[cryptography] Generating passphrases from fingerprints

Marsh Ray marsh at extendedsubset.com
Sat Dec 4 17:18:45 EST 2010


On 12/04/2010 03:08 PM, Jens Kubieziel wrote:
> Hi,
>
> recently I had a discussion about biometric data. The following problem
> occurred:
> Assume someone wants to register at a website. He swipes his finger over
> his fingerprint reader. The reader generates a strong passphrase from the
> fingerprint and other data (hostname of the targeted site, user name
> etc.) and creates a strong password. This will be the user's login
> password. Every time the user wants to log in again he swipes his finger
> over the reader, password is generated again and sent to the site.
>
> We were not sure if it is possible to generate the same passphrase again
> and again.

Even if it were...what do you do when it gets compromised?

How would the site (or the user) ever change it?

How would the site prove to the user that the user wasn't delegating the 
authority to the site to use that fingerprint credential at any other 
site that used that technology?

> Does anyone know if such systems exist?

The local parks and rec dept went with a fingerprint scanner. They 
insisted on taking the fingerprints of everyone who joined the community 
pool, adults and children alike. They said people wouldn't need member 
ID cards any more because fingerprints didn't change as you age. They 
went back to the old system within a season or two.

> Will generating the
> passphrase work?

There's probably a way to generate something unguessable and repeatable 
out of a fingerprint.

A passphrase needs to also be secret though and fingerprints are not. I 
printed my fingers onto at least a half-dozen glasses yesterday and gave 
them out to untrusted wait staff without a second thought.

Your system would need a way to make them secret.

> I'd be glad to hear some opinions about this.

The technology to do something with fingerprint auth has existed for 
decades. There's no inherent reason it should be any more difficult than 
a simple credit card reader terminal is. But for a variety of reasons, 
fingerprint auth hasn't exactly taken off:

1. Fingerprints aren't secrets and it's relatively easy to forge them.

2. They're hard as heck to revoke or change, and you're only issued a 
few of them at birth. This is why they're better for catching criminals 
than for authenticating logins.

3. They're difficult to "bind" to a specific transaction from the user's 
point of view. A customer might be willing to sign a check and give you 
money. But they'd be reluctant to sign a blank piece of paper (carte 
blanche).

So it seems like they have very similar biometric properties to
old-fashioned signatures made by hand with a physical stylus, and they suck
as a form of authentication. We have signatures on checks and signature 
pads for credit card transactions, but they're more of a ritual than an 
actual authentication. I can't remember the last time anyone actually 
looked at my signature and have never heard of anyone's transaction ever 
being rejected for a bad match.

Additionally, in America at least, having one's fingerprint taken is 
associated with being arrested for a crime. For example, IIRC, there 
were some laws requiring police to delete prints of people if they were 
later not convicted. So fingerprinting is tantamount to accusing someone 
of being a criminal suspect. Not something a merchant wants to do to a 
customer at the point they have the credit card out in their hand.

- Marsh
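
The scheme discussed in this thread, sketched as an added example (not code from either poster): a password derived from a fingerprint reading plus hostname and user name, showing where repeatability breaks, why the print alone is enough to reproduce it, and how a device-held secret makes it changeable. The feature vectors, bucket size, names and secrets are constructed assumptions.

```python
import base64
import hashlib

def quantize(features, step=8):
    """Bucket each feature value so small sensor noise maps to the same byte."""
    return bytes(v // step for v in features)

def derive_password(features, hostname, username, device_secret=b""):
    """Derive a per-site password from a reading plus the site and user name."""
    context = f"{hostname}\x00{username}".encode()  # binds output to one site/account
    key_material = quantize(features) + device_secret
    raw = hashlib.pbkdf2_hmac("sha256", key_material, context, 100_000, dklen=18)
    return base64.urlsafe_b64encode(raw).decode()

# Constructed sample readings (0-255 feature values), not real biometric data.
ENROLLED = [34, 121, 77, 200, 15, 98, 163, 52]
NOISY_OK = [35, 122, 76, 201, 14, 99, 162, 53]    # every value stays in its bucket
NOISY_EDGE = [34, 121, 80, 200, 15, 98, 163, 52]  # 77 -> 80 crosses a bucket edge
LIFTED = list(ENROLLED)                           # same print read off a drinking glass

def demo():
    site, user = "example.org", "alice"           # hypothetical site and account
    base = derive_password(ENROLLED, site, user)
    old_secret, new_secret = b"device-secret-v1", b"device-secret-v2"
    with_secret = derive_password(ENROLLED, site, user, old_secret)
    return {
        # Repeatability holds only while noise stays inside the buckets.
        "repeatable_with_small_noise": derive_password(NOISY_OK, site, user) == base,
        "repeatable_at_bucket_edge": derive_password(NOISY_EDGE, site, user) == base,
        "distinct_per_site": derive_password(ENROLLED, "example.net", user) != base,
        # Without a secret, whoever holds the print holds the password.
        "print_alone_reproduces": derive_password(LIFTED, site, user) == base,
        "print_alone_reproduces_with_secret":
            derive_password(LIFTED, site, user) == with_secret,
        # Rotating the device secret is the only way to "change" the credential.
        "rotation_changes_password":
            with_secret != derive_password(ENROLLED, site, user, new_secret),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Plain bucketing is used here only to show why exact repeatability is fragile; error-tolerant constructions such as fuzzy extractors address that part, but not the secrecy or revocation problems.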


