The U.S. government recently announced that 5.6 million fingerprint records were stolen along with other valuable data from the breach they publicized earlier this year. Since many of your clients have iPhones that use fingerprint scanning for security, they may be wondering what could happen if their fingerprint data was stolen.
With fingerprint authentication, you do not need to remember and enter a password to access a device. You just place your finger on a fingerprint scanner. If your fingerprint matches the scanned image on file, you gain access.
More and more devices are using fingerprint authentication, including smartphones and notebooks. But is using fingerprint authentication a good idea? To answer this question, you need to know how fingerprint scanners work, along with their advantages and disadvantages.
How Fingerprint Scanners Work
No two people have the same fingerprint. Even identical twins have different fingerprints. Thus, fingerprints can be used for identification purposes.
There are two main types of fingerprint scanners: optical and capacitance. Optical scanners use charge-coupled devices (CCDs) to get a fingerprint image. They work a lot like traditional scanners. Capacitance scanners use electrical current to obtain fingerprint images. Their images have a higher degree of fidelity than the images made with an optical scanner. Plus, capacitance scanners require an actual fingerprint shape to work, making it harder to fake fingerprints.
Most optical and capacitance fingerprint scanning systems do not compare the entire fingerprint when checking a fingerprint against the scanned image on file. They compare specific features of the fingerprint, which are known as minutiae. They use complex algorithms to recognize and analyze minutiae patterns.
All the minutiae patterns in the fingerprint and in the scanned image on file do not have to match for fingerprint scanning systems to allow access to devices. They simply have to find a sufficient number of minutiae patterns in common. The exact number depends on the programming in the fingerprint scanning system.
The Advantages of Fingerprint Authentication
Fingerprint authentication has several advantages over authentication systems that use passwords, personal identification numbers, or access cards. Here are some of the most noteworthy advantages:
- Users cannot create weak fingerprints or forget them.
- Users cannot misplace their fingerprints.
- Criminals cannot guess a fingerprint pattern.
- If a mobile device using fingerprint authentication is lost or stolen, its contents cannot be easily accessed.
Because fingerprint authentication is convenient for users but not criminals, many device manufacturers are beginning to use this type of authentication. For example, the iPhone 5S and newer models use capacitance scanning to provide fingerprint authentication.
The Disadvantages of Fingerprint Authentication
Fingerprint scanning systems are not infallible. Optical scanners cannot always distinguish between a high-resolution picture of a finger and the finger itself. Even capacitive scanners can sometimes be fooled by an artificial fingerprint. There are documented cases where fingerprint scanners have been duped with fingerprints lifted from glasses, CDs, and other items. The process is time-consuming and requires a lot of expertise. You first need to enhance the fingerprint and get a high-quality digital image of it. You then need to turn the image into a mold in which you can pour gelatin or silicon to make the fake fingerprint.
Already having a digital scan of a fingerprint would make the process easier and less time-consuming, potentially making it more lucrative to criminals. In September 2015, they learned that their fingerprint scans were stolen during the U.S. Office of Personnel Management (OPM) data breach that occurred earlier in the year. The OPM data breach was massive.
Federal experts believe that the ability to misuse fingerprint data is currently limited, but this could change over time as technology evolves, according OPM Press Secretary Sam Schumach. A group with expertise in this area will be reviewing the potential ways adversaries could misuse fingerprint data now and in the future.
This group’s activities will likely give little comfort to the 5.6 million federal employees who had their fingerprint scans stolen. While passwords, personal identification numbers, and access cards can be changed, fingerprints cannot be. As a result, they will likely have to worry about becoming victims the rest of their lives.
“While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread,” said Tim Erlin in an eSecurity Planet interview. Erlin is the director of IT security and risk strategy at Tripwire. “Most iPhones can use a fingerprint for authentication these days, and criminals always look for the most profitable targets.”
One way the 5.6 million federal employees can protect themselves at home is to use more than one type of authentication to access their devices. This is referred to as multifactor authentication.
Using Multifactor Authentication Is Best
With multifactor authentication, you use two or more types of credentials to access a device. The main types of credentials are often described as:
- Something you know. Examples include passwords and personal identification numbers.
- Something you have. Examples include access cards and fobs.
- Something you are. Examples include fingerprint and retinal scans.
Using fingerprint authentication with another type of authentication can provide a high degree of security. For more information about using multifactor authentication, talk to your IT service provider.