How Secure Is Microsoft's Fingerprint Reader?

Moos3d asks: "I recently found out about this Microsoft Fingerprint Reader at the library and ever since then I have been fascinated by using something like this for my own PC. How secure is this compared to using multiple 10+ character long passwords? Some people I've talked to seem to think it isn't safe at all and some people seem to think it is only safe for casual use. I only plan to use it for online forums and other applications that don't require great measures of security so it seems to be perfect for me, but how secure do you think it really is?"

Not very

[DarkHand]

Dan of dansdata.com debunks the myth of 'secure' fingerprint readers in his review of a Lifeview Finger ID machine here.

A fingerprint is just a password...

[swillden]

... but one that can't be changed and gets left lying around on a regular basis, but also can't (easily) be lost.

Against a casual attacker (all most of us really have to worry about), it's perhaps slightly more secure than the average password and it's much more convenient.

Against a sophisticated attacker, a fingerprint alone is much weaker than any password, unless you have a habit of writing your password on everything you touch. Yes, all of the fingerprint scanners claim to offer liveness verification, but in practice every time someone has seriously tested the claims, they've fallen down.

If you need really high security, a password is better than a fingerprint, but it's even better to use both. Of course, if you need really high security, you shouldn't be using a standard PC with a common operating system, and I'm not just talking about Windows. Everyday PCs are wide open to an attacker that has physical access to them, regardless of what OS you're running. A TCPA-enabled OS would be slightly better, but not much since the TCPA standards don't require any tamper resistance on the TPM, so a clueful attacker with physical access will almost certainly pwn your machine anyway.

IMO, and this is closely related to my day job, for low security and high convenience, go with a fingerprint. For moderate security, use either a good password or a combination of password/fingerprint or password/smart card or fingerprint/smart card. If you need high security, hire someone to help you figure out how to do it right.

Very Unsecure

[Methuseus]

From the reviews by security experts, this is less secure than most other fingerprint readers used in non-consumer applications. It takes a less precise reading of your finger than just about any other fingerprint reader, especially those used in most "secure" applications.

There's also the fact that it sends and stores the fingerprint info, mainly unencrypted, on the local hard drive so that it can match it. If you can get that information and which points need to match, it's relatively easy to make a fake that will match.

Not very...

[JackAsh]

First things first: This is a Windows only device. I'm sure someone will figure out how to get it working with something else, but it comes with software for Windows only.

This is the Digital Persona http://www.digitalpersona.com/ fingerprint scanner, rebranded by Microsoft. I actually use some of their older sensors at home, they're fairly cheap and easy to use.

How secure are they? Not very - these are the same sensors that can be bypassed with highly advanced Nasa Gummi Bear Technology. Yeah, get some latent prints, extrude them with superglue and a couple other items, then pour melted gummi bears into the mold to make a cool new fingerprint that can bypass the sensor.

That being a given, they are pretty damn cool, and extremely convenient. You just come over to your Wintendo XP system, put your finger on the sensor and you are in. You can whip up authentication for websites and applications in no time (although I haven't figured out yet how to get it to authenticate me into World of Warcraft). It really is a "password database" system, unlocked with a fingerprint.

BTW, if you decide to buy these go with Microsoft's sensors - Digital Persona is notoriously stingy with application upgrades. Not that it matters, the supplied software still works with my newest WinXP perfectly, but I feel kinda weird running the 1.0.3 version of a product now in 2.x. MS has traditionally been pretty good about providing updated software for their hardware.

The way I look at it, it can keep people (friends, girlfriend, visitors) away from your Windows box without requiring you to enter a password every time you come back to it:

Now you can press windows-L, get up, get a coke, come back, give the pc the finger (preferrably middle ;) and get back to browsing pr0n without anyone getting into your session ;).

Not only that, but it will even allow for Fast User Switching just by putting in someone else's finger. Bonus!

-Jack Ash

Just as secure as any other

[Pan+T.+Hose]

It is completely useless, just as any other authentication relying on sending data that is not secret. This is really getting old... Ley me quote a 1998 article on biometrics by Bruce Schneier:

Biometrics are seductive: you are your key. Your voiceprint unlocks the door of your house. Your retinal scan lets you in the corporate offices. Your thumbprint logs you on to your computer. Unfortunately, the reality of biometrics isn't that simple.

Biometrics are the oldest form of identification. Dogs have distinctive barks. Cats spray. Humans recognise each other's faces. On the telephone, your voice identifies you as the person on the line. On a paper contract, your signature identifies you as the person who signed it. Your photograph identifies you as the person who owns a particular passport.

