Lock Picking 101 Forum
A community dedicated to the fun and ethical hobby of lock picking.
biometric (fingerprint) locks

European hardware -lever locks, profile cylinders specific for European locks. European lock picks and European locks.

Postby sledge-it » 17 Nov 2004 20:57

Has anyone had any dealings with fingerprint recognition locks?
Are they reliable? Are any BS 3621 rated?
quod erat demonstrandum.
sledge-it
 
Posts: 35
Joined: 9 Nov 2004 18:48
Location: uk london

Postby 32768 » 17 Nov 2004 21:20

I don't know about certification, but the inexpensive ones are notoriously easy to fool. They also have high false positive (opening for the wrong finger) and false negative (not opening for the right one) rates.

I think Bruce Schneier had something in Crypto-Gram about these.

Also, check out this as a starting point:
Impact of Artificial "Gummy" Fingers on Fingerprint Systems
Matsumoto, et al., Yokohama National University, 2002
http://cryptome.org/gummy.htm
This paper reports that gummy fingers, namely artificial fingers that are easily made of cheap and readily available gelatin, were accepted by extremely high rates by particular fingerprint devices with optical or capacitive sensors. We have used the molds, which we made by pressing our live fingers against them or by processing fingerprint images from prints on glass surfaces, etc. We describe how to make the molds, and then show that the gummy fingers, which are made with these molds, can fool the fingerprint devices.
32768
 
Posts: 101
Joined: 14 Aug 2004 18:55
Location: Philadelphia, PA

Postby sledge-it » 18 Nov 2004 15:48

Thanks for the info and the link.
I can see these types of lock being the future, but it looks like they have a little way to go! Not to mention the price! I saw one on eBay for £600!
quod erat demonstrandum.
sledge-it
 
Posts: 35
Joined: 9 Nov 2004 18:48
Location: uk london

Postby sj » 18 Nov 2004 19:18

Fingerprint locks are useless, as are all biometric based locks. The problem is that biometrics are not secret, you leave your fingerprints everywhere, and your iris pattern anywhere you get your photo taken. There is no way for a computer to tell the difference between a real biometric and a fake.

The only time they can be used is when there is a well trained person looking carefully at the use of the sensor, and even that can fail. Fingerprints can already be changed in an undetectable manner, and it wouldn't be hard to make a fake iris-code contact lens. There are proposals to do "liveness detection" and tell the difference between real eyes/fingers and fakes but these can trivially be broken.
sj
 
Posts: 57
Joined: 23 Oct 2004 9:52
Location: UK

Postby 32768 » 18 Nov 2004 21:10

The other problem is that you can only change the combination on your fingerprint lock ten times. Fewer if you're a middle school wood shop teacher. Retinas are even worse...
32768
 
Posts: 101
Joined: 14 Aug 2004 18:55
Location: Philadelphia, PA

Postby sledge-it » 19 Nov 2004 9:42

Had to laugh at that woodshop teacher line!
So basically they are no good, except for perhaps some low security applications, and even then the cost makes them a non-starter. The lock version of Betamax!
quod erat demonstrandum.
sledge-it
 
Posts: 35
Joined: 9 Nov 2004 18:48
Location: uk london

Postby PickPick » 19 Nov 2004 13:18

The problem is that with every product I've seen until now, the companies apparently don't understand how to use biometrics correctly (which is amazing if you consider development costs for these toys).
While you can't use fingerprints as secrets/passwords obviously, because they're not secret after all, they make a decent identifier/username to use in combination with a pin or passphrase, a secret code that is carried in your head and nowhere else. While I still don't think these would be ok for high security, they offer the great advantage that you can't forget your fingers at home. But in no way can biometrics be used as a stand-alone key.

Btw, a nice new technique for falsifying fingerprints was published recently by the Chaos Computer Club:
http://www.ccc.de/biometrie/fingerabdru ... anguage=en
It's not the tools that open the lock. It's me.
PickPick
 
Posts: 389
Joined: 11 Mar 2004 3:12
Location: Germany

Postby sj » 19 Nov 2004 14:34

PickPick wrote:While you can't use fingerprints as secrets/passwords obviously, because they're not secret after all, they make a decent identifier/username to use in combination with a pin or passphrase, a secret code that is carried in your head and nowhere else.


They add a little bit of strength, but not very much - just extending a password by a couple of letters would be as good. For low security purposes where passwords are unacceptable they may have limited use. Where they can work is attended situations, because someone can make sure that you are presenting a real biometric rather than a fake. Putting fingerprint readers on laptops and phones is just an expensive novelty, there are better solutions (passwords and physical keys, maybe mechanical, probably electronic).

Where biometrics are used for serious purposes, like entry control, someone is always watching you, but even that is not always effective. For example the CCC technique doesn't involve any suspicious behaviour, and if someone comes up with a similar technique for iris codes there will be problems. There are ways of defending against the CCC technique, which rely on looking at the spectral characteristics of the finger, but I would not be surprised if this can be broken soon.
sj
 
Posts: 57
Joined: 23 Oct 2004 9:52
Location: UK

Postby alias » 20 Nov 2004 5:35

They use a fingerscan system at a place I used to work to monitor sign on and sign off times and I'm trying to convince a friend who still works there to get me a copy of the boss' fingerprint so I can knock up a bunch of dummy prints.

The system was notoriously bad at producing false negatives but appearing to have accepted the scan and the boss used to blame us for not scanning on and off so the plan would be to give a copy of the boss' print to everyone who works there and get them to sign him on or off every time they walk past the machine. I'd just love to see his face and hear his explanation for why he signs on and off 20 times a day! :)

"Now Paul, you really only need to sign on when you get to work and then again when you're leaving - not every time you walk past the machine"

Hell, with the ridiculous bureaucracy in that place I could make one of my own print and get my friend to swipe me on and off a couple of times a week and they'd probably still pay me - now there's an idea!! 8)
alias
 
Posts: 117
Joined: 23 Jul 2004 21:07
Location: Sydney, Australia

Postby Pickey » 21 Nov 2004 15:54

There's also another form of Biometric security that is being implemented in some major airports and banks and other high security places, it's called HandKey. This system is supposed to use "field-proven" hand geometry technology that maps and verifies the size and shape of a person's hand; while also recognizing the lines and loops/whirls in a person's hand.
Pickey
 
Posts: 75
Joined: 21 Nov 2004 13:45
Location: USA

Postby sj » 21 Nov 2004 17:07

Pickey wrote: There's also another form of Biometric security that is being implemented in some major airports and banks and other high security places, it's called HandKey. This system is supposed to use "field-proven" hand geometry technology that maps and verifies the size and shape of a person's hand; while also recognizing the lines and loops/whirls in a person's hand.


The same principle applies to this as it does to fingerprint readers. It needs to be carefully watched while in use. In both of those places a security guard can be watching and press a button if there is something suspicious, but on an unattended door lock a synthetic hand could be used.

Locks like this also have the problem that one way to defeat them is to cut off a user's finger/hand. While it may be more secure than a key, in some circumstances, at least you can hand a key over if threatened. It is like the Chip+PIN system in the UK, which is decreasing card forgery, but increasing cases where people are mugged for their card then the PIN is beaten out of them.
sj
 
Posts: 57
Joined: 23 Oct 2004 9:52
Location: UK

Postby sledge-it » 21 Nov 2004 18:55

I suppose pulling a severed hand out of a plastic 'Sainsbury's' bag and flopping it onto a scanner would look a little suspicious! Though you could just say it's a spare key you've just had cut!
I know these devices are expensive at the moment and are almost all used in a commercial setting, but what about in the future?
As the price drops and they become more reliable, may they not eventually start appearing on household doors instead of a cylinder lock? The security value would be the same. (A mortice lever lock is normally an added security measure to a nightlatch.)
Just think. Less keys to carry. No more having the door slam behind you and you can't get back in. It is just possible.
quod erat demonstrandum.
sledge-it
 
Posts: 35
Joined: 9 Nov 2004 18:48
Location: uk london

Postby ^kimba^ » 22 Nov 2004 5:14

I beg to differ. We used a combined 42-bit HID prox card and finger biometric on our data centre door, and a retina scanner and pin on the entrance into the server cage.

The biometric tests for heat, a pulse and slight moisture, so it's hard to use anything but skin on the plate. It also has a VERY low false positive, and sometimes even the valid user has to try a second time to gain entry.

The retina scanner is the same used by Dutch Passport Control who now use it for express entry and exit through their airports. It is VERY accurate, and can easily detect subject's distress (duress entry/tricker) and various other tales within a particular scan.


If you think you know a way to fool it, let me know and I will try it out for you, but it's not like Entrapment/Charlie's Angels II or any other Hollywood movie, it's the real deal, and very secure.
^kimba^
 
Posts: 43
Joined: 1 Sep 2004 9:21
Location: London, UK

Postby sj » 22 Nov 2004 5:38

For the fingerprint scanner, try variants of the gummy finger trick. This goes over your real finger so the pulse and heat will be there. Maybe it uses other properties, but these could be easily faked by adding chemicals to the mix.

For the iris scanner, take a photo of the eye you want to fake, cut out the pupil and hold it up to your own eye. The liveness detector looks at the pupil whereas the code is off the iris. Another technique successfully used is to film the iris and use a small LCD monitor to present it to the detector.

These both take a bit of practice to get right, but have been done.

I don't know about the HID card in particular, but these can all be broken using the wormhole technique. The bad ones (like Cotag) just send out the same number each time, and can be broken trivially with simple electronics. The better ones (like Mifare) are challenge response, but the problem is that an attacker could follow someone with the card and at the same time have someone go up to the door using a replay device, this gets the challenge from the door, sends it to the person following the card and gets the response back. It then sends the response from the card to the door.

As for the PIN number, if only one PIN number is used then dusting the keypad for fingerprints will tell you the digits, then you can try them out. If the PINs are not randomly generated you can be reasonably confident of getting a 4 digit PIN in three tries (people tend to choose increasing numbers and lines on the keypad).

Of course there may be other ways to get in, bypassing the sensor, like directly signalling the locking mechanism or brute force.

I haven't been through Dutch passport control, but in the UK all the proposals involved the biometric sensors being at manned posts.
sj
 
Posts: 57
Joined: 23 Oct 2004 9:52
Location: UK
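
The difference between fixed-number and challenge-response cards described in the post above, as an added example that is not part of the original thread: it shows why a fresh challenge makes a recorded transmission worthless while a live relay to the genuine card still verifies. The HMAC-SHA256 construction, key, card number and class names are assumptions made for illustration and do not model Cotag, Mifare or HID products.

```python
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed-demo-key"  # constructed secret shared by card and reader
CARD_ID = b"0042"                   # constructed fixed card number


class StaticReader:
    """Fixed-number scheme: the card sends the same bytes every time."""
    def verify(self, transmission: bytes) -> bool:
        return hmac.compare_digest(transmission, CARD_ID)


class ChallengeResponseReader:
    """Issues a fresh random challenge for every access attempt."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # each challenge is good for one attempt only
        return hmac.compare_digest(response, expected)


def card_respond(challenge: bytes) -> bytes:
    """What the genuine card computes when handed a challenge."""
    return hmac.new(CARD_KEY, challenge, hashlib.sha256).digest()


def run_scenarios() -> dict:
    static, cr = StaticReader(), ChallengeResponseReader(CARD_KEY)
    results = {"static_replay": static.verify(CARD_ID)}  # recorded number, sent again
    recorded = card_respond(cr.challenge())  # response to an earlier challenge
    cr.challenge()                           # door now issues a new challenge
    results["cr_replay"] = cr.verify(recorded)
    live = cr.challenge()                    # relay: live challenge reaches the real card
    results["cr_relay"] = cr.verify(card_respond(live))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The relayed response is cryptographically valid, so the reader's check alone cannot tell it apart from the card being at the door.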

Postby Pickey » 22 Nov 2004 16:11

sj wrote: As for the PIN number, if only one PIN number is used then dusting the keypad for fingerprints will tell you the digits, then you can try them out. If the PINs are not randomly generated you can be reasonably confident of getting a 4 digit PIN in three tries (people tend to choose increasing numbers and lines on the keypad).


Dusting wouldn't always work, there are many places that actually have the keypads wiped off.
Also, you never know if some doofus that worked at the place accidentally hit a wrong button or two, so more numbers could come up :?
Pickey
 
Posts: 75
Joined: 21 Nov 2004 13:45
Location: USA
