Fingerprints are not safe
Passwords are difficult to remember. Across the hundreds of websites and applications I use on a daily basis, I find myself regularly having to spend an afternoon working through my encrypted spreadsheet full of passwords just to keep up-to-date, which is why I decided last year to make the switch to LastPass.
Last pass is a fantastic Chrome web browser extension that allows me to store the username and password for all of my favourite sites in one place. This shift was definitely convenient; however, it was also rather scary because if my laptop was stolen with LastPass active, all my information would be very easy to get access to, which naturally left me wanting a better solution.
This year I received my iPhone5s and thought that at least on my phone I would soon be able to do away with most of my passwords in exchange for the new fingerprint sensor technology that is included with many newer phones.
I therefore decided to investigate my options and found that there were some major issues with using my fingers as a password:
Fingerprints are not secret
Every time you touch something, you leave a near invisible copy of your password on it, including your mouse, keyboard, laptop, phone and probably everything on your desk.
Fingerprints are actually fairly easy to lift if you know how and to do so requires less than R100 worth of materials that are available at any hardware store.
Fingerprints are unrecoverable
Unfortunately, with your fingerprint there is no such thing as a reset option. Once your fingerprint is compromised, that is it. This means that once a copy of your fingerprint is obtained, a hacker can get into any of your current fingerprint-secured devices plus any other device you purchase in future. Some companies or organizations store employees’ fingerprints online which can be dangerous, as was seen in early 2015 when over 5.6 million fingerprints were stolen from US government employees.
Fingerprints are not hashable
Another problem with fingerprints is that they are not ‘hashable’. Hashing makes passwords strong and, without it, fingerprint protection is much weaker. Fingerprints aren’t hashable because ‘close is good enough’, and this needs to be the case. If I press my finger harder into one reader than into another, or swipe differently, or have a cut, I still want the reader to accept my fingerprint. Close matches are a fact of life with human flesh and real-world scanners. But a fingerprint with a tiny flaw will hash into something entirely different from the reference version.
After weighing-up all of the points above, I have concluded that I am going to stick to old-fashioned typed passwords and I don’t recommend you using your fingerprint as a password – they are not secret, recoverable or secure to store. What are your thoughts on the subject? Comment on social media with #FingerprintSecurity or #OnlineSecurity.