Josselin Mouette: Won't people ever learn?
Introducing biometric authentication in our systems is a very good idea. It is the key to two-factor authentication which, while not solving all security issues, can bring a giant leap in terms of security when done correctly.
Everything is in the "correctly".
And I can't say I'm impressed with the way people are developing fingerprint authentication systems. Let's look at the currently emerging standard, fprint, and its security notes:
"In its current state, fprint is not a very secure system: this data is stored on disk in unencrypted form. This data is not readable by other users, however it is possible that the super-user can access it, and also someone with local access could move the disk to another system in order to gain access to the whole disk."
This statement is followed by considerations on how to protect this data from being read, much like passwords are protected by MD5 hashes.
Wait... Yes, they are treating biometrical data like a password. Password-based security relies on the fact that it isn't easy to obtain your password without spying on you or torturing you. But obtaining your fingerprint? Unless you've been wearing gloves for years, this is absolutely trivial. And this is how people focus on the wrong issues.
Biometric data is not a password, and it requires a radically different approach to authentication. You can't just expect the person in front of the computer to provide some data corresponding to the fingerprint. You have to ensure that the person in front of the computer is the one with the correct fingerprint. Biometric device manufacturers have made impressive efforts to ensure fake fingers or cut fingers can't be used, but there is still a giant hole in the security model. While you can now be reasonably sure that the device will only return data corresponding to the person in front of it, you also need to ensure the data processed by the computer comes from the device.
Guess what? These devices are USB-based. And given how USB works, there is nothing that prevents an attacker from plugging a custom device into the USB port and sending the data he wants to the authentication system. Good job, guys. While you're busy hiding easily available data, the house's door is still wide open.
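The requirement stated above, that the host must know the data comes from the device rather than rely on the fingerprint staying secret, shown as an added example that is not part of the original post or of fprint. It assumes a hypothetical sensor that matches on-device and holds a provisioned secret key; `GenuineSensor`, `RogueUsbDevice`, `DEVICE_KEY` and the other names are illustrative.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; nothing here comes from fprint or a real reader.
DEVICE_KEY = secrets.token_bytes(32)   # assumption: secret provisioned into the sensor
ENROLLED_TEMPLATE = b"constructed-template-alice"  # treated as public knowledge


def naive_host_accepts(usb_data, stored_template):
    """The criticised model: whoever sends the right bytes over USB gets in."""
    return hmac.compare_digest(usb_data, stored_template)


class GenuineSensor:
    """Hypothetical reader that matches on-device and authenticates its verdict."""

    def __init__(self, key, template):
        self._key, self._template = key, template

    def respond(self, nonce, finger):
        ok = hmac.compare_digest(finger, self._template)
        verdict = b"match" if ok else b"nomatch"
        tag = hmac.new(self._key, nonce + verdict, hashlib.sha256).digest()
        return verdict, tag


class RogueUsbDevice:
    """Custom device: knows the fingerprint data, but not the sensor's key."""

    def __init__(self, replay=None):
        self._replay = replay  # optionally a (verdict, tag) pair seen earlier

    def respond(self, nonce, finger):
        return self._replay or (b"match", secrets.token_bytes(32))


def host_authenticate(device, finger, key=DEVICE_KEY):
    """Accept only a 'match' verdict bound to this attempt's nonce by the key."""
    nonce = secrets.token_bytes(16)  # fixed length, fresh per attempt
    verdict, tag = device.respond(nonce, finger)
    expected = hmac.new(key, nonce + verdict, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected) and verdict == b"match"
```

Hiding or hashing `ENROLLED_TEMPLATE` changes nothing in the first function's outcome; only the keyed, nonce-bound response distinguishes the real sensor from a device that merely knows the fingerprint.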