fact his focus, in the sense that he believes passcodes are more secure than thumbprint readers. And he's right, presuming you can use more than 4 digits for your passcode. Of course we're playing a semantics game with "passcode" vs "password." – Craig Tullis Dec 11 '16 at 22:10
  • "Regardless, I'm not interested in a passcode. I'm interested in a password." The semantics are clearly defined by the communicator in this case. – schroeder Dec 11 '16 at 22:16
  • " Of course we're playing a semantics game with "passcode" vs "password." " – Craig Tullis Dec 11 '16 at 22:17
  • It's important to answer the question asked, not what you want to answer. – schroeder Dec 11 '16 at 22:20
  • The entire question is moot if your only security option is a 4-digit PIN (e.g. iPad 4), and the question is insufficient or naive if you're using a device where your only options are thumbprint recognition *or* a long numeric passcode (iPhone 5s/6/6s/7). In which case, if you stick with a 4-digit PIN, the thumbprint is definitely stronger security, but if you go with a 12 or 14 character passcode, that's definitely stronger than the thumbprint reader, and a pass*word* with letters and numbers isn't even an option. – Craig Tullis Dec 11 '16 at 22:20
  • And again, passcode vs password is a semantics game. :) I can argue that I did actually answer the question. – Craig Tullis Dec 11 '16 at 22:21
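Two answers above reason with numbers: WoJ's, that a small keyspace is acceptable only with throttling (and a wipe) in front of it, and Craig Tullis's table of exhaustive-search times at a given guess rate. The following added example, not from the original page, computes both views so they can be compared on the same footing: exhaustive-search time offline, and the success probability an online attacker has when a lockout caps the number of tries. The escalating-delay schedule in `demo()` is an assumption chosen to show the shape of such a policy, not a statement of what any iOS version does, and the "10 tries" budget applied to Touch ID is likewise an assumption for an equal-budget comparison.

```python
"""Keyspace, exhaustive-search time and lockout arithmetic for short codes.
Added example; the lockout schedule and attempt budgets are assumptions."""
import string

DIGITS = len(string.digits)                                # 10
ALNUM = len(string.ascii_letters + string.digits)          # 62
TOUCH_ID_FALSE_MATCH = 1 / 50_000                          # Apple's figure quoted in the question

SECONDS_PER = (("years", 365 * 24 * 3600), ("days", 86_400),
               ("hours", 3_600), ("minutes", 60), ("seconds", 1))


def keyspace(length, alphabet=DIGITS, shorter_too=False):
    """Candidates an exhaustive attacker must cover.  With shorter_too, every
    length from 1 to `length` is counted (attacker does not know the length)."""
    if shorter_too:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet=DIGITS):
    """Worst case for the defender: the attacker walks the whole space."""
    return keyspace(length, alphabet) / guesses_per_second


def human(seconds):
    """Largest unit that fits, one decimal, for readable tables."""
    for name, size in SECONDS_PER:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def online_success_probability(attempts, length, alphabet=DIGITS):
    """An online attacker allowed only `attempts` guesses before wipe/lockout
    succeeds with probability attempts/keyspace against a uniformly random code.
    This, not the raw keyspace, is the figure to set beside 1:50000."""
    return min(1.0, attempts / keyspace(length, alphabet))


def lockout_wall_clock(free_attempts, delays_minutes, total_attempts):
    """Minutes an attacker waits to spend `total_attempts` guesses when the first
    `free_attempts` are unthrottled and each later attempt is preceded by the
    next delay in `delays_minutes` (the last delay repeats)."""
    waited = 0
    for n in range(free_attempts + 1, total_attempts + 1):
        idx = min(n - free_attempts - 1, len(delays_minutes) - 1)
        waited += delays_minutes[idx]
    return waited


def demo():
    """Constructed comparison; values are returned rather than printed so they
    can be checked."""
    rows = {}
    for length in (4, 6, 8, 12, 16):
        rows[length] = {
            "offline_1k_per_s": human(seconds_to_exhaust(length, 1_000)),
            "offline_100G_per_s": human(seconds_to_exhaust(length, 1e11)),
            "offline_1k_per_s_alnum": human(seconds_to_exhaust(length, 1_000, ALNUM)),
            "online_10_tries": online_success_probability(10, length),
        }
    # Assumed schedule: 3 free tries, then delays of 1, 5 and 15 minutes with
    # 15 repeating, wipe after the 10th failure.  Illustrative only.
    rows["minutes_until_wipe_assumed_schedule"] = lockout_wall_clock(3, [1, 5, 15], 10)
    # Union bound on a false match within the same 10-try budget.
    rows["touch_id_10_tries_upper_bound"] = 10 * TOUCH_ID_FALSE_MATCH
    return rows
```

Reading the output: offline, a 4-digit code falls in seconds at any rate and only length (or a larger alphabet) helps, which is Craig Tullis's point; online, with the lockout capping the attacker at 10 tries, the same 4-digit code yields a 1 in 1000 chance of success against roughly 1 in 5000 for ten Touch ID attempts, which is why WoJ's answer says either can be "as secure (conditions apply)" and why the hardware-released key matters: it is what forces the attacker into the throttled online path instead of the offline one.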