3

Together with a colleague, we discussed the way of biometric authentication and how this works out.

Both of us are only interested in security but far from being an expert on the technical side. Therefore, we are reaching out to you.

The following case should serve as an example:

An employee wants to access a restricted area and needs to authenticate via fingerprint to do so. So, he puts his finger on the scanner which obviously scans his minutiae and compares this to the minutiae known for that user. If the result is within an acceptable corridor of error the scanner signals the door mechanism to unlock.

So far, so good.

But how does this work from a practical, technical side?

  • How does the scanner store the authentication information? We guess, the system probably scans the fingerprint and calculates some vendor-specific value from that scan. This information is then hashed and stored in some database/ container.
  • How does the scanner compare the information in case of the request for access? Does the scanning device itself produce a hash value and sends this to an authentication server? Is there some offline authentication possible like passing hash values directly on the authentication device?

I see the following risks:

  • As soon as I can get hands on the hash value it is a matter of time until the underlying problem for the hashing algorithm will be tackled and I can recalculate the actual fingerprint-data and thus could copy that person as long as the vendor (producer of the device) does not change its way of creating the fingerprint data.
  • I can intercept the transmission of the values between device and server.

Are there any other known attacks on such devices except for the counterfeit attacks like feigning a fingerprint to trick the scanning activity itself? We are more focused on the technical side.

Any thoughts on this issue would be greatly appreciated.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Alex
  • 31
  • 1
  • 3
    While your title is very broad It looks from the body of your question like you essentially ask about the security and risks of fingerprint scanning. There are [several similar questions at this site](https://www.google.com/search?q=site%3Asecurity.stackexchange.com+attacks+against+fingerprint+scanning) so please study these first before asking a new one. If your question is not covered by the others please make clear how it differs from existing answers to get the kind of answer you expect. – Steffen Ullrich Jun 01 '18 at 11:59
  • 1
    have you read the wiki on this topic? https://en.wikipedia.org/wiki/Biometrics – schroeder Jun 01 '18 at 12:52
  • Possible duplicate of [Why do we even use passwords / passphrases next to biometrics?](https://security.stackexchange.com/questions/6349/why-do-we-even-use-passwords-passphrases-next-to-biometrics). I flagged this question as a duplicate of the aforementioned one, as the technical details will most likely differ in every implementation. – Tom K. Jun 05 '18 at 08:36

0 Answers0