Thank you for joining me for part 2 of our two-part series on fingerprint security. In part 1 we covered a lot of background information: the origins of fingerprint analysis and the process of authentication. In this part we will go over the challenges you are going to face and some ideas to make yourself more secure. If you missed part 1, check it out here.
We don’t often think about how much we use a fingertip until we get a paper cut and it becomes painfully obvious. This lack of consideration allows our fingerprints to become obscured by dirt and oil, or damaged during normal day-to-day usage. Accounting for this requires the analysis to be flexible, and that flexibility guarantees that a false acceptance is likely. The problem is compounded because manufacturers also need to assume that your enrollment print may be distorted, creating a very high chance of false positive and false negative results. A recent example that may interest you is the case of the Samsung Galaxy S10. This mobile device uses an in-screen ultrasonic scanner that was rendered pointless when a gel screen protector was installed (BBC.com). The screen protector obscured the details of the print during enrollment to such a degree that any finger was able to unlock the user’s phone. Similar flaws have been found in mobile devices since the iPhone 5s, when it took 30 hours to devise a workaround for an attacker to access a phone (ArsTechnica.com).
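The enrollment problem described above can be seen in a toy matcher. This is an added example, not code from the original article or from any vendor: the minutiae coordinates, the scoring rule, the tolerance and threshold values, and the `enrollment_ok` check are all constructed assumptions, and real matchers are far more elaborate.

```python
import math

# Constructed sample data: (x, y) positions of ridge features (minutiae).
OWNER = [(12, 15), (30, 22), (48, 9), (66, 31), (18, 44), (37, 52),
         (55, 47), (72, 58), (9, 70), (28, 77), (46, 68), (64, 81),
         (15, 95), (34, 90), (52, 99), (70, 93)]
STRANGER = [(20, 8), (41, 18), (59, 25), (75, 12), (8, 35), (27, 38),
            (45, 36), (63, 42), (22, 60), (40, 63), (58, 66), (76, 72),
            (11, 84), (30, 86), (49, 85), (67, 88)]
# Constructed: an enrollment through an obscuring layer keeps only 3 features.
OBSCURED = [(34, 90), (70, 93), (46, 68)]


def match_score(enrolled, probe, tol):
    """Fraction of enrolled features that have a probe feature within tol."""
    if not enrolled:
        return 0.0
    hits = sum(1 for e in enrolled
               if any(math.dist(e, p) <= tol for p in probe))
    return hits / len(enrolled)


def accepts(enrolled, probe, tol=6.0, threshold=0.6):
    """Tolerant decision: dirt and distortion force tol > 0, threshold < 1."""
    return match_score(enrolled, probe, tol) >= threshold


def enrollment_ok(enrolled, min_features=12):
    """Hypothetical quality gate: refuse to enroll a sparse template."""
    return len(enrolled) >= min_features


if __name__ == "__main__":
    print("owner vs. clean template:      ", accepts(OWNER, OWNER))
    print("stranger vs. clean template:   ", accepts(OWNER, STRANGER))
    print("stranger vs. obscured template:", accepts(OBSCURED, STRANGER))
    print("obscured template enrollable:  ", enrollment_ok(OBSCURED))
```

With the same tolerance and threshold, the stranger is rejected against the full template but accepted against the three-feature one, which is why a quality check at enrollment time matters as much as the match threshold.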
A very strong advantage of using passwords to protect your information is that they can be changed at any point, but that is not a feature of your standard fingerprint. It may seem odd to think of the permanence of a fingerprint as a negative when it seems like a pretty strong positive, but consider what happens when there is a data breach and your credentials, in the form of fingerprints, are stolen. High-quality copies of your fingerprints are now publicly available, leaving you in a situation where your fingerprints can never be trusted again. This nightmare scenario has already happened to 5.6 million Americans, most of whom work for the United States Government, when their data was stolen in 2015 (The Washington Post). Lucky for us, there is not an available technology letting us use these pilfered prints, but it is extremely likely that as technology continues to improve we will see replica prints becoming readily available.
We like to think that our fingerprints are unique to us, and that we are going to be the only ones to unlock our phone. The reality is that it is nearly impossible to verify this assertion, and relying on it is risky. We saw previously that researchers were able to identify that some features of a fingerprint are hereditary, which could mean that a duplicate or close match is possible within a family line (ScientificAmerican.com). These similarities make it even more crucial that our scanning technologies and pattern matching be extremely precise, to ensure accurate matches every time.
My biggest concern with using fingerprints for authentication is that we leave copies of them everywhere. It could be likened to leaving a note with your desktop password in every room of your workplace. The entire surface of our body is regularly secreting sweat and oil, and our fingers are no exception (ScientificAmerican.com). We leave this residue behind on every surface we touch, in the exact pattern of our fingerprint. Everyone knows this; it is what we use in criminal investigations to assist with convicting criminals. It also means that it is extremely likely a fingerprint may be reproduced from a latent print left on a smooth surface at any point in your life. In addition to latent prints, I expect that most people can conceive of other methods to extract a fingerprint from someone that do not rely on creating a copy print or on any level of cooperation. In short, it is extremely easy to get a copy of someone’s fingerprint.
After all of that, you most likely think I am strongly against the use of fingerprint technology, but I am truly a huge fan. I think it is a great tool for non-critical identification systems, like a time clock at work, or in combination with additional authentication methods in a Multi-Factor Authentication system. I think it is critical when implementing a convenient security measure that we completely evaluate all of the information available. Hopefully, with everything I have given you, you will now be able to make a safe and informed decision about your security.