What is more secure biometrics or password?

The common turn of phrase “without lifting a finger” is quickly becoming obsolete. In today’s society, it seems that all one has to do is lift a finger. With a few taps on our phones, we can shop online, pay our bills, and even contact people halfway around the globe. This phrase might be better suited to modern day if it were changed to “by only lifting a finger.” Nowadays, our fingers are serving an entirely new purpose. Thanks to biometrics and the endorsement of tech giants like Apple and Samsung, fingerprints are quickly replacing passwords as the most popular method of securing our devices. After all, why bother to remember a password when you can simply use your finger, without having to remember a thing? Also, a fingerprint seems more secure; after all, no two individuals have the same fingerprint, right? In reality, however, using fingerprint recognition in place of a strong password can be dangerous. The truth of the matter is that a strong password is much safer than any fingerprint.

The History of Fingerprint Identification

Using fingerprints as a means of identification has been around since the late nineteenth century. Sir Francis Galton discovered that certain aspects of fingerprints could help to identify a human being. These points, known as Galton Points, are still used in modern fingerprint identification technology. According to a document published by the Federal Bureau of Investigation (FBI), the FBI first began working with NIST, the National Institute of Standards and Technology, to automate fingerprint identification in 1969 (USA, p. 100-101).

As technology improved, so did the FBI’s fingerprint recognition systems. In 1981, the Automated Fingerprint Identification System (AFIS) had been created. Later, in 1994, the Integrated Automated Fingerprint Identification System (IAFIS) was created specifically for the use of the criminal justice system. IAFIS stores information on the fingerprints as well as some biographical information. This system is still in use today to aid in criminal investigations and contains over 47 million subjects (USA, p. 101).

As this technology developed further, it began to be incorporated in commercial products. In 2011, Motorola released a phone called the Atrix, which was the first phone to include a fingerprint reader. Two years later, in 2013, Touch ID was incorporated into the Apple 5s, and has since been incorporated in every new generation of the iPhone (Greenberg, 2013). Fingerprint recognition software is not limited to Apple phones either. iPads, laptops, and even the Starbucks app are also allowing consumers to forgo those cumbersome passwords and replace them with fingerprint identification.

How It Works

To understand the vulnerabilities that come with fingerprint recognition software, it is important to understand how the software works. Although each brand’s system is slightly different, they all use the same basic concepts. According to an article by Alonso-Fernandez et al., “The main modules of a fingerprint verification system are: a) fingerprint sensing…b) preprocessing… c) feature extraction… and d) matching” (p. 53). Fingerprint sensing is when the raw data for the fingerprint is gathered. Essentially, this is what happens when a user places their finger on their device multiple times in order to capture their fingerprint.

There are three different types of fingerprint sensing. Solid-state sensors, also known as silicon sensors, are made up of pixels arranged in a way that converts the ridges and valleys of a fingerprint into an electrical signal which is then stored on the device (Alonso-Fernandez, p. 54). To clarify, the ridges of a fingerprint are the raised portions and the valleys are the indented portions. In the image below, the ridges are represented by the black portions, and the valleys are represented by the white.

The second type of fingerprint sensing is optical sensing. In this type of sensing, “The finger touches a glass prism and the prism is illuminated with diffused light. The light is reflected at the valleys and absorbed at the ridges” (Alonso-Fernandez, p. 54).  The third and final type of fingerprint sensing is ultrasound. Ultrasound sensing collects data on the fingerprint using acoustic signals. By recording the echoes of the signals, the sensor is able to record and store the fingerprint for future reference (Alonso-Fernandez, p. 54).

Preprocessing enhances the fingerprint captured during sensing so that it can later be matched to a user’s finger, by identifying distinctive markers known as minutiae. Essentially, minutiae are the places where ridges either end, known as ridge-ending minutiae, or divide, known as ridge bifurcation minutiae. After preprocessing comes feature extraction, during which more distinctive features of the fingerprint are recorded and enhanced. The image of the fingerprint is then turned into a binary code and encrypted so that the device can recognize it and quickly compare it to a user’s finger, which results in a matching score. Based on the matching score, the system will either allow or deny access to the device (Alonso-Fernandez, p. 55-58).
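To make the matching step concrete, here is a simplified sketch added for illustration; it is not code from the cited chapter or from any vendor. It assumes the two prints are already aligned, and the minutiae coordinates, tolerances, and the 0.6 threshold are constructed values.

```python
import math

# A minutia is (x, y, ridge direction in degrees, kind).
# Constructed sample data, not real fingerprint measurements.
ENROLLED = [(10, 12, 90, "ending"), (25, 40, 45, "bifurcation"),
            (33, 18, 180, "ending"), (48, 52, 270, "bifurcation"),
            (60, 30, 135, "ending"), (72, 64, 10, "ending")]
# Same finger on a later touch: small noise, one minutia missed by the sensor.
SAME_FINGER = [(11, 13, 92, "ending"), (24, 41, 47, "bifurcation"),
               (34, 17, 176, "ending"), (49, 50, 268, "bifurcation"),
               (61, 31, 139, "ending")]
# A different finger that happens to share one similar minutia.
OTHER_FINGER = [(15, 60, 30, "ending"), (40, 22, 200, "bifurcation"),
                (33, 19, 182, "ending"), (70, 10, 95, "ending"),
                (55, 45, 300, "bifurcation")]


def angle_diff(a, b):
    """Smallest difference between two directions, in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def matching_score(template, probe, dist_tol=4.0, angle_tol=15.0):
    """Fraction of minutiae paired one-to-one within the tolerances (greedy)."""
    unused = list(probe)
    paired = 0
    for x, y, ang, kind in template:
        for cand in unused:
            cx, cy, cang, ckind = cand
            if (kind == ckind and math.hypot(x - cx, y - cy) <= dist_tol
                    and angle_diff(ang, cang) <= angle_tol):
                unused.remove(cand)  # each probe minutia may be used only once
                paired += 1
                break
    return paired / max(len(template), len(probe))


def verify(template, probe, threshold=0.6):
    """Allow access only when the score reaches the (assumed) threshold."""
    return matching_score(template, probe) >= threshold


if __name__ == "__main__":
    for name, probe in (("same finger", SAME_FINGER), ("other finger", OTHER_FINGER)):
        print(name, round(matching_score(ENROLLED, probe), 2), verify(ENROLLED, probe))
```

Unlike a password check, which is an exact comparison, the decision here is a similarity score compared against a threshold, so two touches of the same finger never need to be identical to be accepted.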

Vulnerabilities of Fingerprint Recognition Systems

The fact of the matter is that fingerprint scanners are not invulnerable. The biggest problem with fingerprint recognition software is that it often fails to tell a real finger from a fake one. If someone could gain access to a user’s fingerprint, or even a general, similar fingerprint, they could potentially create a fake finger that could trick the scanners. In fact, Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada, and Satoshi Hoshino (2002) did just that. Their experiment found “…that gummy fingers, namely artificial fingers that are easily made of cheap and readily available gelatin, were accepted by extremely high rates by particular fingerprint devices with optical or capacitive sensors” (p. 1).

Another weakness of using fingerprint recognition as opposed to a strong passcode is the fact that your finger is a part of your body. While it is true that no two fingerprints are alike, fingerprints also cannot be changed. So, for example, should a criminal be able to create a fake finger like the ones from the Matsumoto et al. study, they would have access to everything. A compromised password can be changed; a compromised fingerprint is still a fingerprint for life.

In a similar vein, passwords allow users to use different variations for each device, account, and website they log on to. Fingerprint recognition does not allow for this. If you use fingerprint identification on your laptop, phone, and Starbucks app, then if your fingerprint is compromised all of those would be compromised. It would be a one stop shop for any criminal.

Additionally, people unwittingly leave their fingerprints everywhere. They cannot help it; their fingerprint is a part of them. It is essentially like leaving your password written on a sticky note everywhere you go. Anyone, with a little bit of patience, can get access to your individual fingerprint.

One of the most important vulnerabilities to consider with regard to fingerprint recognition software is its lack of protection under the Fifth Amendment. The Fifth Amendment of the Constitution protects US citizens from self-incrimination. As a result, it has been ruled that the government cannot force people to reveal memorized PIN numbers or passcodes. Fingerprints, however, because they do not give away anything in your mind, are not protected under this amendment (Waddell, 2016). In an interview with Time magazine, Marcia Hoffman, an attorney for the Electronic Frontier Foundation, explained: “‘If you are being forced to divulge something that you know, that’s not okay,’ … ‘If the government is able through other means to collect evidence that just exists, then they certainly can do that without stepping on the toes of the constitutional protection’” (Linshi, 2014).

In a 2014 court case in Virginia, a judge ruled that it is constitutional for police to get a warrant to force people to unlock their smartphones with their fingerprint. In a 2016 article in The Atlantic, there is a story about a woman who was the girlfriend of an alleged member of an Armenian gang. She was sentenced for identity theft, and in a matter of 45 minutes the authorities had a warrant forcing her to unlock her phone, although it was unclear what they were looking for (Waddell, 2016).

The Downside of Using Passwords and Why You Still Should

The choice to refrain from using fingerprint recognition is not without its downsides. For one thing, fingerprint identification systems are much faster and much more convenient than passwords. You do not have to remember any long strings of letters, numbers, and characters, nor worry that your password may not be strong enough. Additionally, it seems unlikely that criminals would be willing to take the time to create a fake finger that would work specifically with a single device. Regarding the lack of protection under the Fifth Amendment, many would say that since they have nothing to hide, they have nothing to fear.

The point about speed and convenience is absolutely true. Passwords are more cumbersome, and can be more difficult to remember. However, the extra time is worth the extra security. A good password can be much more secure than a fingerprint and, if done correctly, not too difficult to remember. Whereas a fingerprint cannot be changed, a compromised password can.

As to whether or not criminals would be willing to take the time to replicate a fingerprint, it is not as difficult as one might think. Using cheap and readily available materials such as gelatin or play dough, criminals could easily replicate a fingerprint. In an article on The Verge, a website that specializes in technology, the difficulty of hacking past the fingerprint on an iPhone 6 and a Galaxy S6 Edge was described as “…just a little harder than steaming open a letter” (Brandom, 2016).

As fingerprint recognition and biometrics become more and more common, criminals will have more incentives to attempt to fake fingerprints. There are already plenty of methods readily available to trick a fingerprint reader. They range from as simple as a dental mold filled with play dough to recreating the fingerprint of the German defense minister using only a high-resolution image of her hand (Brandom, 2016).

The argument that people who have nothing to hide should have nothing to fear from the lack of protection under the Fifth Amendment is common, but fails to consider the implications of such a statement. If we do not stand up for our rights because we “have nothing to hide” then when do we stand up for them? What is there to prevent them from being taken away from us? Even if one has nothing to hide, would it not be better to voluntarily give up a password than to have someone else force your finger to a screen? It may seem a bit morbid, but take a moment to consider that a person has to be alive to give you a password, not to unlock a phone with their finger.

On the whole, a good, strong password is more secure than fingerprint recognition software. Fingerprints cannot be altered if they are compromised, nor can they be altered between different accounts or devices. Fingerprint scanners can be easily hacked, even with everyday items such as play dough. Fingerprint scanners are not protected under the Fifth Amendment, and although a password can be harder to remember, it can also be more difficult to guess. Below, I have a list of tips and tricks that can help make your passwords stronger and better.

Tips and Tricks for Creating a Strong Password

  • Use long passwords
  • Always try to avoid names, places, and common dictionary words
  • Avoid commonly used passwords like “password”, “123456”, or “qwerty”
  • Turn a sentence into a password by using the first letter of each word in the sentence
    • For example: “I really need to get a good password” = Irn2gagp
  • Use a password generator
    • This one allows you to play with the settings and generates phrases to help you remember it: https://passwordsgenerator.net/
  • For more ideas on how to create a strong and memorable password, check out https://lifehacker.com/four-methods-to-create-a-secure-password-youll-actually-1601854240
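
The tips above can be turned into a small tool. The following is an added example, not code from any of the linked sites: it applies the sentence trick, generates a random password from the operating system's secure random source, and checks a password against the list. The 12-character minimum, the "for" → "4" substitution, and the function names are assumptions made for illustration.

```python
import math
import secrets
import string

# The three examples named in the tips; a real check would load a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty"}
# Assumed word-to-digit substitutions; the example in the tips only uses "to" -> "2".
SUBSTITUTIONS = {"to": "2", "for": "4"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def sentence_to_password(sentence):
    """First letter of each word, with the substitutions above applied."""
    return "".join(SUBSTITUTIONS.get(w.lower(), w[0]) for w in sentence.split())


def generate_password(length=16):
    """Draw every character from the OS CSPRNG via secrets, not random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password; not valid for human-chosen ones."""
    return length * math.log2(alphabet_size)


def check_password(password, min_length=12, dictionary=frozenset()):
    """Return the tips the password violates; an empty list means it passes."""
    problems = []
    if len(password) < min_length:  # min_length is an assumed policy value
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used")
    if password.lower() in dictionary:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    print(sentence_to_password("I really need to get a good password"))
    pw = generate_password()
    print(pw, check_password(pw), round(random_entropy_bits(len(pw)), 1), "bits")
    print(check_password("qwerty", dictionary={"london"}))
```

The entropy figure only describes passwords drawn uniformly at random, such as the generated one; a sentence-derived password is only as unpredictable as the sentence behind it.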

Works Cited

Alonso-Fernandez, F., Bigun, J., Fierrez, J., Fronthaler, H., Kollreider, K., & Ortega-Garcia, J. (n.d.). 4. Retrieved November 26, 2017, from http://dexal2.hh.se/staff/josef/publ/publications/alonso-fernandez09chapter.pdf.

Brandom, R. (2016, May 2). Your phone’s biggest vulnerability is your fingerprint. The Verge. Retrieved November 26, 2017, from https://www.theverge.com/2016/5/2/11540962/iphone-samsung-fingerprint-duplicate-hack-security.

USA, US Department of Justice, FBI. (n.d.). Fingerprint Recognition (pp. 100-109). Retrieved November 26, 2017, from https://www.fbi.gov/file-repository/about-us-cjis-fingerprints_biometrics-biometric-center-of-excellences-fingerprint-recognition.pdf/view.

Greenberg, A. (2013, September 11). Motorola Bashes Apple’s iPhone Fingerprint Reader, Forgets It Sold One First. Forbes. Retrieved November 26, 2017, from .

Lee, K. (2014, July 08). Four Methods to Create a Secure Password You’ll Actually Remember. Retrieved November 26, 2017, from https://lifehacker.com/four-methods-to-create-a-secure-password-youll-actually-1601854240.

Linshi, J. (2014, November 6). Why the Constitution Protects Passwords But Not Fingerprint Scans. Retrieved November 26, 2017, from http://time.com/3558936/fingerprint-password-fifth-amendment/.

Matsumoto, T., Matsumoto, H., Yamada, K., & Hoshino, S. (2002). Impact of artificial “gummy” fingers on fingerprint systems. Optical Security and Counterfeit Deterrence Techniques IV, 4677. doi:10.1117/12.462719.

Waddell, K. (2016, May 3). Police Can Force You to Use Your Fingerprint to Unlock Your Phone. The Atlantic. Retrieved November 26, 2017, from https://www.theatlantic.com/technology/archive/2016/05/iphone-fingerprint-search-warrant/480861/.

Is biometrics the most secure?

These staggering statistics are leading many businesses and individuals to adopt biometric authentication, as it has been established as the most secure authentication method, surpassing passwords and PINs.

What are the benefits of biometrics over passwords?

Many experts today argue that because biometric identifiers are unique to everyone, biometric identification is ultimately more secure than traditional passwords, two-factor authentication, and knowledge-based answers.

Will biometrics replace passwords?

More businesses are replacing passwords with fingerprint recognition because each fingerprint is unique and remains unchanged for a lifetime. Biometric authentication provides a more secure alternative to traditional passwords.

Why are fingerprints better security than passwords?

Fingerprint recognition trumps PIN- and password-based authentication methods in terms of security. It isn't easy to hack a fingerprint scanner, and recent developments in scanning technology have further improved its security.