[Posting on behalf of Roger Grimes]
Don’t Be Faked Out By Fingerprint Authentication
By Roger A. Grimes
It’s popular to believe that because each of our fingerprints is purportedly unique in the world, fingerprint authentication must give us really great authentication. Nothing could be further from the truth.
Are Fingerprints Globally Unique?
We aren’t even sure fingerprints are globally unique. It’s true that even twins have different fingerprints, but we don’t know for sure that fingerprints are truly, globally unique. I think there is substantial evidence to show that they are probably ALMOST globally unique. For example, the United States Federal Bureau of Investigation’s Integrated Automated Fingerprint Identification System (IAFIS) (https://en.wikipedia.org/wiki/Integrated_Automated_Fingerprint_Identification_System) stores over 31 million people’s fingerprints, and as far as I have heard, none of those prints has been identical to another.
But 31 million people’s prints are nowhere near the 7 billion people who make up the total population of the world. Until we have everyone’s prints, we won’t know whether two different people can have the same fingerprints. This PBS show (https://www.pbs.org/wgbh/frontline/film/real-csi) claims there has been at least one documented case where two people shared the same fingerprint.
Still, a single, publicly known match out of potentially tens to hundreds of millions of non-matches is pretty strong evidence that fingerprints are probably unique enough for us to trust them most of the time, especially when there is other corroborating evidence and other factors are present. We might even be able to trust them for digital authentication if it weren’t for the next fact.
Fingerprint Authentication is Highly Inaccurate
People who sell fingerprint authentication systems don’t want you to know this, but most of their systems have far higher false-positive and false-negative rates than what you have probably been led to believe. And it is tough to fix this problem.
First, every fingerprint authentication system has to capture an image of a person’s fingerprint, and no matter what technology they use, the fingerprint image is never completely accurate. It’s just a fact of life. Either it doesn’t capture all parts of the fingerprint or it overweighs or underweighs minute details of the fingerprint, in such a way that the captured fingerprint just isn’t 100% accurate.
They really don’t want to capture 100% accurate fingerprints anyway. Our fingerprints aren’t even the same day to day. Everyday use of our fingers produces micro-changes (e.g. small cuts, abrasions, melts, smears, etc.) to our fingerprints. So, if the fingerprint scanner is too finely tuned, it would pick up the minute changes and create too many false-negatives (where it doesn’t correctly recognize your fingerprint day to day). So, all fingerprint scanners are de-tuned to be less accurate. This produces more false-positives (where your fingerprint could be mistaken for another).
So, even though your fingerprint is ALMOST unique in the world, in the world of fingerprint authentication databases it is certainly NOT unique. How unique your fingerprint is within a particular fingerprint authentication database depends on who else’s fingerprints are in the system and how finely tuned the system is when taking fingerprint images. Remember, if it is too finely tuned, the system will not recognize your fingerprint when it should.
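The trade-off described above can be put into numbers. The following is an added example, not part of the original article: it models a matcher whose genuine and impostor comparison scores follow two constructed normal distributions, and shows how lowering the accept threshold reduces lockouts (false-negatives) while raising the chance that someone in a database of an assumed 500 enrolled people falsely matches someone else. The distributions and the database size are assumptions for illustration, not measurements from any real sensor.

```python
"""Model of the false-accept / false-reject trade-off in a fingerprint matcher.

The numbers below are constructed for illustration, not measured from any real
sensor: the matcher produces a similarity score in [0, 1]; genuine comparisons
(same finger, day-to-day variation) and impostor comparisons (different fingers)
each follow a normal distribution, and the system accepts when score >= threshold.
"""
import math

# Constructed score distributions (mean, standard deviation).
GENUINE_MEAN, GENUINE_SD = 0.80, 0.08    # same finger, captured on different days
IMPOSTOR_MEAN, IMPOSTOR_SD = 0.45, 0.10  # two different people's fingers


def _normal_cdf(x: float, mean: float, sd: float) -> float:
    """P(X <= x) for X ~ Normal(mean, sd)."""
    return 0.5 * (1.0 + math.erf((x - mean) / (sd * math.sqrt(2.0))))


def false_accept_rate(threshold: float) -> float:
    """Probability that one impostor comparison scores at or above the threshold."""
    return 1.0 - _normal_cdf(threshold, IMPOSTOR_MEAN, IMPOSTOR_SD)


def false_reject_rate(threshold: float) -> float:
    """Probability that a genuine comparison scores below the threshold (user locked out)."""
    return _normal_cdf(threshold, GENUINE_MEAN, GENUINE_SD)


def collision_probability(far: float, enrolled: int) -> float:
    """Probability that one enrollee's print falsely matches at least one of the
    other (enrolled - 1) enrolled prints, treating comparisons as independent."""
    return 1.0 - (1.0 - far) ** (enrolled - 1)


def tradeoff_table(thresholds, enrolled: int):
    """Rows of (threshold, FAR, FRR, P[collision in a database of `enrolled` people])."""
    rows = []
    for t in thresholds:
        far = false_accept_rate(t)
        rows.append((t, far, false_reject_rate(t), collision_probability(far, enrolled)))
    return rows


if __name__ == "__main__":
    # De-tuning (moving the threshold down) cuts lockouts but makes collisions likely.
    print(f"{'thresh':>6} {'FAR':>10} {'FRR':>10} {'P(collision, N=500)':>20}")
    for t, far, frr, pc in tradeoff_table([0.55, 0.60, 0.65, 0.70, 0.75, 0.80], 500):
        print(f"{t:6.2f} {far:10.2e} {frr:10.2e} {pc:20.3f}")
```

Because every enrollee is compared against everyone else, even a per-comparison false-accept rate that looks tiny turns into a large probability of at least one collision once a few hundred people are enrolled, which is why an administrator of such a system sees duplicate matches.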
In fact, at my current company, my index fingerprint “matched” someone else’s index fingerprint, and that was out of a company with just over 500 employees (at the time). To compensate, I had to submit a different finger (my middle finger) than everyone else. I’ve since learned this same “false-positive” match has happened to two other employees. So, we have three people in a single company with matching fingerprints.
This is not to dog my company’s fingerprint recognition system. This happens with all fingerprinting systems which get exposed to lots of fingerprints. You’ll have a hard time finding a fingerprint authentication administrator who hasn’t seen the same thing.
There are more accurate fingerprinting technologies, and all systems can be more finely tuned to detect differences, but remember that as accuracy is increased, so are false-negatives. I’ve been at a few high security buildings where it took the legitimate person trying to authenticate with their fingerprint 10 to 20 seconds of trying over and over to authenticate. I’ve been with a few people who had to give up and be verified using another authentication method.
I don’t even want to spend time on how each fingerprint system can be faked in multiple different ways (I’ve participated in two projects dedicated to detecting fingerprint authentication vulnerabilities) or what happens when your fingerprints are stolen (as mine were, along with those of over 1 million other people, in 2015 from a U.S. government agency (https://www.npr.org/sections/thetwo-way/2015/07/09/421502905/opm-21-5-million-social-security-numbers-stolen-from-government-computers)). How can your fingerprints ever be considered accurate for authentication purposes once they have been stolen by an adversary?
I don’t want to dog fingerprint authentication. All authentication techniques can be hacked one way or another. Just don’t believe that almost unique fingerprints mean strong authentication, because there is a world of difference.