Okay, so we should all be well aware of what a fingerprint is – it’s the pattern of ridges on most people’s fingers, the one that gets left in smudges on glass doors.
What can it be used for?
The question arises as I look at my Microsoft Fingerprint Reader, and try to explain why a fingerprint reader is purposely disabled from authenticating an account to a domain.
Let’s first get into what is needed to log on to a system. In computer science terms, you need a claim of identity, and you need one or more pieces of evidence, that together will suffice as proof of identity.
Think of the bank ATM as an example – your debit card is the claim of identity (because it contains your account number), and it’s also a piece of evidence (because you cannot use the ATM without the card). Your PIN is a second form of evidence; with the card and your PIN, you claim and prove your identity for the purposes of the ATM’s operations.
Logging on to a domain is similar – you provide a username, which is a claim of identity, and you provide a password, which is the evidence used as proof of identity.
What differentiates a claim of identity from a proof of identity? That’s a little subtle.
A claim of identity is any information that uniquely identifies a person, or a role, or an identity, such that it can be used by the computer to look up that identity. Your ATM card is a claim of identity, because it contains the account number(s) to which you are allowed access, in a form that the ATM can use to supply as your identifier to your bank.
A proof of identity is made up of one or more pieces of evidence that can be relied on to demonstrate that the claimed identity is matched by the person or process presenting themselves for identification. It’s “something you are, something you have, or something you know.” The evidence should consist of items which, in conjunction with one another, can only be presented by the authorised user(s) whose identity is being claimed.
So, what is a fingerprint?
Is it a proof of identity?
Not as far as the Microsoft Fingerprint Reader (or any other low-resolution fingerprint reader) is concerned. Give me a couple of warm gummy bears, a freezer, five minutes, and the use of your finger, and I can produce a replica “finger” that will authenticate to the reader. What’s more, if someone can give me a glass door you’ve pushed open, or a cup or glass that you’ve held, within a couple of hours I can make as many gummy fingers as I need, that will all authenticate as you on any low-resolution reader. [I won’t go into the process here]. In more grisly methods, I don’t even have to go to all that effort.
Higher-quality fingerprint readers will look for a finger’s warmth (yeah, a warm gummy bear will beat you there), or pulse, translucency, capillary patterns, or other features that are supposedly only going to be present in a real finger attached to a live human, but those are expensive.
So, because this fingerprint reader is a basic one, a fingerprint alone is not, to it, evidence sufficient for a proof of identity. Combined with a guard manning the station, trained to check for gummy bears and severed fingers, and able to deny suspicious attempts, it may be enough, but that’s not its designed method of operation.
Is a fingerprint, then, a claim of identity?
Not in general, no. The fingerprint can be matched against stored fingerprints to see how closely it matches, but the fingerprint alone is not capable of generating the user ID, which is what you’d want. The fingerprint has to be almost exhaustively matched – this is why cops on TV seem to spend days getting a fingerprint match. It is very quick to say “here are two fingerprints, do they match” (which would be evidence of identity), but extremely slow to say “here’s a fingerprint, whose is it?”
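As an added illustration (not code from the original post), here is a toy Python model of the two questions just contrasted: a 1:1 verification that starts from a claimed username, and a 1:N identification that has no claim to look up and so must compare against every enrolled template. The minutiae sets, the threshold and the user names are constructed for the example, and the model also shows why the 1:N answer is a candidate list rather than a user ID.

```python
from typing import FrozenSet, List, Tuple

# A template is modelled as a set of (x, y) minutiae points. This is a
# constructed simplification for the example, not how any real reader encodes a finger.
Template = FrozenSet[Tuple[int, int]]

def similarity(a: Template, b: Template) -> float:
    """Overlap score in [0, 1]: minutiae shared by both prints over all minutiae seen."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

# Constructed enrolment database (not real data). alice and bob are deliberately
# given overlapping minutiae so that a single print need not map to exactly one identity.
ENROLLED = {
    "alice": frozenset({(1, 2), (3, 4), (5, 6), (7, 8), (9, 10)}),
    "bob":   frozenset({(1, 2), (3, 4), (5, 6), (7, 8), (11, 12)}),
    "carol": frozenset({(20, 21), (22, 23), (24, 25), (26, 27), (28, 29)}),
}
THRESHOLD = 0.6  # assumed accept threshold; a reader tunes this against false accept/reject rates

# Constructed probe: a clean capture of alice's enrolled finger.
PROBE: Template = frozenset({(1, 2), (3, 4), (5, 6), (7, 8), (9, 10)})

def verify(claimed_user: str, probe: Template, db=ENROLLED) -> Tuple[bool, int]:
    """1:1 question ("here are two prints, do they match?").
    The username is the claim of identity; the print is weighed as evidence
    with a single comparison. Returns (matched, comparisons_made)."""
    template = db.get(claimed_user)
    if template is None:
        return False, 0
    return similarity(template, probe) >= THRESHOLD, 1

def identify(probe: Template, db=ENROLLED) -> Tuple[List[str], int]:
    """1:N question ("here is a print, whose is it?").
    With no claim to look up, every enrolled template must be compared, and the
    result is a list of candidates, not a user ID.
    Returns (users scoring at or above threshold, comparisons_made)."""
    hits = [user for user, template in db.items()
            if similarity(template, probe) >= THRESHOLD]
    return hits, len(db)

if __name__ == "__main__":
    print("verify alice :", verify("alice", PROBE))   # (True, 1)
    print("verify carol :", verify("carol", PROBE))   # (False, 1)
    print("identify     :", identify(PROBE))          # (['alice', 'bob'], 3)
```

Even a perfect capture of alice's finger clears the threshold for bob as well, so the 1:N search cannot hand back a single identity, while the 1:1 check needed only the one comparison the claimed username pointed it to.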
Then there’s the issue of uniqueness.
I’ve searched and I’ve searched, and I’m surprised to find that there are as many as zero good scientific reviews of large fingerprint databases to check for uniqueness. So, when a “fingerprint expert” testifies that the fingerprint found at a crime scene matches the defendant, and the defendant only, they’re relying on a guess that hasn’t been reliably tested, and which has been proven false (or at least, badly collected and analysed) on some celebrated occasions:
[Note that these are culled from a very quick search of only one news agency’s recent output.]
Obviously, a fingerprint can be used to refute identity, in much the same way as “the suspect had red hair” will refute the identity of a suspect who does not have red hair, but there’s still significant doubt in my mind as to whether it can be relied upon in any way to prove identity – not without extra layers of evidence to increase the reliability.
Use other, more reliable, measurable, and provable means to protect your networks. Passwords – strong passwords – will serve you far better than a low-resolution fingerprint reader.