Usual password authentication systems do not store passwords directly on the server, but only hashes of those passwords. Why do fingerprint authentication systems not offer this possibility?
Does this answer your question? [Is iPhone's fingerprint signature a one-way hash?](https://security.stackexchange.com/questions/43587/is-iphones-fingerprint-signature-a-one-way-hash), [Is there any way to cryptographically hash a human thumbprint?](https://security.stackexchange.com/questions/42384/is-there-any-way-to-cryptographically-hash-a-human-thumbprint) – Steffen Ullrich Jul 03 '20 at 17:22
1 Answer
Password authentication systems check for full equality. If you make a typo in your password, you will not be authenticated*.
You cannot check a fingerprint for full equality; it's a 'scan' and there will always be some minor differences: perhaps you have a small cut in your finger, or you put your finger slightly rotated on the device and the digitalization process displaces a few pixels.
A hash is designed to implement the avalanche effect; a small change in the input causes a large difference in the output. That means that two slightly different passwords or two slightly different fingerprints produce two completely different hashes. If you have the hash of a fingerprint, there's no way of verifying whether it matches a slightly different fingerprint.
*: such a verification system would work by verifying the hash with not only the hash of the actually entered password, but also the hash of all possible typos.
I believe Facebook implements an authentication system similar to what you described about typos. – vikarjramun Jul 03 '20 at 19:40
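As an added illustration of the two points made in the answer (this is example code, not from the original post): hashing two nearly identical "scans" with SHA-256 shows the avalanche effect the answer describes, and the footnote's typo-tolerant check is implemented by hashing a short list of likely typos of the entered password. The 8x8 bitmap standing in for a fingerprint, the password and the list of typo rules are constructed for the demo.

```python
import hashlib
import hmac
import secrets

def sha256_bits(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between SHA-256(a) and SHA-256(b), out of 256 bits.
    For unrelated inputs this lands near 128 however small the input change."""
    return bin(sha256_bits(a) ^ sha256_bits(b)).count("1")

# Constructed stand-in for a fingerprint scan: an 8x8 one-bit-per-pixel bitmap.
SCAN = bytes([0x3C, 0x42, 0xA5, 0x81, 0xA5, 0x99, 0x42, 0x3C])

def rescan_with_noise(scan: bytes, pixel: int) -> bytes:
    """Simulate rescanning the same finger with a single pixel flipped."""
    noisy = bytearray(scan)
    noisy[pixel // 8] ^= 1 << (pixel % 8)
    return bytes(noisy)

def typo_variants(pw: str):
    """Candidates for the footnote's scheme: the entry as typed, Caps Lock on,
    first letter with wrong case, and one adjacent pair of characters swapped."""
    yield pw
    yield pw.swapcase()
    if pw:
        yield pw[0].swapcase() + pw[1:]
    for i in range(len(pw) - 1):
        yield pw[:i] + pw[i + 1] + pw[i] + pw[i + 2:]

ITERATIONS = 100_000  # kept modest for the demo; tune upward in production

def make_record(pw: str) -> tuple[bytes, bytes]:
    """Store only a random salt and a PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def verify_with_typos(entered: str, record: tuple[bytes, bytes]) -> bool:
    """Accept if the hash of the entry, or of any listed typo of it, matches.
    Every extra accepted variant slightly widens what a guesser can hit, so the
    list must stay short and deliberate."""
    salt, stored = record
    return any(
        hmac.compare_digest(
            stored, hashlib.pbkdf2_hmac("sha256", v.encode(), salt, ITERATIONS))
        for v in typo_variants(entered))
```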