Questions have been raised about the feasibility of biometrics as an authentication method if the data was hacked.
LogLogic CEO Guy Churchward claimed that while technologically a great idea and as a two-factor authentication it is good, the problem with biometrics is in the fact that you cannot change your fingerprint like you can with a password.
He said: “The issue I have is biometrics are unique to you but once you have your fingerprint scanned it will give a unique data sequence which if compromised is not exactly something you can change.
“So it is good for additional security, but in my honest opinion it is not something you should ever implement as a single phase security system unless you can reverse out of it. Imagine having an option of only one password 'ever'. One loss and you are screwed."
Andrew Clarke, vice president and managing director EMEA at e-DMZ Security, claimed that there was a weakness in fingerprint scanners as while the scanner operates by taking a visual sample of the fingerprint, it cannot determine whether the fingerprint comes from a real finger or not.
Clarke said: “Security consultants have determined then that an artificial finger etched with the correct fingerprint can subvert a fingerprint scanner. To make an artificial finger for the purpose of fooling a fingerprint scanner, a residual impression of the registered fingerprint must first be acquired.
“These can be taken from other objects touched by the individual who has valid access to the system being protected by the biometric fingerprint scanner. Aluminum powder, ninhydrin solutions, and cyanoacrylate adhesives (materials used in crime detection) can be used to enhance these residual impressions.
“If someone gets access to the fingerprint reading device, it is quite possible to 'copy' the image of the fingerprint onto sticky tape and just replay it. I think that the readers are getting more sophisicated nowadays - but not infalliable.”
He claimed that fingerprint authentication is popular as the user does not need to write down a code, so the use of such a solution has to be balanced in light of the security risks possible from alternative solutions.
“As with all authentication, multiple factors increases the effectiveness of the solution. Something you have (fingerprint) combined with something you know (passcode) provides a stronger solution,” said Clarke.
“Clearly in some environments where the authentication is shared between multiple users (such as unix/linux root), a password is necessary since the finger-print is individual. In these cases a robust privileged password management capability is required, so that each time the password is used it is controlled, managed and audited identifying the person using it and then changed by a secure and audited change control system for subsequent use by another user.”
Commenting, David Ting, CTO of Imprivata, claimed that the risk profile for a computer secured using passwords or biometrics when it is lost or stolen is a common concern and any lost computer without full disk encryption and boot-level user authentication represents a significant risk, since the data on the drive can be easily accessed through a variety of creative ways.
He said: “Biometrics authentication compares the biometric data for an unknown user against one or more reference data captured during user enrolment. The matching algorithm converts a captured image, e.g. a finger, to a digital signature that is then used in a fuzzy comparison against the enrolled data.
“The large number of pixels involved in the image (several hundred kilobytes) together with the randomness of the finger being scanned results in the creation of effectively a long ‘password' with significant amount of randomness. This makes the biometric password extremely difficult to recover using any type of brute force attacks. In effect this task can be compared to trying to create an image of a fingerprint by systematically trying to set pixels in an image to different grey values until a print is generated.
“Of course this also assumes that one can gain access to the enrolled fingerprint data which can either be totally server resident or be encrypted and stored locally. All this, of course, is a considerably more difficult task than downloading a password recovery tool and letting it go on a file of hashed passwords.”
He recommended using complex passwords initially to thwart cracking, and layering strong authentication to secure access to the Windows logon with either biometric, one-time password tokens or smartcards to provide additional security in the event the machine is lost, as these offer a higher barrier to systematic cracking.