Why fingerprints should not be used for access control

December 31, 2014 mitch tanenbaum

A presentation at the Chaos Communication Congress (a large hacker convention in Hamburg, Germany that attracted about 10,000 visitors this year – sort of, kind of, like Defcon here) demonstrated the ability to reproduce fingerprints of a target subject from just photographs. Reports in PC Magazine say that the researcher, Jan Krissler, took photographs of Ursula von der Leyen, Germany’s Federal Minister of Defense, while she was speaking in public. From those photographs he was able to create fingerprints.

Of course, having the fingerprints is not very useful unless you have a use for them – like a stolen iPhone or perhaps a door system that is controlled by a fingerprint reader.

It has been known for a long time that you could lift fingerprints off a smooth surface like a glass that the target used, but this is the first time that I am aware of that fingerprints have been recreated from a photograph.

Lets assume that, unlike Apple Pay, that you have to use your fingerprint plus a PIN. If so, having the fingerprint doesn’t totally compromise the system but it reduces the security of the system down to that of a PIN, which is not very good.

Unlike a password which can be different for different purposes, using your fingerprint would be the same for different purposes, increasing the damage from the crime of a stolen fingerprint. In theory, you could use all 10 fingers, but do you really think people are going to remember which finger they used for each web site? Didn’t think so.

Therefore, the big problem is how do you go about requesting a new fingerprint after your old one is compromised? Not quite sure about that one.

Apple, to their credit, wanted something that was easy to use. Unfortunately, most of the time, easy to use means easy to compromise. And sometimes, it also means, hard to recover from that compromise.

Mitch