What makes biometrics useful for many of these applications is that they can be stored in a database. Alice's voice only works as a biometric identification on the telephone if you already know who she is; if she is a stranger, it doesn't help. It's the same with Alice's handwriting; you can recognize it only if you already know it. To solve this problem, banks keep signature cards on file. Alice signs her name on a card, and it is stored in the bank (the bank needs to maintain its secure perimeter in order for this to work right). When Alice signs a check, the bank verifies Alice's signature against the stored signature to ensure that the check is valid.

There are a bunch of different biometrics. I've mentioned handwriting, voiceprints, and face recognition. There are also hand geometry, fingerprints, retinal scans, DNA, typing patterns, signature geometry (not just the look of the signature, but the pen pressure, signature speed, etc.), and others. The technologies behind some of them are more reliable than others, and they'll all improve.

"Improve" means two different things. First, it means that the system will not incorrectly identify an impostor as Alice. The whole point of the biometric is to prove that Alice is Alice, so if an impostor can successfully fool the system it isn't working very well. This is called a false positive. Second, "improve" means that the system will not incorrectly identify Alice as an impostor. Again, the point of the biometric is to prove that Alice is Alice, and if Alice can't convince the system that she is her then it's not working very well, either. This is called a false negative. In general, you can tune a biometric system to err on the side of a false positive or a false negative.

Biometrics are great because they are really hard to forge: it's hard to put a false fingerprint on your finger, or make your retina look like someone else's. Some people can mimic others' voices, and Hollywood can make people's faces look like someone else, but these are specialized or expensive skills. When you see someone sign his name, you generally know it is him and not someone else.

Biometrics are lousy because they are so easy to forge: it's easy to steal a biometric after the measurement is taken. In all of the applications discussed above, the verifier needs to verify not only that the biometric is accurate but that it has been input correctly. Imagine a remote system that uses face recognition as a biometric. "In order to gain authorization, take a Polaroid picture of yourself and mail it in. We'll compare the picture with the one we have in file." What are the attacks here?

Easy. To masquerade as Alice, take a Polaroid picture of her when she's not looking. Then, at some later date, use it to fool the system. This attack works because while it is hard to make your face look like Alice's, it's easy to get a picture of Alice's face. And since the system does not verify that the picture is of your face, only that it matches the picture of Alice's face on file, we can fool it.

Similarly, we can fool a signature biometric using a photocopier or a fa

fingerprint is worst

[deanpole]

Fingerprints make terrible biometric keys because you leave your fingerprint everywhere, unlike your password or retinal scan. Yes, fingerprints give that cool "we take security seriosly" aura, but are false security. Gelatin fingerprints are easy to construct from a fingerprint image, and difficult to detect when worn. Moreover once your fingerprint is compromised it is difficult to change. Doh!!!

Re:How do you plan to use it?

[Johnny+Mnemonic]

hey don't support this (at least majority of forums I know

Having looked at the linked product, it appears that the thumbprint device unlocks a cache of stored passwords on the host PC, and the cache then transfers the (text) user name and password to the input fields of the websites. So the websites would not have to be compatible with the thumbprint device per se; it just has to allow autocompleted user/pass info. And most do.

That being the case, is this much more secure than a password protected password cache, ala Apple's Keychain? Probably not. I wonder if the thumbrprint reader even bothers to encrypt the print between the reader and the host PC; if not, with a USB sniffer like a keylogging device you're no more secure.

But let's say that the reader does encrypt the print--maybe it does. Do you think it's easier to get my print (glass, gummy bear, etc) or to read my mind for my password? And as another poster pointed out--I can change my password and therefore limit my vulnerability window to whatever temporal limit I choose. OTOH, if my thumb is compromised then I only get one more chance.

Re:A place where it works

[Johnny+Mnemonic]

The nurses would otherwise be typing in passwords about 300 times a day, as the computers lock whenever someone isn't standing at them

They really use thumbprint scanners? What if the nurse has gloves on/a cut/some liquid on their finger? What if the scanner is dirty or scratched? That seems like a strange thing to do.

Probably more likely is that they use Common Access Cards which would be just as secure as a thumbprint, but would also allow one to decertify the existing cards and force a periodic new key to be issued, say every few months--thereby expiring any exploitation of the previous code.

Ask Microsoft

[linuxwrangler]

According to Microsoft: "The Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks."

Um. Isn't "sensitive data" the reason that pages are password-protected in the first place?

So apparently the Microsoft Fingerprint reader is so insecure that even Microsoft can't recommend using it. Now that's scary.