If I have learned anything from TV and movies, it is that fingerprints will always perfectly identify the culprit. This dramatization has deeply ingrained a trust in fingerprint technology, and I have never thought twice about using a fingerprint to sign into my phone, or unlock my front door. The reality is not as simple as I had believed. This is part 1 of a 2-part series. The primary purpose is to give you a full understanding of your fingerprints, and how they are used to identify you. The second part will go into depth on the concerns and pitfalls of using your fingerprints as an authentication method, and offer you some additional thoughts to improve your security.
What we call fingerprints are an evolutionary trait, also referred to as friction ridges, and they have a very neat effect on our sense of touch, allowing us to differentiate extremely small differences in height (Nature.com), or sense very small vibrations (Nature.com). We develop our fingerprints in the womb, and they will never drastically change throughout our lifetime. The cause of this permanence is found below the surface of the skin, at the interface of the dermis and epidermis, where the unique pattern is generated by the papillae. During our development, random pressures and movements within the womb generate these folds, creating a unique outcome. While there is evidence to show that some patterns can be hereditary, every fingerprint as a whole is considered unique (Scientific American).
Fingerprints have been used as a unique signature for thousands of years, beginning with ancient Babylon, where a contract was drawn up in clay, and both parties left their thumbprint to prevent forgery and repudiation. Around the same era, China was using ink to impress thumbprints on paper contracts. In the mid-to-late 1800s, comparing fingerprints had become an effective tool for identifying a perpetrator (Wikipedia). Multiple systems were created simultaneously, with the Henry Classification System becoming the dominant method of classification.
Fingerprint analysis (also known as Dactyloscopy) aims to identify, categorize and quantify the unique features found on the pads of your fingers and toes. The Henry Classification System contains three basic patterns: the Arch, the Loop, and the Whorl. These categories can have sub-categories, like the tented arch for example, and may also be classified by which hand and finger they occur on. Basically, this methodology uses a simple mathematical formula created from the details of a set of prints to generate a system of indexing, which made it possible to greatly reduce the number of comparisons needed to identify an unknown print.
In the last two decades, computerization has dramatically improved the process of print identification, first by allowing a computer to run thousands of comparisons an hour, instead of being limited by the speed of a person. Additionally, pattern recognition algorithms have been created that can compare more minutiae more accurately than a human would ever be able to. Previously this technology was restricted to criminal investigations, but like all electronics bound by Moore’s Law, the equipment became smaller, faster and cheaper, until in 2011 Motorola introduced the Atrix 4G with an integrated fingerprint recognition system, followed by the Apple iPhone 5s in 2013. Since then we have seen these scanners installed in a wide variety of mobile phones, computers, and even residential door locks.
There is a significant difference in process and intention between the fingerprint device on your smartphone and the Automated Fingerprint Identification Systems (AFIS) used by law enforcement to identify the owner of a particular fingerprint. Because of these differences in requirements, the two systems accept different levels of erroneous results. It is important to know that the AFIS is accepted to be imperfect; instead of a definitive answer it produces likely matches, which are left to a technician to verify. Even with a human fail-safe, mistakes have been made. In 2004 an Oregon lawyer was positively identified by the FBI as a suspect in a bombing in Madrid, Spain. Brandon Mayfield spent two weeks in custody due to this false identification.
Fingerprint authentication systems in commercial electronic equipment are often referred to as Biometrics: a technology that measures biological characteristics of a body in order to authenticate. Other forms of biometrics include facial recognition, retina or iris scans, or even gait analysis. When we talk about biometric systems there are four possible outcomes of any login attempt:
- False Acceptance. This is where the system incorrectly accepts a login attempt from an unauthorized user as valid.
- False Rejection. This is where the system incorrectly blocks a valid user from accessing the system.
- True Acceptance. This is a case where the system validates a user, because they are authorized to access the system.
- True Rejection. This is where a user who is not authorized is denied access.
When implementing a biometric system, you will want the False Acceptance Rate (FAR) and the False Rejection Rate (FRR) to be as low as possible. This means keeping unauthorized people out consistently, and allowing authorized users easy access without the frustration of retrying multiple times. Pushing the FRR and FAR lower typically requires more intricate hardware and software, which increases cost. Google, as an example, requires that all Android devices with a fingerprint authentication system have a false acceptance rate of no more than 0.002%, and an imposter acceptance rate of no more than 7% (Android.com).
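The relationship between the four outcomes, FAR, FRR and the matcher's decision threshold can be worked through in code. This is an added example, not taken from any vendor or from Android; the scores are constructed, and the trial-count estimate goes beyond the text and assumes independent impostor attempts.

```python
# Added example: the four outcomes, FAR and FRR at a decision threshold.
import math

# Constructed data: (matcher similarity score, attempt is by the enrolled user?)
ATTEMPTS = [
    (0.97, True), (0.91, True), (0.88, True), (0.74, True), (0.52, True),
    (0.81, False), (0.63, False), (0.40, False), (0.33, False), (0.12, False),
]

def outcomes(attempts, threshold):
    """Count the four outcomes when scores >= threshold are accepted."""
    counts = {"true_accept": 0, "false_reject": 0,
              "false_accept": 0, "true_reject": 0}
    for score, genuine in attempts:
        accepted = score >= threshold
        if genuine:
            counts["true_accept" if accepted else "false_reject"] += 1
        else:
            counts["false_accept" if accepted else "true_reject"] += 1
    return counts

def rates(attempts, threshold):
    """Return (FAR, FRR) for the given threshold."""
    c = outcomes(attempts, threshold)
    far = c["false_accept"] / (c["false_accept"] + c["true_reject"])
    frr = c["false_reject"] / (c["false_reject"] + c["true_accept"])
    return far, frr

def lowest_threshold_for_far(attempts, max_far):
    """Most lenient threshold (fewest rejected users) with FAR <= max_far."""
    for t in sorted({score for score, _ in attempts}):
        if rates(attempts, t)[0] <= max_far:
            return t
    return None

def impostor_trials_needed(max_far, confidence=0.95):
    """Error-free impostor attempts needed to support a FAR claim.
    Assumes independent attempts: solve (1 - max_far)**n <= 1 - confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - max_far))

if __name__ == "__main__":
    for t in (0.30, 0.60, 0.85):   # stricter threshold: FAR falls, FRR rises
        print(t, rates(ATTEMPTS, t))
    print("threshold for FAR 0 on this sample:", lowest_threshold_for_far(ATTEMPTS, 0.0))
    print("trials to support 0.002% FAR:", impostor_trials_needed(0.00002))
```

Supporting a 0.002% FAR claim at 95% confidence takes roughly 150,000 impostor attempts with no false acceptance, which is why a handful of tries at home says little about a sensor's real error rate.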
So how does a fingerprint authentication system actually work? While many companies keep parts of the process secret, the premise is the same across all equipment:
Step 1: Capture an image of the print to be analyzed and authenticated.
There are 3 common technologies available to capture a print:
- Optical – This is the oldest method, and uses existing camera technology to create an image of your fingerprint. This method suffers from multiple issues, including sensitivity to skin dampness, dirt and scars, and even difficulty scanning the fingerprints of older people.
- Capacitive – This method uses extremely small sensors that measure the capacitance of small sections of a print, allowing it to detect the ridges and valleys present. These data points are then formed into data that can be processed as a fingerprint. This system is susceptible to damage from static, and suffers from many of the same limitations as optical, like dirt, moisture, and non-elastic skin.
- Ultrasound – This method uses very high frequency sound waves to penetrate the epidermal layer of the skin and generate a reflected image of the print. Because the image of the print is not taken from the surface of the finger, dirt, moisture, and scars have significantly less impact on the quality of the image, and it is possible to put the scanner inside the screen of your favourite smartphone.
Step 2: Analyze the image. This involves cleaning up the data and generating data about the print (like whorls, tents, loops, and other minutiae).
The specific details of this process are closely guarded by the manufacturer, but it entails looking at more details than are used in the Henry Classification System. These minutiae include: Ridge Ending; Bifurcation; Short or Independent Ridge; Island or Dot; Lake or Ridge Enclosure; Spur; Bridge or Crossover; Delta; and Core.
Step 3: Compare the generated data with the internal database of previously authenticated prints, and look for a close match.
In this process the analyzed data is compared to prints previously captured in the enrollment process. To ensure higher accuracy you are often required to sample a print multiple times during enrollment to create a more accurate model of the print.
Step 4: Send a success or failure notification to the device.
After the print is scanned, analyzed, and compared, the results are passed to the software on your device and access is either granted or denied.
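Steps 2 to 4 can be sketched as a toy minutiae matcher. This is an added example, not any manufacturer's algorithm: the minutiae, tolerances and threshold are constructed assumptions, and the probe is assumed to be already aligned with the enrolled samples (real matchers must also handle rotation and translation).

```python
# Added example: toy minutiae matcher covering Steps 2-4 (not a vendor algorithm).
import math

DIST_TOL = 3.0     # max position difference, in pixels (assumed)
ANGLE_TOL = 10.0   # max ridge-direction difference, in degrees (assumed)
THRESHOLD = 0.8    # minimum share of minutiae that must pair up (assumed)

# Constructed minutiae as (x, y, direction in degrees, type).
# Enrollment stores several samples of the same finger (Step 3).
ENROLLED = [
    [(10, 12, 90, "ending"), (25, 30, 45, "bifurcation"), (40, 18, 180, "ending"),
     (33, 44, 270, "bifurcation"), (18, 40, 135, "ending")],
    [(11, 12, 92, "ending"), (24, 31, 43, "bifurcation"), (41, 17, 178, "ending"),
     (33, 45, 268, "bifurcation"), (50, 50, 10, "ending")],
]
GENUINE = [(11, 13, 88, "ending"), (25, 29, 47, "bifurcation"), (39, 18, 182, "ending"),
           (34, 44, 272, "bifurcation"), (18, 41, 133, "ending")]
IMPOSTOR = [(10, 12, 90, "bifurcation"), (26, 31, 200, "bifurcation"), (5, 5, 0, "ending"),
            (45, 45, 90, "ending"), (33, 44, 265, "bifurcation")]

def angle_diff(a, b):
    """Smallest difference between two directions, handling wrap-around."""
    d = abs(a - b) % 360
    return min(d, 360 - d)

def match_score(probe, template):
    """Share of minutiae paired one-to-one by type, position and direction."""
    used, matched = set(), 0
    for px, py, pa, ptype in probe:
        for i, (tx, ty, ta, ttype) in enumerate(template):
            if i in used or ptype != ttype:
                continue
            if (math.hypot(px - tx, py - ty) <= DIST_TOL
                    and angle_diff(pa, ta) <= ANGLE_TOL):
                used.add(i)
                matched += 1
                break
    return matched / max(len(probe), len(template))

def authenticate(probe, enrolled=ENROLLED, threshold=THRESHOLD):
    """Step 4: only a success/failure result leaves the matcher."""
    return max(match_score(probe, t) for t in enrolled) >= threshold

if __name__ == "__main__":
    print("genuine:", authenticate(GENUINE))            # close to enrollment
    print("impostor:", authenticate(IMPOSTOR))          # different finger
    print("partial genuine:", authenticate(GENUINE[:3]))  # smudged capture
```

The partial capture comes from the right finger but pairs only three of five minutiae, so it is refused: a False Rejection produced by capture quality rather than by the wrong user.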
So now that you have all of this new knowledge, and a broad understanding of how fingerprint authentication systems work, you are in a much better position to understand the security implications of using them. In part 2 we will go through the challenges of authenticating with fingerprints, and how you can improve your security with fingerprints.