June 16, 2016
There are several fundamental problems with using biometrics such as fingerprints, facial recognition etc for authentication. It’s even more problematic when encryption is involved.
There are two major problems with using biometrics for authentication.
- If there is no other human actually watching you ‘apply’ the biometric, it’s really hard to ensure that the biometric is really attached to the real person. Think 3D-model of face, or chopped off thumb :-( .
- You can’t change your face or your fingerprint, and it’s not a secret, so once that knowledge is in the wrong hands it’s a technological arms race against physical and electronic spoofing devices such as fake thumbs or thumbprint reader bypass technology just to name a few. You’re for ever stuck with your face and your fingers.
This makes it pretty clear that pure biometric authentication is only suitable when the asset being protected is of sufficiently low value that an attacker will not find the cost and risk of bypassing it worthwhile.
The current trend of incorporating fingerprint authentication in mobile devices is troubling. The value represented by a modern mobile device, including the assets potentially reachable indirectly such as online accounts, could easily make spoofing worthwhile. In some parts of the world it does not require too much imagination to envision people being robbed not only of their phones as today, but of a fingertip at the same time tomorrow.
We already have a situation where identity theft is a major headache. But this can actually be handled, even if the process is hampered by outdated systems and laws. If biometrics continue to gain headway, we may get a group of people who will never fully integrate into society since their biometrics once stolen can never by recovered or changed. The theft may occur individually, or from corporate or government databases.
While the likelyhood of a national or corporate fingerprint database leaking is perhaps low, it’s not zero. With time it will happen. Once it’s happened it can never be undone.
A stolen password on the other hand, is comparatively trivial to change.
Biometrics for encryption
Quite frequently we get requests for integrating various forms of biometrics into AxCrypt instead of, or as complements to the password. The problem here is that properly designed encryption systems assume an attacker has huge resources and full knowledge of everything. Except one single piece of information: the decryption key. This is all that must be kept secret, and it must also be kept secret. Everything depends on this key being secret. In AxCrypt terms the password is ultimately the key that must be secret.
A fingerprint is unique, but it is not secret and it cannot be changed. It is entirely unsuitable to use directly or indirectly as an encryption key.
It is possible to do what mobile device manufacturers do, to use internal trusted hardware as the guardian of the secret keys which will only release the secrets if authenticated by for example a fingerprint. This is how Apple Touch ID works. But, remember the caveats of biometric authentication mentioned above. The internal trusted hardware can always be fooled by a sufficiently well made device or artifact, and frequently the required fingerprint is even found all over the device itself!
Svante, Developer and Co-Founder AxCrypt AB.