Some business laptops have a fingerprint reader, and Windows has the ability to use your fingerprint to log into an account in lieu of a typed password.

I understand that these open up lines of attack because of their physical nature, but I want to know how secure the actual algorithms tied to these fingerprint logons are. As in, how are they stored, what is the keyspace like, and does this open up any brute-force attacks?

Chuu

1 Answer

WBF

Windows, at least as of 2019 in Windows 10, uses the Windows Biometric Framework (WBF) to verify a user's identity. Capturing the data is done through an interface to this framework, and that driver could potentially be exploited, but let's assume it's vulnerability-free and an attacker is only able to work with the data that is captured.

WBS

The Windows Biometric Service adds a first layer of security by preventing applications from accessing the data directly. It requires applications to be authorised with certain privileges to access data, and uses Biometric Units (BUs) to expose devices through a standard interface.

Security

The Trusted Platform Module (TPM) is used to ensure that, given the hardware, software cannot produce a valid authentication without biometrics being supplied.

When the sensor is first detected, a secret is shared between the biometric sensor and the TPM which is never seen again by Windows. For the actual authentication event, WBF opens a session with the TPM and gets an arbitrary number that can be used once (a nonce). This nonce is sent to the sensor, which attempts a match; if the match succeeds, the result is passed to an HMAC utilising the nonce and the identity of the user. The HMAC expires after a few seconds, which is why you readily need to re-authenticate. The point is that no sensitive data is held by Windows.

The rest of your questions are then answered by the strength of the HMAC hashing algorithm: the minimum is SHA-1, and a variety are available as defined in RFC 3278 and RFC 3279.

The last thing to note is that devices have to be marked as secure, and the documentation states that this comes from meeting the following requirements:

  • The matching engine of the sensor must be isolated from the normal OS (for example, using a trusted execution environment)
  • The sensor must support secure input of samples to the isolated matching engine; the content of the samples must never be exposed to the normal OS
  • The matching engine must support secure credential release by implementing the new v4 methods
  • The sensor must support presentation attack detection

LTPCGO
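The nonce-and-HMAC exchange described in the answer above, simulated as an added example. This is not Microsoft's code and not the real WBF or TPM interface; the message layout (HMAC over nonce || user id), HMAC-SHA256, a 5-second nonce lifetime, and exact-match template comparison (real matchers are fuzzy) are all assumptions made for illustration. The point it demonstrates is the one the answer makes: the secret lives only in the sensor and the TPM, so the OS (or an attacker sitting in it) can only relay messages, and a captured tag cannot be replayed, used after expiry, or forged without the secret.

```python
"""
Simulation of the WBF/TPM biometric authentication exchange.
Added illustrative example; the protocol details below are assumptions,
not the actual Windows implementation.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class Sensor:
    """Hypothetical secure sensor: holds the secret shared with the TPM at
    first detection plus the enrolled templates; neither ever leaves it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._templates: Dict[bytes, str] = {}  # template -> user id (constructed)

    def enrol(self, user_id: str, template: bytes) -> None:
        self._templates[template] = user_id

    def match_and_sign(self, sample: bytes, nonce: bytes) -> Optional[Tuple[str, bytes]]:
        """Match the live sample; on success return (user_id, tag) where
        tag = HMAC-SHA256(secret, nonce || user_id). Returns None on no match."""
        user_id = self._templates.get(sample)
        if user_id is None:
            return None
        tag = hmac.new(self._secret, nonce + user_id.encode(), hashlib.sha256).digest()
        return user_id, tag


class Tpm:
    """Hypothetical TPM side: issues single-use nonces and verifies tags."""

    NONCE_TTL = 5.0  # seconds; assumed value for "expires after a few seconds"

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[bytes, float] = {}  # nonce -> expiry time

    def issue_nonce(self, now: float) -> bytes:
        nonce = os.urandom(32)
        self._pending[nonce] = now + self.NONCE_TTL
        return nonce

    def verify(self, nonce: bytes, user_id: str, tag: bytes, now: float) -> bool:
        # Single use: the nonce is consumed whether or not the tag verifies.
        expiry = self._pending.pop(nonce, None)
        if expiry is None or now > expiry:
            return False
        expected = hmac.new(self._secret, nonce + user_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def authenticate(tpm: Tpm, sensor: Sensor, sample: bytes, now: float) -> Optional[str]:
    """The exchange as the OS would drive it: nonce from TPM -> sensor -> tag
    back to TPM. The OS only relays bytes; it never holds the secret."""
    nonce = tpm.issue_nonce(now)
    result = sensor.match_and_sign(sample, nonce)
    if result is None:
        return None
    user_id, tag = result
    return user_id if tpm.verify(nonce, user_id, tag, now) else None


def demo() -> Dict[str, object]:
    """Runs the happy path plus the failure cases a practitioner should expect."""
    secret = os.urandom(32)  # shared at first detection; never seen by the OS again
    sensor, tpm = Sensor(secret), Tpm(secret)
    alice_print = b"constructed-template-alice"  # constructed stand-in for a template
    sensor.enrol("alice", alice_print)

    results: Dict[str, object] = {}
    results["good"] = authenticate(tpm, sensor, alice_print, now=100.0)
    results["wrong_finger"] = authenticate(tpm, sensor, b"constructed-template-mallory", now=101.0)

    # Replay: capture a valid (nonce, tag) pair in the OS and present it twice.
    nonce = tpm.issue_nonce(now=102.0)
    user_id, tag = sensor.match_and_sign(alice_print, nonce)
    results["first_use"] = tpm.verify(nonce, user_id, tag, now=102.0)
    results["replay"] = tpm.verify(nonce, user_id, tag, now=102.0)

    # Expiry: a valid tag presented after the nonce lifetime has passed.
    nonce = tpm.issue_nonce(now=103.0)
    user_id, tag = sensor.match_and_sign(alice_print, nonce)
    results["expired"] = tpm.verify(nonce, user_id, tag, now=103.0 + Tpm.NONCE_TTL + 1)

    # Forgery: software without the sensor/TPM secret cannot produce a valid tag.
    nonce = tpm.issue_nonce(now=104.0)
    forged = hmac.new(b"attacker-guess", nonce + b"alice", hashlib.sha256).digest()
    results["forged"] = tpm.verify(nonce, "alice", forged, now=104.0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```

Note that the TPM pops the nonce before checking the tag, so even a failed attempt burns it; an attacker who intercepts the nonce in the OS gains nothing without the secret, which is exactly why the answer says "no sensitive data is held by Windows".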