For those of us concerned with security, it seems like there is a never-ending race to produce security measures that are hard to crack. Currently the basis for human authentication relies on at least one of the following:
- Something you know (e.g., a password).
- Something you have (e.g., a smart card).
- Something you are (e.g., a fingerprint).
Multi-factor authentication has traditionally required more than one of these forms of identification to be presented to allow authentication, which can mitigate the compromise of one form of access. There are always issues around maintaining the security of these types of identification; passwords can be forgotten and smart cards can be stolen (or hacked).
Fingerprint data has traditionally had appeal as it has had the appearance of being difficult to hack – and you’re unlikely to forget your fingers or leave them behind on the train. Unfortunately, there are a number of relatively easy ways to get around that method of authentication, from good old-fashioned sticky tape to gelatine.
It seems now that neural networks have made the job of hacking fingerprint data a whole lot easier. A team of researchers has demonstrated that, with the help of neural networks, a “masterprint” can be used to fool authentication systems. A masterprint, like a master key, is a fingerprint that can be used to open many different doors. In this case, it does this by tricking a computer into thinking the print could belong to a number of different people.
So what could be used as alternatives? Bearing in mind that most of the physical world can be reduced to a series of ones and zeroes in the form of data, and that data can be copied, altered or approximated, it could be argued that this is ultimately doomed to failure, that the hackers will always catch up. There are a number of different methods of obtaining unique biometric data that are currently in play, e.g., iris scanning, that would be harder to manipulate than fingerprints.
But the benefits of using fingers to authenticate extend to the ease of use. Who wants the fun of providing authentication for a bank account with a retina scan when you’re in a bar? One alternative that I’ve come across which is not as easy to hack is FingoPay by a company called Sthaler. This company has created a form of authentication based on the vein pattern within your fingers. They claim that this pattern cannot be damaged, stolen or forged, unlike fingerprints. The vein pattern is scanned with a pulse of near-infrared light which is then converted into a personal digital key. Fingopay is currently used to authorise payment at a pilot venue (Proud Camden) and allows individuals to identify themselves, pay for drinks and food and access an event by using only their finger:
- Register a card to your finger.
- Use your finger to pay.
- Receive your receipt via email.
In my opinion, it is unlikely that any system can have a totally foolproof method of authentication. However, the emphasis is on the systems integrator or IT partner to ensure that the cost and risk associated with a chosen authentication method are managed appropriately, to allow methods appropriate to the importance of the data and the impact it will have if compromised.
Terence Stamp is a senior applications consultant at Capgemini.