March 23, 2006
Are fingerprint scanners better for security? Better not have Silly Putty around
From Coding Horror, Jeff talks about a problem we all have ... what is my login name and/or password. If I had a dollar for every time I had to request/reset a password on a system and two for the number of times I needed the username too ... I'd be a wealthy guy. Right now people are talking about (including IBM/Lenovo with some new ThinkPads) using fingerprint scanners. Carry your password with you they say ... sounds great but ...
One particular pitfall is the idea that your fingerprint is a secure substitute for your password. This review of a typical USB fingerprint reader illustrates just how foolish that misconception is:
The jelly fingertip peeled off the putty very easily, as you'd expect - clean, cold Silly Putty doesn't stick very well to anything but itself. The gelatine was full of bubbles from my stirring, but the jelly thumb nonetheless had a pretty good complement of print-ridges on it.
Ugly and bubble-y the jelly thumb was, but the scanner loved it. It thought the jelly finger was a real one more than 50% of the time. And since you can attempt recognition about once a second, that means it'd be trivially easy to log in with a thing like this, even with people watching. Trim the jelly so it fits over the end of your real finger, and some very rudimentary prestidigitation will keep your fakery from the attention of onlookers.
I also found it was possible to enroll the jelly thumb as a new finger. It took me four attempts to do it, and its recognition rate wasn't any better than when I was trying to match it to my real finger. But that's still quite good enough to be useable in an, um, covert situation.
Oops. Jeff hopes new InfoCard solutions will help. I hope so, because my piece of paper is getting mighty crowded.
Tags: passwords, security, InfoCard
Posted by Tris Hussey on March 23, 2006 | Permalink




