Friday, April 21, 2017

Fingerprint security

Hardly anyone understands fingerprint security

Yesterday there was a post on slashdot about MasterCard adding fingerprint scanners to credit cards. Predictably, to me anyway, the post generated a host of dismissive comments saying it's a stupid idea... and in the process revealing that they do not understand biometric security. I replied at length, and, as I always do, thought "I really need to write a blog post to explain this, so in the future I can just post a link rather than typing a ton."

This is that blog post.

Claim: Fingerprint authentication is serious James Bond shizzle and it's totally secure.

No. No, it's not. See below.

Claim: Fingerprint authentication is insecure because you only have ten fingers, and when you've used them all you have no more new "passwords".

This is wrong, because it assumes that fingerprints (or other biometrics) are just a slightly different sort of password. They're not. Biometric authenticators are nothing at all like passwords; the security model is completely different. To understand how and why, we first need to understand the password security model.

Why are passwords secure? Passwords are secure when the attacker doesn't know them. That seems simple and obvious, but subtleties arise when you think about how an attacker might get them. There are two primary ways: stealing copies, and repeated guessing, also known as a "brute force search". These interact (in some cases the attacker can steal part and guess the rest), and there are many methods of optimizing both, but it all boils down to getting a copy, or guessing.

Suppose the attacker has obtained a copy of your password, without your knowledge. Your security is compromised, but now the attacker has a choice. He can change your password, lock you out of your own account/device and use it for his own purposes, or he can leave your password and make covert use of your account. In many cases, the attacker opts for the latter approach because the former is too noticeable and the account/device often quickly gets shut down. Or suppose the attacker has obtained a copy of your password but hasn't gotten around to using it yet. In either case, changing your password shuts off the attacker's access, closing the window of vulnerability.

There's another reason to change your password from time to time: to protect it against compromise by guessing. Depending on how the system is built, what information the attacker has to start with and the attacker's resources, the attacker will be able to make guesses at some rate. If you change your password before the attacker can guess it, the attacker has to start over. Another way to look at it is that as the attacker guesses, he gains knowledge about your password by learning what it is not. When you change your password, that knowledge is invalidated.

In a nutshell: Password security derives from password secrecy, and you remove whatever knowledge the attacker has when you change it (assuming you don't just change a character or two). Another way of looking at it is that password secrecy erodes over time, and rotation restores it.

But your fingerprints are not secret. You leave them on almost everything you touch. From a security perspective the only reasonable way to think about biometrics is that they are public information. We have to assume the attacker already has your fingerprints. In the case of smartphone or a credit card, odds are good that there are nice fingerprints on the device itself.

The purpose of password rotation is to restore eroding secrecy, but fingerprints aren't secret to begin with, so rotating would serve no purpose. It's completely irrelevant that you only have a limited number of fingerprints. Also, if fingerprint authentication security relies on the secrecy of non-secret information, it's broken. So either biometrics are just insecure or the security comes from something other than secrecy.

Claim: Fingerprints aren't passwords, they're usernames!

People who sort of recognize that fingerprints really aren't like passwords often fall into this trap, aided by some widely-shared blog posts like this one. This idea that fingerprints are identifiers seems to be buttressed by the fact that the criminal justice system often uses fingerprints to identify people (except it really doesn't). So if fingerprints don't seem to fit the model of passwords, maybe they're usernames?

No. They're not. Biometrics are lousy identifiers. Good identifiers should have uniqueness guarantees; biometrics don't. Good identifiers should always either match or not match; biometric matching is fuzzy, and every match is a judgement call. If your database of potential identities is at all large, this fuzziness invokes an interesting little statistical fact known as the Birthday Paradox.

In the context of birthdays, the paradox goes like this: Suppose you're at a party with 30 people. What are the odds that two of them have the same birthday? Most people guess that the odds are low, since there are many more days in the year than people. Actually, assuming uniform distribution of birthdays (no days more likely than others), there is a 71% chance that at least one same-birthday pair exists. If you can get someone to give you an even-odds bet at such a party (and you know the other person doesn't have knowledge of the attendees' birthdays), take it. You may lose (29% chance) but over the course of a few such parties you're guaranteed to come out ahead.

Why is the probability of a match so high? While there are only 30 people at the party, there are 30 × 29 = 870 pairs of people, and still only 366 days. That's a very handwavy justification; see the Wikipedia article for the math if you're really interested.

What does this have to do with biometrics? Well, birthdays are one way of classifying people into sets, and biometrics are another.

If you think about the space of all possible fingerprints then my right index finger is a point in that space. There may in fact be no other person with a finger occupying that same point. But measurement of fingerprints is imprecise, so a fingerprint matcher actually accepts any point sufficiently close to my finger as being my finger. How close is close enough?

It's a tradeoff. A very tight bound means that very often when I put my finger on the scanner, the matcher will say it's not close enough to mine to be me. This is a false reject, and the rate at which it happens is called, sensibly enough, the false reject rate, or FRR. A very loose bound means that often when someone else puts their finger on the scanner, the matcher will say it's close enough to be me. This is a false accept, and the rate is the FAR. Tuning the bound allows trading FAR for FRR and vice versa.
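To make the tradeoff concrete, here is an added example (mine, not from the original post or any scanner vendor) that sweeps the matching bound over a handful of constructed similarity scores. The scores, the 0-to-1 similarity scale and the "accept if score is at or above the threshold" rule are all assumptions for illustration; real matchers use their own score distributions and thresholds. Raising the bound drives FAR down and FRR up, and the point where the two rates meet is the usual "equal error rate" summary of a matcher.

```python
# Constructed similarity scores (0 = no resemblance, 1 = identical) from an
# imaginary matcher. These are made-up sample values, not data from any real
# scanner. "Genuine" = the enrolled person's own finger presented to the
# scanner; "impostor" = somebody else's finger compared against that enrollment.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.86]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.41, 0.55, 0.18, 0.72]


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for a matcher that accepts any score >= threshold.

    FAR: fraction of impostor attempts that were wrongly accepted.
    FRR: fraction of genuine attempts that were wrongly rejected.
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def tradeoff_table(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep the bound: a list of (threshold, FAR, FRR) rows showing FAR
    falling and FRR rising as the bound tightens."""
    return [(t, *far_frr(t, genuine, impostor)) for t in thresholds]


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FAR and FRR are closest (the equal error rate point).

    Every observed score is a candidate bound, so no useful threshold between
    two scores is skipped by a coarse grid.
    """
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        far, frr = far_frr(t, genuine, impostor)
        return abs(far - frr)

    return min(candidates, key=gap)


if __name__ == "__main__":
    print(" bound   FAR   FRR")
    for t, far, frr in tradeoff_table([0.3, 0.5, 0.6, 0.7, 0.75, 0.8, 0.9]):
        print(f"{t:>6.2f}  {far:.2f}  {frr:.2f}")
    eer_t = equal_error_threshold()
    print(f"equal error rate reached at bound {eer_t:.2f}: FAR/FRR = {far_frr(eer_t)}")
```

With these ten-and-ten scores the loose bound of 0.5 accepts three impostors and rejects nobody genuine, the tight bound of 0.75 accepts no impostors but rejects one genuine attempt, and the two error rates cross at 0.72. In a real deployment the same sweep is run over thousands of trials, and the operator picks the bound according to which error is more costly for that system.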

So, for any given bound, within the space of all fingerprints there is a set of people with prints who match me, and I them, though not every time because remember that the scanning process is imprecise. It's not quite the same as the very crisp categorization of birthdays, but it's close enough, and it's definitely the case that the Birthday Paradox applies.

Of course, fingerprint matchers distinguish much more finely than birthday categorization. Common systems have FAR values of 1:50,000 or less, whereas birthdays are 1:365.2425. But people want to create databases with far larger numbers than attend a party. If you have a database with 1,000 people in it, you have 999,000 pairs of people in your database and that 1:50,000 FAR looks pretty skimpy. Bump this up to databases with millions, or hundreds of millions, or billions of people and the FAR would have to be impossibly low to reliably and uniquely identify every one of them.
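The arithmetic behind both the party and the database is worth running rather than hand-waving, so here is an added example (mine, not from the post) that computes the birthday probability exactly and then applies the same pair-counting logic to a biometric database. It counts each two-person pair once, n(n-1)/2, and treats every pair as an independent trial that cross-matches with probability FAR; that independence is a simplifying assumption for illustration, not a property of any real matcher. `far_required` inverts the calculation to show how small the FAR must be before a database of a given size can identify people by fingerprint alone with a chosen collision risk.

```python
import math

DAYS_IN_YEAR = 365  # the post's birthday setting; leap days ignored


def birthday_collision_probability(n_people, days=DAYS_IN_YEAR):
    """Exact probability that at least two of n_people share a birthday.

    Multiplies the chance that each successive guest avoids every birthday
    already taken, then takes the complement.
    """
    if n_people > days:
        return 1.0  # pigeonhole: more people than days guarantees a shared day
    p_all_distinct = 1.0
    for k in range(n_people):
        p_all_distinct *= (days - k) / days
    return 1.0 - p_all_distinct


def unordered_pairs(n):
    """Number of distinct two-person pairs among n people, n(n-1)/2."""
    return n * (n - 1) // 2


def cross_match_probability(n_enrolled, far):
    """Probability that at least one pair of enrolled people cross-match.

    1 - (1 - far)^pairs, computed with log1p/expm1 so that tiny FARs and huge
    pair counts do not lose precision in floating point.
    """
    pairs = unordered_pairs(n_enrolled)
    return -math.expm1(pairs * math.log1p(-far))


def far_required(n_enrolled, max_collision_probability):
    """Largest per-pair FAR that keeps P(any cross-match) at or below the bound.

    Solves 1 - (1 - far)^pairs <= bound for far; the result is how good the
    matcher would have to be to use fingerprints as unique identifiers.
    """
    pairs = unordered_pairs(n_enrolled)
    return -math.expm1(math.log1p(-max_collision_probability) / pairs)


if __name__ == "__main__":
    print(f"30 guests, P(shared birthday) = {birthday_collision_probability(30):.4f}")
    for n in (30, 1_000, 1_000_000):
        p = cross_match_probability(n, 1 / 50_000)
        print(f"{n:>10,} enrolled at FAR 1:50,000 -> P(some pair cross-matches) = {p:.6f}")
    for n in (1_000, 1_000_000, 1_000_000_000):
        f = far_required(n, 0.01)
        print(f"{n:>13,} enrolled, P(collision) <= 1% needs FAR <= {f:.3e} (about 1:{1 / f:,.0f})")
```

Thirty guests give the post's 71% (0.7063 exactly). Thirty enrolled people at a FAR of 1:50,000 have under a 1% chance of any cross-match, which is why the scanner on a single phone or card works fine; a thousand people are already almost certain (99.995%) to contain at least one cross-matching pair, and holding the collision risk to 1% across a billion people would need a FAR around 1 in 5×10^19, far beyond anything a fuzzy physical measurement delivers.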

With usernames we address this problem by enforcing uniqueness. If you try to create an account with an already-taken username, the system demands that you pick a different username. We can't do that with biometrics.

So biometrics in general, and fingerprints in particular, are not good usernames.

Claim: Fingerprints are bad usernames (not unique, fuzzy) and bad passwords (not secrets), so fingerprint authentication is useless.

This is also wrong. This view implicitly assumes that the only possible authentication security model is the password model, which relies on secrecy. It's not. The reason passwords have to be secret is because if the attacker knows the password, the attacker can present the password to "prove" his identity. Biometrics are different. Merely knowing what your fingerprint looks like does not enable the attacker to present it to the system. More is required... and that more is the source of security provided by biometrics.

So... just how hard is it for an attacker to fake your fingerprint? It depends. On a lot of things. Can the attacker bypass the scanner and provide a digital image of your fingerprint directly to the matcher? If so, then the fingerprint is a password, and we've already seen that fingerprints are not secret. But, systems can and do implement countermeasures to prevent this attack, such as having the scanner cryptographically sign the images it sends and having the matcher reject any that don't have the correct signature. Plus, this sort of attack requires hardware hacking that is beyond the skill level of many potential attackers (I'll come back to this point).
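The signing countermeasure is simple enough to show end to end. What follows is an added example (mine, not from the post or any product) of a scanner that authenticates each capture to the matcher, and a matcher that refuses anything not bearing that authentication. It assumes an HMAC-SHA256 tag over a shared per-device key standing in for whatever signature scheme a real sensor uses, a toy exact-equality "match" in place of fuzzy comparison, and, going one step beyond the post, a capture counter so that a recorded signed capture cannot simply be delivered a second time.

```python
import hashlib
import hmac
import os

TAG_LEN = 32      # SHA-256 output size
COUNTER_LEN = 8   # capture counter, big-endian


class Scanner:
    """Stands in for the sensor hardware.

    Holds a per-device key (assumed to live in sensor firmware; generated in
    memory here) and tags every capture together with a counter that only
    ever increases.
    """

    def __init__(self, device_key):
        self._key = device_key
        self._counter = 0

    def capture(self, image_bytes):
        self._counter += 1
        counter_bytes = self._counter.to_bytes(COUNTER_LEN, "big")
        tag = hmac.new(self._key, counter_bytes + image_bytes, hashlib.sha256).digest()
        return counter_bytes + image_bytes + tag


class Matcher:
    """Checks the tag and the counter before looking at the image at all, so
    an image that did not come from the paired scanner, or a capture that was
    delivered before, is dropped without ever reaching the comparison step."""

    def __init__(self, device_key, enrolled_image):
        self._key = device_key
        self._enrolled = enrolled_image
        self._last_counter = 0

    def verify_capture(self, message):
        if len(message) < COUNTER_LEN + TAG_LEN:
            return None
        counter_bytes = message[:COUNTER_LEN]
        body, tag = message[COUNTER_LEN:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self._key, counter_bytes + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key, altered bytes, or no real tag at all
        counter = int.from_bytes(counter_bytes, "big")
        if counter <= self._last_counter:
            return None  # an earlier capture delivered again
        self._last_counter = counter
        return body

    def authenticate(self, message):
        image = self.verify_capture(message)
        if image is None:
            return False
        return image == self._enrolled  # toy matcher: exact equality


def demo():
    """Run the genuine path and the failure paths; return a dict of outcomes."""
    key = os.urandom(32)
    finger = b"constructed-ridge-pattern-of-the-enrolled-finger"  # stands in for an image
    other = b"constructed-ridge-pattern-of-somebody-else"
    scanner, matcher = Scanner(key), Matcher(key, finger)
    results = {}
    results["genuine"] = matcher.authenticate(scanner.capture(finger))
    results["other_finger_signed"] = matcher.authenticate(scanner.capture(other))
    # Image delivered without the scanner's tag: the bypass the post describes.
    results["unsigned_injection"] = matcher.authenticate(
        b"\x00" * COUNTER_LEN + finger + b"\x00" * TAG_LEN)
    # A genuine tagged capture delivered twice.
    recorded = scanner.capture(finger)
    results["first_delivery"] = matcher.authenticate(recorded)
    results["second_delivery"] = matcher.authenticate(recorded)
    # A tagged capture with one image byte altered in transit.
    altered = bytearray(scanner.capture(finger))
    altered[COUNTER_LEN + 4] ^= 0x01
    results["altered"] = matcher.authenticate(bytes(altered))
    results["genuine_again"] = matcher.authenticate(scanner.capture(finger))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>20}: {'accepted' if ok else 'rejected'}")
```

Only captures that carry a valid tag and a fresh counter reach the comparison step; the known-but-public print, delivered without the scanner's tag, is rejected before its contents matter. The key must be provisioned into the sensor and matcher in a way the attacker cannot read, which is exactly the kind of hardware work the post says is beyond most attackers.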

If the attacker can't inject digital data directly, that means he must somehow create a fake fingerprint and get the scanner to accept it as a real one. Scanners implement some "liveness detection" countermeasures that attempt to make this difficult, with varying degrees of success. (Liveness detection also hopes to defeat the more gruesome stolen-finger attack). Again, though, creating a fake finger that will work takes some skill and some effort which is beyond the capability of many attackers. In addition, getting it right often requires some trial and error, especially if the attacker doesn't actually know the fingerprint to use, but only has a set of prints lifted from surfaces you touched, some of which may not be yours, and some of which may be yours, but not the right finger.

In some contexts, stronger countermeasures can be implemented. For example, military access control systems that use biometric authentication often have an armed guard who is trained to look for finger fakery. This makes using a fake (or stolen) finger harder and increases the consequences of failure. Luckily for him, the systems Mr. Bond encounters always seem to be unattended, or attended by an easily-subdued guard.

Claim: Fingerprint authentication isn't useless in all circumstances, but the way it has to be implemented in a smartphone or a credit card or a personal computer makes it useless.

Fingerprint security depends not on secrecy but on the difficulty of presenting a known fingerprint that is not the attacker's own. How hard that is depends on the details of the system. Whether that is hard enough depends on the attacker: motivation, tolerance for risk and ability. What sorts of attackers are interested in defeating authentication is determined by how much value they find in defeating it. If the fingerprint auth is the only thing protecting a billion dollars, or nuclear weapons, or any other very high-value target (to some attacker), then motivation, risk tolerance and ability will all be high. If it's protecting my contact list... not so much. Especially since if the attacker can drum up some plausible reason for needing to know my contact list, he can just ask me (this is called social engineering).

So, how valuable is a credit card? A few thousand dollars at the outside, and there are non-trivial risks and difficulties in getting that money and getting away with it. There are certainly people willing to brave the risks for the rewards, but they tend not to be people with high levels of technical skill or a taste for the tedious, detailed work required to lift good prints and make good fake fingers. Those sorts of people can generally acquire thousands of dollars in risk-free, socially-approved ways. Some choose not to, but they're very unusual.

Also, you have to consider what the fingerprint authentication is replacing, because this is an augmentation of an existing, well-understood and reasonably well-functioning system. What is it replacing? Essentially... nothing. The US does not use chip-and-PIN so the only form of user authentication we have now is signature. Which is nothing. No one checks it, and no one knows how to check it if they want to, except at the crudest level. So in the context of credit cards, fingerprint authentication is an unambiguous improvement, as long as the existing backend-based risk management systems are retained.

What about smartphones? Their value varies tremendously. At the low end, there is the resale value of the device itself. At the high end, they may contain immensely valuable secrets. Donald Trump's Twitter password can move stock markets. Larry Page's email likely contains the details of multi-million dollar acquisition proposals. Somewhere in between the low and high end, attackers are willing and able to hack hardware and fake fingers.

But, again, you have to consider the alternative. At the low end, the majority of smartphones without fingerprint scanners have no password, and so no security at all, other than some degree of care to retain physical possession. People don't password their phones because it's inconvenient to enter a password many times per day. Others are willing to put up with a little inconvenience in the name of security so they use a password, but choose a very weak one, easily guessed or shoulder-surfed. Or if they choose a middling password (basically no one chooses a good one for their phone), they set the lockscreen timeouts to be very high so that they don't have to enter it often — very convenient for the attacker who finds/steals the device.

For the vast majority of smartphone users, then, a fingerprint is an unambiguous improvement in the security of their device.

Bottom line:

Biometric authentication is not perfect, nor is it useless. It works differently from password authentication and has a different security model with different tradeoffs. Whether it's workable for a particular context depends on the details; you have to understand the security model and analyze the situation in detail, considering risks, the expected sorts of attacker, and alternatives. And it's actually pretty good for most smartphone users and most credit card holders.
