How safe are fingerprint-scanning and other biometric authentication methods?

Does your company use fingerprint-scanning authentication technology? If so, that technology might not be enough to guard the authentication process for your particular network environment because, as you know, the finger doesn't have to be attached to the body. For that matter, the finger doesn't even need to be a real finger. A recent news story from The Register is a good case in point. In the story "Gummi bears defeat fingerprint sensors," reporter John Leyden describes how Japanese mathematician Tsutomu Matsumoto used gelatin and a plastic mold to reproduce a portion of a finger, including its fingerprint, and defeated 11 different fingerprint-authentication systems in four of five attempts. Taking the process further, Matsumoto lifted a fingerprint from a glass, transferred the print to a rigid flat surface, and used a mold to create a fake gelatin finger. According to the report, the finger fooled scanners about 80 percent of the time.

To receive a copy of the paper in which Matsumoto details this work, send an email message to tsutomu@mlab.jks.ynu.ac.jp requesting a copy. Although that paper isn't available on the Web site, you'll find there a presentation in which Matsumoto discusses biometrics and shows some photographs of the process of creating a fake finger. You can download a copy of the PDF file (about 1.2MB).

Bruce Schneier, founder and chief technology officer (CTO) of Counterpane Internet Security, publishes the newsletter Crypto-Gram. In the May 15 edition, Schneier offers more detail and commentary about Matsumoto's process. According to Schneier, "There's both a specific and a general moral to take away from this result. Matsumoto is not a professional fake-finger scientist; he's a mathematician. He didn't use expensive equipment or a specialized laboratory. He used $10 of ingredients you could buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And he defeated eleven different commercial fingerprint readers, with both optical and capacitive sensors, and some with 'live finger detection' features." Schneier urges us to consider how much more dedicated attackers could do. Schneier warns, "All the fingerprint companies have claimed for years that this kind of thing is impossible. When they read Matsumoto's results, they're going to claim that [Matsumoto's methods] don't really work, or that they don't apply to them, or that they've fixed the problem. Think twice before believing them."

Following the fake finger story, Crypto-Gram offered a link to a news report about paying for merchandise with nothing more than a fingerprint. According to an April 27 article in the Seattle Post-Intelligencer, the West Seattle Thriftway store offers customers a fingerprint-only payment system. The system ties customers' fingerprints directly to their credit cards, checking accounts, and benefit cards and lets them pay for merchandise by simply placing their index finger on a scanner during checkout.

Someone could theoretically use Matsumoto's technique to create a thin "skin" with someone else's fingerprint, lay it over his or her index finger, and go on a shopping spree at someone else's expense. The article about the fingerprint checkout system could mislead uneducated consumers. According to the store owner, the new payment system is foolproof: "People no longer have to worry that their cards will be lost or stolen and then used to run up hefty charges. Stores and credit card issuers will likewise avoid the losses associated with identity theft." Yeah, right. If nothing else, the Matsumoto experiments should keep us all from being lulled into a false sense of security.

The West Seattle Thriftway might have used something a bit more secure for its biometric payment system. Several other options (e.g., facial-recognition units) offer more security. Visionics makes a facial-recognition unit that you can use for network authentication. The company's FaceIt product works as a single sign-on (SSO) tool and as a continuous authentication system. Users are authenticated initially, then reauthenticated as they continue to use the system. This approach helps prevent anyone but the authenticated user from using the authenticated resources. FaceIt uses any video camera that supports Microsoft Video for Windows. The product runs on Windows platforms, Linux, Sun OS, and SGI Irix systems, and the company offers software development kits (SDKs) for custom application development.
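As an added illustration (not code from this article or from Visionics' FaceIt product), the following simplified model shows the continuous-authentication idea described above: a session is opened by one clean match, re-verified at a fixed interval, tolerates a couple of transient misses such as a camera glitch, and locks once the user is no longer in front of the camera. The verifier, threshold, interval and score timeline are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class ContinuousAuthSession:
    """Hypothetical model of a continuously re-authenticated session."""
    verify: Callable[[float], float]   # t -> match score in [0, 1]; assumed stub
    threshold: float = 0.8             # minimum score that counts as a match
    interval: float = 10.0             # seconds between re-verification checks
    max_misses: int = 2                # consecutive misses tolerated before locking
    unlocked: bool = False
    last_check: float = 0.0
    misses: int = 0
    log: List[str] = field(default_factory=list)

    def login(self, t: float) -> bool:
        """Initial authentication: one match above the threshold is required."""
        score = self.verify(t)
        self.unlocked = score >= self.threshold
        self.last_check, self.misses = t, 0
        self.log.append(f"{t:5.1f}s login score={score:.2f} unlocked={self.unlocked}")
        return self.unlocked

    def access(self, t: float) -> bool:
        """Gate every use of a protected resource at time t behind re-verification."""
        if not self.unlocked:
            return False
        # Catch up on every check interval that elapsed since the last check.
        while self.unlocked and t - self.last_check >= self.interval:
            self.last_check += self.interval
            score = self.verify(self.last_check)
            self.misses = 0 if score >= self.threshold else self.misses + 1
            self.log.append(f"{self.last_check:5.1f}s recheck score={score:.2f} misses={self.misses}")
            if self.misses > self.max_misses:
                self.unlocked = False   # user absent for too long: lock the session
                self.log.append(f"{self.last_check:5.1f}s locked")
        return self.unlocked

# Constructed score timeline: a glitch at t=20, then the user walks away at t=40.
SAMPLE_SCORES = {0: 0.95, 10: 0.92, 20: 0.40, 30: 0.91, 40: 0.10, 50: 0.05, 60: 0.07}

def sample_verifier(t: float) -> float:
    """Stand-in for a camera-backed matcher; returns the constructed score for time t."""
    return SAMPLE_SCORES.get(int(t), 0.0)

def run_demo() -> ContinuousAuthSession:
    s = ContinuousAuthSession(verify=sample_verifier)
    s.login(0.0)
    for t in (5.0, 25.0, 35.0, 65.0):
        s.access(t)
    return s
```

Running `run_demo()` shows the session surviving the single glitch at t=20 but locking at t=60 after three consecutive misses.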

BioID makes a facial-recognition product also called BioID. The product uses a combination of facial features, voice patterns, and lip movement to identify a person. BioID uses a standard USB-based video camera and microphone to perform its authentication process. You can learn more about the product at the company's Web site (see the URL below).

If you're interested in other types of biometric security, such as hand-geometry, iris, retina, voice, and signature scanners, a great place to start is the International Biometric Group Web site (see the first URL below). The site offers information about most types of biometric security available today and links to many vendor sites. The following quick reference by security type (see the second through eighth URLs below) will get you started.

In last week's Security UPDATE commentary, I discussed Instant Messaging (IM) software. A different article in The Register, "EDS bans IM", discusses how the computer arm of the British government has banned IM because of its inherent security risks, particularly the way IM products let network traffic bypass certain security systems designed to protect networks. For example, IM software can deliver email and transfer files that bypass virus-scanning software and infect your network. The article offers further evidence that you should weigh the risks of IM before you allow its use in your environment.