The Register had a nice article about a real-world demonstration of why biometrics aren’t the security panacea that so many security practitioners (and vendors) would like to believe.
They start with the question: who does Wolfgang Schauble call to get his fingerprint reset?
A hacker club has published what it says is the fingerprint of Wolfgang Schauble, Germany’s interior minister and a staunch supporter of the collection of citizens’ unique physical characteristics as a means of preventing terrorism.
As has been debunked more times than I care to link to, terrorists are pretty much never anonymous, but rather tend to be “sleepers” until they act. That’s irrelevant here, though, because I want to look at the inherent weakness of fingerprints as an authentication mechanism:
“The whole research has always been inspired by showing how insecure biometrics are, especially a biometric that you leave all over the place,” said Karsten Nohl, a colleague of an amateur researcher going by the moniker Starbug, who engineered the hack. “It’s basically like leaving the password to your computer everywhere you go without you being able to control it anymore.”
Today, fingerprints are sold to the world as “strong” authentication, but only because no one has really begun using them for value-added activities. Just like the now-infamous Social Security Number, which was simultaneously a semi-public personal attribute and the password for accessing a person’s potential lines of credit, so will the fingerprint die a similar death if it ever begins to gain acceptance as an authenticator for financial transactions.
Going back into history, once upon a time a man’s word was his bond. More recently, a signature, usually combined with a belief by the lender in the character of the borrower, was adequate to borrow money. That standard, in turn, went by the wayside as the FICA score took hold. Now, we live in a world filled with identity theft/fraud-by-impersonation driven by automated “instant credit” for anyone with a state ID card and the matching Social Security number.
The fingerprint will be next, once the value is there. The problem here is the over-reliance on authentication while ignoring the potential for additional compensating controls in the process, such as out-of-band confirmation of the request and the same degree of reasonableness checking that credit card issuers perform to identify potentially fraudulent transactions. For instance, why would it make sense to approve instant credit at a Best Buy in Chicago for someone who lives in Texas? (And maybe this is done today, but it wasn’t when I used instant credit to buy appliances during a move a few years ago. It didn’t set off alarm bells when it should have.)
Pay-by-Touch, the company that was trying to use fingerprint authentication for point-of-sale transactions, has failed because of (I suspect) poor user acceptance–all their scanners had hand-written “no longer available” signs taped over them at the grocery store last weekend.
Now, does that mean that we should abandon fingerprint readers entirely? No. They’re potentially useful in many ways; I just don’t think that this is one of them.
Instead, let’s think about the risks that are mitigated and created by using a fingerprint as an authentication factor, given its aptly-noted characteristic that, again, “It’s basically like leaving the password to your computer everywhere you go without you being able to control it anymore.” We tell people, “Don’t write your password on a sticky note and leave it on your computer,” yet with fingerprints, they do exactly that all day, every day, by virtue of using the device.
The effectiveness of biometrics to mitigate authentication risk can be broken down into two factors, proximity and selection. An attacker remotely and randomly “rattling doors” looking for weak authentication mechanisms (e.g. blank, trivial, or default passwords) is going to get stopped by a biometric authentication system. But, let’s be honest, he’s also going to be stopped by some basic good security practices such as a password complexity requirement and changing all default passwords. So the incremental benefit here is pretty much zero for what’s still a fair amount of effort (although this will continue to drop over time).
Now, let’s consider the opposite case, an attacker in physical proximity to a targeted user. That’s the high-impact scenario, and the one which CCC effectively simulated–and highlighted the weaknesses of fingerprints as a biometric authenticator. In this case, the effective countermeasure–wearing gloves at any time except when authenticating–is not feasible. So the risk will be accepted. There is no other option.
We may understand that a fingerprint may be better than a password alone when it comes to protecting a low-value resource, but worse-than-useless (because of its immutability) when protecting a high-value target where the effort is worthwhile. Unfortunately, this distinction will be swept under the rug by vendor hype as they attempt to maximize the potential market for their products. And when that happens, we will all lose.
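The compensating controls argued for above (reasonableness checking and out-of-band confirmation) and the low-value/high-value distinction can be combined into one approval decision in which a fingerprint match is necessary but never sufficient on its own. This is an added example, not part of the original post; the field names, the 500-dollar threshold and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed cut-off above which a factor that cannot be reset is not trusted alone.
HIGH_VALUE_USD = 500.0

@dataclass
class CreditRequest:
    home_state: str             # where the applicant's file says they live
    store_state: str            # where the request is being made
    amount_usd: float
    auth_factor: str            # e.g. "fingerprint" or "password"
    factor_matched: bool        # result of the authentication step
    oob_confirmed: bool = False  # confirmed over a channel already on file

def reasonableness_flags(req: CreditRequest) -> list:
    """Return the reasons this request deserves more than authentication."""
    flags = []
    if req.store_state != req.home_state:
        flags.append("out_of_state")
    if req.amount_usd >= HIGH_VALUE_USD:
        flags.append("high_value")
    if req.auth_factor == "fingerprint":
        # A copied fingerprint cannot be rotated the way a password can.
        flags.append("non_revocable_factor")
    return flags

def decide(req: CreditRequest) -> str:
    """Authentication gates the request; the flags decide whether it is enough."""
    if not req.factor_matched:
        return "deny"
    flags = reasonableness_flags(req)
    risky = "out_of_state" in flags or (
        "high_value" in flags and "non_revocable_factor" in flags
    )
    if not risky:
        return "approve"
    return "approve" if req.oob_confirmed else "hold_for_oob_confirmation"

if __name__ == "__main__":
    # Constructed sample: Texas resident requesting credit in an Illinois store.
    sample = CreditRequest("TX", "IL", 1800.0, "fingerprint", True)
    print(reasonableness_flags(sample), decide(sample))
```
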
I only wonder whether the fingerprint will die a deserved death as an authentication mechanism before or after it’s widely-enough adopted to have allowed significant damage.
As an afterthought, consider the implications once someone takes a fingerprint card and converts that image into something that will fool a scanner–assuming it hasn’t already been done. Think about the millions of people who have had their fingerprints taken, and they tend to be the tails of the population distribution along the security/risk axis–people with criminal records at one end and people with clearances at the other. I’m not going to ponder the implications of that right now, since it’s more of a social and civil liberties issue, only note the possibility.