Fingerprints and Passwords: A Guide for Non-Security Experts
Today Apple announced that the iPhone 5S will have a fingerprint scanner. Many of us in the security community are highly sceptical of this feature, while others saw this as a smart security move. Then of course there are the journalists who see fingerprints as the ultimate password killer. Clearly there is some disagreement here. I thought I’d lay this out for those of you who need to better understand the implications of using fingerprints vs or in addition to passwords.
Biometrics, like usernames and passwords, are a way to identify and authenticate yourself to a system. We all know that passwords can be weak and difficult to manage, which makes it tempting to call every new authentication product a password killer. But despite their flaws, passwords must always play some role in authentication.
The fact is that while passwords do have their flaws, they also have their strengths. The same is true with biometrics. You can’t just replace passwords with fingerprints and say you’ve solved the problem because you have introduced a few new problems.
To clarify this, below is a table that compares the characteristics of biometrics vs passwords, with check marks where one method has a clear advantage:
|Difficult to remember||Don’t have to remember|
|Requires unique passwords for each system||Can be used on every system|
|Nothing else to carry around||Nothing else to carry around|
|Take time to type||Easy to swipe/sense|
|Prone to typing errors||Prone to sensor or algorithm errors|
|Immune to false positives||Susceptible to false positives|
|Easy to enroll||Some effort to enroll|
|Easy to change||Impossible to change|
|Can be shared among users 1||Cannot be shared|
|Can be used without your knowledge||Less likely to be used without your knowledge|
|Cheap to implement||Requires hardware sensors|
|Work anywhere including browsers & mobile||Require separate implementation|
|Mature security practice||Still evolving|
|Susceptible to physical observation||Susceptible to public observation|
|Susceptible to brute force attacks||Resistant to brute force attacks|
|Can be stored as hashes by untrusted third party||Third party must have access to raw data|
|Cannot personally identify you||Could identify you in the real world|
|Allow for multiple accounts||Cannot use to create multiple accounts|
|Can be forgotten; password dies with a person||Susceptible to injuries, aging, and death|
|Susceptible to replay attacks||Susceptible to replay attacks|
|Susceptible to weak implementations||Susceptible to weak implementations|
|Not universally accessible to everyone||Not universally accessible to everyone|
|Susceptible to poor user security practices||Not susceptible to poor practices|
|Lacks non-repudiation||Moderate non-repudiation|
|1 Can be both a strength and a weakness|
What Does This Tell Us?
As you can see, biometrics clearly are not the best replacement for passwords, which is why so many security experts cringe when every biometrics company in their press releases claim themselves as the ultimate password killer. Biometrics do have some clear advantages over passwords, but they also have numerous disadvantages; they both can be weak and yet each can be strong, depending on the situation. Now the list above is not weighted–certainly some of the items are more important than others–but the point here is that you can’t simply compare passwords to biometrics and say that one is better than the other.
However, one thing you can say is that when you use passwords together with biometrics, you have something that is significantly stronger than either of the two alone. This is because you get the advantages of both techniques and only a few of the disadvantages. For example, we all know that you can’t change your fingerprint if compromised, but pair it with a password and you can change that password. Using these two together is referred to as two-factor authentication: something you know plus something you are.
It’s not clear, however, if the Apple implementation will allow for you to use both a fingerprint and password (or PIN) together.
Now specifically talking about the iPhone’s implementation of a fingerprint sensor, there are some interesting points to note. First, including it on the phone makes up for some of the usual biometric disadvantages such as enrollment, having special hardware sensors, and privacy issues due to only storing that data locally. Another interesting fact is that the phone itself is actually a third factor of authentication: something you possess. When combined with the other two factors it becomes an extremely reliable form of identification for use with other systems. A compromise would require being in physical possession of your phone, having your fingerprint, and knowing your PIN.
Ultimately, the security of the fingerprint scanner largely depends on the implementation, but even if it isn’t perfect, it is better than those millions of phones with no protection at all.
There is the issue of security that some have brought up: is this just a method for the NSA to build a master fingerprint database? Apple’s implementation encrypts and stores fingerprint locally using trusted hardware. Whether this is actually secure remains to be seen, but keep in mind that your fingerprints aren’t really that private: you literally leave them on everything you touch.