The Myth of Fingerprints
The news just keeps getting worse for Federal government employees. On the cusp of another morale-destroying, productivity-sapping, meaningless government shutdown, the Office of Personnel Management announced last week that the recent Chinese hack of its systems included over 5.6 million fingerprint records.
On the face of things, it would appear that this is the most serious and potentially damaging aspect of the breach. Fingerprints are increasingly used by Federal agencies as a way to access buildings, I.T. systems, and mobile devices of all kinds. OPM has offered credit monitoring services to all employees whose information was stolen – a mitigating strategy that will probably be enough to protect against further use of the data.
Fingerprints are different, though. Unlike passwords and other forms of authentication, fingerprints can’t be changed. If someone has your fingerprint, they can “become” you.
Or so the thinking goes. The reality of using a stolen biometric “in the wild” is far more complex.
Using someone else’s fingerprint requires the ability to reproduce it. That involves recreating the physical contours in sufficient detail. Since many biometric features measured by modern equipment are invisible to the naked eye, a high level of technical skill is needed. Since fingerprints are flexible, it’s also important to use the right materials – not always an easy task.
Then there’s the deployment problem. Most biometric equipment now contains built-in software designed to detect fraudulent indicators. These include “liveness detection”, which ensures that the user is presenting a genuine biometric indicator rather than a created substitute. Many biometric systems deployed today depend on more than one factor to confirm a subject’s identity – you may have a false fingerprint, but do you also have an iris from the same person? Or do you know their ever-changing password as well?
Perhaps the biggest problem in using stolen biometrics is the issue of templates. Biometric equipment doesn’t verify identity based on a picture of your fingerprint. It matches against a digital template derived from your fingerprint. So if you have a picture of someone’s fingerprint, that’s only half of the equation – you would have to know how to properly encode (and encrypt) that fingerprint image into a template that the software would accept. Since most templates are matched at the device level, in many cases the matching device itself would also have to be compromised.
Clearly, the Chinese government is motivated enough to steal fingerprint records – it must have some use in mind. The Chinese government may even have the resources to overcome the significant technological and logistical hurdles necessary to exploit those records.
At the same time, the probability that any one Federal worker would find their identity permanently hacked is extremely low. The technological safeguards and barriers to exploitation are simply too high. In the long term, biometric technology is such a rapidly changing field that security measures are likely to take forms which render the possession of another person’s biometrics moot.
Some perspective is also in order. Biometrics may not be completely hack-proof, but they remain head and shoulders above the alternatives. Passwords have proven to be disastrously insecure, and biometrics represent an easy-to-use replacement that many companies are already starting to adopt. To be sure, the danger of stolen fingerprints makes for good copy. But in terms of security, those fingerprints are still a solid bet.