2

When I hear that bio-metrics are tougher to crack, it's left ambiguous as to whether they refer to the term 'hack' as simply getting through the system by guessing the password or mimicking the person. So in terms of technical hacking techniques you use such as SQL injection or something similar where you have absolutely no idea what the password is, where do bio-metrics trump (because at the end of the day you are still entering the correct combination of 1s and 0s to gain access)?

yolo

3 Answers

3

The issue with biometrics is that the data being generated depends heavily on the sensor used to capture the data. I have biometrics recorded on my iPhone, my Android and my bank. As all three use different sensors, the data they all have on record is wildly different.

Even if someone steals the data from one of my phones, that data cannot be used to attack my bank, for example. The sensor used on the ATM is different, and the binary data cannot be used to reconstruct my fingerprints. Even if I reuse my fingers on all three services.

On the other hand, if I reuse my PIN on all three, and one leaks, the same PIN can be used for attacking all my phones.

The main vulnerability of biometrics is that they cannot be revoked. If someone manages to grab a high quality picture of my fingerprint, they can make a model of my finger and maybe unlock my devices and my account, and I cannot revoke my fingerprint and issue another.

ThoriumBR
  • But don't most people use different pins anyway? – yolo Apr 23 '20 at 12:54
  • 1
    @yolo that's a pretty strong assumption, I would assume the opposite – multithr3at3d Apr 23 '20 at 13:00
  • Even so, the question specifies more technical methods of access as opposed to physical forms of access such as SQL injection. I've made it more explicit for your convenience – yolo Apr 23 '20 at 13:45
1

"Biometrics" and "pin" are generic terms, you can't really compare them. It'd be like asking why "motorcycles" are faster than "cars". It depends.

PINs are generally numeric passwords with a limited length. You generally don't get much entropy with only a few digits, so PINs are usually considered weak passwords. On the other hand, often PINs are used together with some kind of bruteforce prevention system (like blocking the device after a few failed attempts), so even a weak PIN can become sufficiently secure in some cases.

Biometrics includes a lot of different authentication methods: from keystroke dynamics to fingerprints, from facial recognition to iris scans. This kind of data in theory provides a lot of entropy, so they should be equivalent to a very strong password. In practice though, it totally depends on the specific implementation of the system. Not long ago there were mobile devices with facial recognition that could be unlocked by placing a picture of the owner in front of the camera. Or be unlocked by placing the device in front of the owner's face while they were asleep.

Is biometrics harder to bruteforce? In general, yes, because they usually provide much more entropy.
Is biometrics harder to steal? In general, yes, because PINs can usually be stolen easily by simply shoulder-surfing, or other well-known and easily available techniques (keyloggers). It's harder to make a copy of biometric data (but not impossible).
Is biometrics therefore better? On its own, no, because it has the huge drawback that biometric data cannot be changed. Once it's compromised, the damage is permanent. So while you can get a new card with a new PIN, you can't get a new hand with a new fingerprint.

reed
  • So what you're saying is that when it comes to the raw data that is entered (i.e a string of 1s and 0s), biometrics are *as* secure as PINs? – yolo Sep 21 '20 at 16:40
  • @yolo, no, I said it's generally harder to bruteforce biometrics because it provides more entropy (more 1s and 0s). PINs are usually only a few digits, so they provide less entropy. In specific cases, what I said might not apply (because as I said biometrics and PIN are general terms). – reed Sep 21 '20 at 20:41
0

Aside from what ThoriumBR said above, it would also just be much more difficult to reconstruct biometric data. For example, you can potentially brute force a PIN or dictionary a password, but it is much more difficult to reconstruct a fingerprint with a mold, or to duplicate an iris or retina pattern for a scan.