Passwords can be difficult. Every time we interact with a new corporation on a digital level, we’re expected to identify ourselves with a password. It’s recommended that we don’t use the same password for every account. We have to come up with increasingly complex combinations of capitals and numbers to satisfy security requirements. When we forget our password, we sometimes must recall if we used the word “street” or its abbreviation when answering a security question about where we grew up. This can be a problem, and every system we use to keep everything organized chips away at the strength of our password’s security, bit by bit. Even then, we’re always one stroke of bad luck or one poor decision away from handing it over to a hacker.
Thank goodness that fingerprint readers are becoming a feature seen in more and more of our digital devices. Bypassing security could soon be a finger stroke away. Only, maybe that’s not the best idea.
CRACKING YOUR FINGERS
It doesn’t get much more personal than biometrics. They measure an inseparable part of our biology. These features are always on us, unique to ourselves, and, for the most part, unchanging. Fingerprint readers are perhaps the most ubiquitous of biometric devices. All the arches, loops, and whorls on the ends of our digits are completely unique to us, and are famously used in forensics to match someone to a crime scene. It seems like the perfect way to confirm to a computer that we are who we say we are. However, it’s those advantages that also weaken the usefulness of fingerprint readers as a security measure.
As personal as fingerprints are, we leave them everywhere we go. Every surface you touch becomes marked with a greasy imprint of your precious fingers. That may seem like an insignificant problem; after all, how does oily residue left from your fingers help anyone get on your phone? The thing is, it doesn’t take much to fool a fingerprint scanner. It’s been proven that high-resolution photographs or molds pulled from the markings are enough to satisfy a computer that it’s you rubbing your digits on it.
That’s all there is to it. For optical fingerprint readers, it’s as simple as finding a decent imprint and pulling a quality photograph or scan of it, then printing it out on a sheet of paper and running it across the scanner. That’s because optical fingerprint sensors do essentially the same thing as any other photo scanner. As you draw your finger across one, it takes a digital image in what’s called a live scan. It then compares the image it pulled against what it has stored to see if there’s a match.
The printout won’t work in every case, of course. While it will work on common optical sensors, most phones and laptops use capacitance sensors, which pull an image in a different way. In cases like these, if the raised ink on a printed photograph doesn’t work, a mold can be pulled using a high-contrast image of a fingerprint and gelatin. Even without the physical methods, brute force and man-in-the-middle attacks work just as easily as they do with passwords. The point is, a fingerprint scanner does very little to ensure that it’s a human that’s rubbing against it.
It’s important to remember that a password can be changed, but your fingerprints are with you forever. Identity theft is bad enough, but you can at least recover from it by changing your passwords and PINs; your fingerprints are stuck with you. One breach of security and you’re compromised for life. What’s perhaps more concerning is how likely it is that you’ve already given someone your prints.
There are many levels of government clearance and certification that require submission of your fingerprints to be databased. Likewise, committing certain offenses also results in turning over the ends of your fingers to be filed away. Even travelling to some other countries for a vacation requires having your fingers scanned at customs, and all of that is stored away. That’s millions upon millions of individual fingerprints, all stored in a few databases. It takes one intrusion before all of them are leaked onto the internet, and the internet never forgets. That’s a lot of keys falling into the wrong hands, all of which can be given the Jell-O mold treatment and used to bypass security.
That may sound dramatic, but don’t let it scare you too much. A point that we’ve stressed frequently is that hackers rarely target users directly; it’s much simpler and more efficient to cast a net using a phishing scam and wait for someone to get snagged. With that in mind, it’s unlikely any of these techniques would actually be used. Most of the above methods are too intensive for random attacks, so they’d only be used against individuals who are protecting extremely sensitive data.
The point to be taken away from this is that fingerprint readers provide little security benefit over passwords, and can, in some ways, be considered inferior. For now, anyway. Biometrics are likely to improve over time, and options like facial or iris recognition have the potential to step in and free us from the scourge of passwords with fewer risks. In the meantime, it’s still not a terrible idea to swipe your finger to get into your devices, but as with any security measure, it’s important to keep its limitations in mind.