Together with a colleague, we discussed the way of biometric authentication and how this works out.
Both of us are only interested in security but far from being an expert on the technical side. Therefore, we are reaching out to you.
The following case should serve as an example:
An employee wants to access a restricted area and needs to authenticate via fingerprint to do so. So, he puts his finger on the scanner which obviously scans his minutiae and compares this to the minutiae known for that user. If the result is within an acceptable corridor of error the scanner signals the door mechanism to unlock.
So far, so good.
But how does this work from a practical, technical side?
- How does the scanner store the authentication information? We guess, the system probably scans the fingerprint and calculates some vendor-specific value from that scan. This information is then hashed and stored in some database/ container.
- How does the scanner compare the information in case of the request for access? Does the scanning device itself produce a hash value and sends this to an authentication server? Is there some offline authentication possible like passing hash values directly on the authentication device?
I see the following risks:
- As soon as I can get hands on the hash value it is a matter of time until the underlying problem for the hashing algorithm will be tackled and I can recalculate the actual fingerprint-data and thus could copy that person as long as the vendor (producer of the device) does not change its way of creating the fingerprint data.
- I can intercept the transmission of the values between device and server.
Are there any other known attacks on such devices except for the counterfeit attacks like feigning a fingerprint to trick the scanning activity itself? We are more focused on the technical side.
Any thoughts on this issue would be greatly appreciated.
