
Gartner analyses developments - "Matsumoto's work will send would-be hackers off to the grocery store, just to see what can be done."
Published: 22 May 2002 17:00 GMT
Fingerprint scanners can be tricked. But combined with other security measures, such as PINs (personal identification numbers) and smart cards, they can be made practically foolproof.
Event
On 16 May 2002, it was reported that a Japanese cryptographer, Tsutomu Matsumoto, had tricked fingerprint recognition devices with false fingerprints created by using widely available and cheap materials and a digital camera. He claims to have fooled fingerprint detectors four out of five times.
First Take
The vulnerabilities of fingerprint scanners to false fingers are well-documented. Gartner warned in 1998 it was possible to fool fingerprint scanners. The well-publicised demonstrations by Matsumoto using household gelatin and photosensitive hobbyist circuit board material contain no surprises. However, many scanner makers still cling to the belief that fingerprint technology cannot be defeated.
Matsumoto's demonstrations point to the importance of the proper deployment of these technologies. In crucial applications, fingerprint technology should be used under qualified supervision. Under these circumstances, it can deliver near-certain identification of an individual.
This approach is most successful in situations where an individual would prefer not to be identified but has no choice. Immigration, social security, drivers' licences and the justice system are all examples of situations where the individual yields some options in exchange for rights or as a result of past actions. Fingerprint readers here can be basic but need to be supervised.
For desktop and notebook security, fingerprints remain more secure than passwords. However, a second identifier such as a PIN is preferable for both security and privacy reasons.
There is no reason to stop deployment of fingerprint readers for basic log-on processes, as long as it is understood that the readers can be fooled. Depending on the value of the data and the likelihood of attack, different levels of precaution need to be applied. Such precautions include, in ascending order of resistance to attack:
- PIN
- Smart card and PIN
- Smart card with matching capability and PIN
For desktop computers in a secure environment, the basic fingerprint reader is adequate. Notebook computers should add a PIN to defend against reconstruction of false fingers from latent fingerprints. Network security systems should use a PIN by default to protect the user's privacy and increase the resistance of the system to external attack.
Matsumoto's work will send would-be hackers off to the grocery store, just to see what can be done. This increase in knowledge will lead to increased attacks. Gartner recommends users of fingerprint security review their installations for the risk and cost of attack by false fingers, and increase security measures where appropriate.