Identification by fingerprint is a bad idea for security, but a great idea for Security Theater and for wasting money. If your goal is to waste as much money as possible or to give an illusion of security then you might as well stop reading now.
Using biometrics such as fingerprints for identification is good for security theater because it is easy to understand, is physical, and can be dramatic. It is used often in movies and television to add drama and visual flair. It is common to watch a crime drama where investigators use special tools and expert skill to carefully lift fingerprints from a crime scene. Often the drama has a scene where the found fingerprint is matched to a print on file with a computer.
“We have match! We found our perp!”
Another place where biometrics are used in dramatic fiction is where the protagonist is shown entering a super-secret, highly secure facility. Our hero presents his or her eye to a laser for a retina scan1 or hand for a hand scan. In the movie The Bourne Identity, Jason Bourne gets a full hand scan to capture his fingerprints to identify him before he is granted access to his assets in numbered bank box. That is a fun scene and shows how Bourne can access his assets without a memory for pass-phrases, etc. It is easy for us to recall these scenes from movies and television and associate biometric authentication factors with strong security. This association makes biometrics great for security theater but, of course, does not make biometrics good for actual security.
A part of a song comes to mind. The lyrics goes something like “Money Money Money Money!”. Great theater can mean great potential for making money. The Transportation Security Administration (TSA) has used all kinds of expensive new equipment in their security efforts. The effectiveness and safety of said equipment and procedures are actively debated. It is however, important that the TSA appear to be doing something new and different or the traveling public might start asking uncomfortable questions. It is easy to accept biometrics as useful security since it is reinforced so often in popular media fiction. The security theature used by the TSA is a whole different subject that deserves, at least, its own article. Security expert Bruce Schneier has spoken volumes on this issue. If the subject interests you, check what Bruce has written.
Well that is the theater aspect, lets get back to biometrics. If you work as a licensed professional, that is to say, you work in some profession that is controlled by a government entity such that you are required to obtain permission, in the form of a license (see Licensure), then you may be required to provide this entity with your fingerprints. This concept of licensure smells like a scam to me, but then I admit that I do not understand it. It seems to me like its whole purpose it to make government seem important, or perhaps to control competition in profitable professions, or both. I suppose it is like getting knighted by your servants, in this case public servants, in order that you may prove that in addition to knowing how to practice medicine, or wash hair or whatever, you also know how to please the State. How grand it is to be knighted…
So why not capture biometric data for licensing? If you want to work as a licensed professional you will need to comply with whatever hair-brained requirement is asked of you. I understand that to renew a nursing license in Texas, at the time of me writing this article, one must provide a full set of fingerprints from both hands! What great security theater! Why not a retina scan and a stool sample too? Perhaps those will implemented in the future. What is especially nice is the money that can be made from getting these fingerprints. I applaud MorphoTrust for being so well connected to the State(s) and opportunistic to profit from State fingerprinting requirements. Make an appointment online, pay your money and then they will take handle the intensely difficult job of putting your hands in ink then pressing them to paper. Is a ceremony involved? I hope at least that they have a cha-ching sound every time they press your hand to paper. I wonder if these people are licensed?
Fingerprints are good for security theater, have potential for extracting money from licensed professionals, but what about their use as an authentication factor2? There are many smart folks who have devoted significant time and money to determine just how unique different biometric authentication factors are, and if you want the details you can find them proudly displayed all over the web. To simplify this lets just assume that something like your fingerprint is unique.
How do you expect that a fingerprint would be used? In the case of a professional license, do you think that perhaps the fingerprint would be digitized and stored in a database? Perhaps this print would then be compared with prints already stored in the database? This means that your very unique information is stored someplace outside of your physical control. Who has access to this information? How safe is this from unauthorized access, say from an identity thief? How long is this information stored? How do you know that your digitized fingerprint is correctly associated with your data? What do you think could happen to you if somehow your information got associated with a different set of prints? What happens to your information after it is no longer needed for authentication?
The most important problems with using biometric factors for authentication are the following.
- Problem of Scope
- Typically one would not want to use an authentication factor in one place that is identical to one used in another place because if the factor becomes compromised, then all places employing the factor will be compromised. An authentication factor’s use should be confined to one place so that it is targeted to the specific need. Some uses require better or different quality factors than others.
- Problem of Longevity
- A biometric factor such as a fingerprint should be persistent for one’s entire life. This expands the time that such a factor can be compromised beyond the typical need for the authentication. Imagine if your fingerprint was used to authenticate you for entrance to your place of employment. Most people do not stay employed with the same employer for their entire lifetime. If all employers authenticate employees using fingerprints then with each new employer, one would leave one’s fingerprint history with a prior employer for which authentication is no longer required. How well would one expect an employer to protect the biomentric data of former employees? Another example would be the fingerprint scanner on a company laptop. What happens to the stored representation of one’s fingerprint when the laptop is returned to the employer? The fingerprints may not be stored in the same place as the user’s files. Would every employer know or care to properly destroy this information on reciept of such a laptop?
- Problem of Compromise
- This is related to the Problem of Longevity, but deserves its own explanation. When a traditional authentication factor, such as a pass-phrase, is compromised, then one may simply take steps to invalidate the compromised factor and replace it with a fresh one. This is not feasible with a biometric factor such as fingerprint. Getting new fingers when one’s fingerprints are compromised is simply not realistic. One might think that a biometric factor like a fingerprint can not be compromised. This is incorrect. Biometric factors can and are compromised just like any other factor. Recall that to check the fingerprint pressed on a scanner, there must be a digitized and version to compare against. So to compromise a biometric factor one need not have any physical contact with an actual finger. All that would be needed would be to get a copy of digitized version then trick the scanner into reading a match. There are other ways to defeat biometrics, but that is not in the scope of this article.
Biometric identification such as use of a fingerprint scan is great for creating the illusion of security without actually providing true security. Because its use is dramatic, simple and reinforced in popular media, it is widely accepted and thus has good profit potential. What you can do to protect yourself is to avoid services that rely on biometrics for authentication. If you need a fingerprint to rent a car, perhaps you can find different transportation. Lets focus on actual security and leave the illusions to magicians.