Okay, seriously...How Secure is Biometric Fingerprint Reader

[IBMorBust]

I need to know if the rumors of insecurity amongst T42 biometric fingerprint scanners are true.

There are rumors that people can defeat these using a "gummy bear" imprint, or other such methods.

Does anyone have a credible source on info regarding the veracity of such statements and comments?

Thank you very much in advance. This is a really important issue for me.

[Leon]

see this....

http://www.theregister.co.uk/2002/05/16 ... t_sensors/

[Orbitz]

Thats scary....

[craigg]

No security option is 100% flawless. Given the resources almost any system can be compromised. With that being said, the biometric scanner adds one more level of protection that would take a very determined individual or government agency to crack.

[egibbs]

I think if you look at the track record, ANY type of hardware lock has a useful life of 6 months to a year before hacks are widely available for it. Beyond that I'm not a big fan of bio-metrics in general, too much snake oil around.

As far as the fingerprint reader in particular, the big drawback that I see is that it has no way of knowing if the user is willingly swiping their finger, has a gun to their head, or has been beaten to a bloody pulp and their severed finger is being swiped. Yes, a severed finger will reportedly work for a couple hours afterward.

I don't have anything THAT important on my laptop, but if I did I'd use a good open source encryption program with a nice strong passphrase. There are ways to force someone to divulge their passphrase, but they take longer.

Ed Gibbs

[RonS]

That trick won't work on the Thinkpad's fingerprint reader.

On the Thinkpad, you have to swipe your finger over the reader. As you do, the ridges of your fingerprint are read as changes in electrical properties detected by the sensor, and a map is constructed of your fingerprint.

The trick described at theregister is for sensors where you lay your whole fingerprint down at once, and your fingerprint is read in one operation without swiping. If those sensors "see" your fingerprint (even with the gummi bear trick), you're in.

IBM's swipe technology (developed by UPEK) is much more secure, and is also a smaller form factor.

Here is a good discussion on fingerprint reader technology: http://www.pc.ibm.com/us/pdf/Fingerprin ... _paper.pdf

When the fingerprint authentication on the Thinkpad is combined with hard drive password protection, the hard drive is very secure. From what I've read, the only way to defeat the hard drive protection is to open the drive in a clean room, and re-build the drive by physically moving the platters to another housing.

[Orbitz]

Very good info. I read somewhere that someone was developing a product that would send a signal to your laptop and melt the hard drive down completely the next time it was on the net. As I recall, what ever they were sending to the laptop was delivered in seconds and was not able to be stopped even if pulled off line etc. Seemed like an interesting idea...even if you found the machine or it was returned all you would be out is the cost of a new hard drive.

Of course, the only thing on my laptop someone might find useful is my rip of Meet the Fockers

[Leon]

I hope it doesn't get too hot while it's melting .

[a31pguy]

Noted cryptographer Bruce Schneier, the founder and CTO of Counterpane Internet Security, described Matsumoto's work as more than impressive.

Biometrics are still an emerging field. The better way to do biometrics is multi-factor authentication. Something you have (or are) and something you know (a password). This is strong authentication and is used by banking and the military. Your ATM card is strong authentication: You must have the ATM card and also know the PIN.

Simply depending on one factor (something you are) such as a fingerprint is always a risk. It's like simply asking for the ATM card or asking for the PIN to access your money.

Look at it this way - if there was something you cared about a great deal - would you just look at one factor to protect it? Off course not - so the better way to use the biometric reader is to combine it with a password. That way even if I had a gummy bear and your fingerprint - I would still need the password to access your system. But it has the additional value of reducing the number of people who might even have the chance to enter the password. An even better way would be to combine it with video cam - facial recognition software, a finger print reader, and a password. This would be three factor authentication and would be more secure than RSA securids because they use more factors to compute access.


The biggest problem with Biometrics is the hygenic problem. Asking someone to put the finger on a piece of glass or a reader is asking to spread germs and viruses. The power app for Biometric is non-invasive readers like Iris scanners or facial recognition which doesn't require contact.