NCSAM/2011–Post 13–What’s a fingerprint–name or password?
I’ve given a couple of arguments about names and why they shouldn’t be treated like passwords now, and because I always like to turn problems into classes of problems to be solved (the “meta-approach”), I figured a long time ago that I should decide what it is that makes a name different from a password, and whether I could apply that to the security world as a whole.
A Name is a Claim
A name is a claim of your identity. “Hello, I’m Bob,” says the badge – but anyone could wear that badge, much to the consternation of any real Bobs who happen to be bobbing around in the background. [Another name for a claim is an “assertion”, but the term “claim” seems to have won out in recent security discussions.]
An identity claim is best when it’s unique – so that claiming to be “Bob” is only useful if no one other than the one, true “Bob” gets to use that name.
A Password is a Proof
Your password, by comparison, is a proof of your identity.
Your password is not unique – which is good, because if you set your password to “frebbot”, and the system told you “that password is not unique”, you’d have a relatively easy time of going through each user on the system to find out who had that password.
Occasionally, systems are proposed where the entry of a password is all that is required to establish an identity – the proof is needed, but the claim is not. This is an example of a truly pathological case of unique passwords, in which you don’t even need to guess whose account has the password that you’ve just been denied.
So, what’s a fingerprint?
I’ll readily admit to enjoying using a fingerprint reader as a convenience device on my home computer. It’s a great way of quickly logging on to a system that no more than about four legitimate users are registered on, so I’m not going to say that fingerprints are unusable in all cases.
However, by the descriptions above, your fingerprint serves as both a claim of an identity, and a proof of that identity.
This alone rings alarm bells, and is a reason not to use it in an environment such as an enterprise, where hundreds, maybe thousands, of people are registered, and where a relatively simple few mistakes in reading a fingerprint could result in being identified as an entirely different user.
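The difference between "claim plus proof" and "proof only" can be shown with a toy matcher. This is an added example, not code from the original post: the 64-bit templates, the match threshold, the user names and the random "stranger" readings are all constructed assumptions, and no real fingerprint matcher works this simply.

```python
import random

BITS = 64        # assumed template size for this toy model
THRESHOLD = 20   # assumed: readings within 20 differing bits count as a match

def distance(a, b):
    """Number of bits in which two templates differ (Hamming distance)."""
    return bin(a ^ b).count("1")

def enroll(n, rng):
    """Register n users, each with a random constructed template."""
    return {f"user{i}": rng.getrandbits(BITS) for i in range(n)}

def verify(db, claimed_name, reading):
    """Claim + proof: the reading is compared with one template only."""
    template = db.get(claimed_name)
    return template is not None and distance(template, reading) <= THRESHOLD

def identify(db, reading):
    """Proof only: the reading is searched against every enrolled template."""
    best = min(db, key=lambda name: distance(db[name], reading))
    return best if distance(db[best], reading) <= THRESHOLD else None

def false_accept_rates(n_users, trials=300, seed=2011):
    """Fraction of unenrolled readings accepted under each scheme."""
    rng = random.Random(seed)
    db = enroll(n_users, rng)
    names = list(db)
    verified = identified = 0
    for _ in range(trials):
        stranger = rng.getrandbits(BITS)   # a reading from nobody enrolled
        verified += verify(db, rng.choice(names), stranger)
        identified += identify(db, stranger) is not None
    return verified / trials, identified / trials

if __name__ == "__main__":
    for n in (4, 1000):
        v, i = false_accept_rates(n)
        print(f"{n:5d} users: claim+proof {v:.3f}, proof only {i:.3f}")
```

With the claim supplied, the false-accept rate stays at the matcher's per-comparison error whatever the population; without it, every additional enrolled user is another chance for a wrong match.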
Other reasons to distrust fingerprints
There are, of course, further reasons why I would discourage security practitioners in business from using fingerprints as a security measure.
- Hygiene. Fingers are dirty appendages, thrust into ears, mouths and noses on regular occasions, and having a shared device whose designed purpose is to wipe fingers across seems to be a problem, even if you are far from being a germophobe. The only device I have with that purpose in mind is a hanky, and I wash those after each day in which I use them.
- Bad matches. False negatives are inconvenient, but not greatly so. False positives are disastrous, as you cannot predict who is going to be hit by them. There are a number of high-profile cases of individuals who have been misidentified in criminal cases by partial fingerprints, or rotated fingerprints (imagine, a supposedly unique identifier that becomes non-unique when you add a consideration of rotation by right-angles).
- Revocation. If you ever do find two people whose fingers match, you can’t replace them with non-matching fingers. OK, so you can, but fewer than a dozen times.
- Failure. Some individuals don’t register as having fingerprints. As with any biometric, there will be people who can’t use it – whether because they have no fingers, or simply no recognisable fingerprints.
- Theft. Steal a Mercedes S-class and realise you need a fingerprint to unlock it. OK, so kidnap the owner so that you can steal the car. Then realisation dawns that you don’t need all of the owner. Just the finger.
- Mathematical rigour – or lack of it. We really don’t know how fingerprints form, and there aren’t sufficiently large studies to back up the use of a fingerprint as an entirely unique identifier. There are cases of mistaken conviction from fingerprint evidence that demonstrate fingerprints can be matched to people who didn’t plant the prints.
- Scientific rigour – lack of. Addressing the issue of the theft of a finger, some fingerprint readers claim to not be fooled by excised fingers. To make such a claim with any scientific rigour, they would have to have tested a finger several times for low false reject rate while attached, and then tested it for false accept rate once detached. I can’t see anyone volunteering for that study.