By DPA
Darmstadt (Germany) : Police are not the only ones taking fingerprints these days. Starting on Nov 1, fingerprint data will even be stored in the passports issued by many countries.
As fingerprints are unique, they have also drawn attention from manufacturers of equipment designed to limit access to computers.
After all, pressing your fingertip against a reading device is simpler than learning and inputting a password. But are fingerprint sensors really more secure? The answer is both yes and no.
The bad news first: practically every fingerprint system currently on the market can be circumvented.
“There are many instructions on the internet about how to create fakes,” says Christoph Busch from the Fraunhofer Institute for Graphics Data Processing in Darmstadt, Germany.
It’s a “relatively simply exercise”, he says, to successfully masquerade as another identity in front of the sensors.
You just need to get your hands on a fingerprint taken from a glass, CD case, or disc. Together with a bit of technical know-how, an artificial mould can be created using superglue, a digital camera or scanner, image editing software, a negative form, silicon, latex, or wood glue as a base.
Consumers usually run across fingerprint systems in daily life as accessories on laptops, keyboards, or external USB devices. There are now a few cell phone models with this type of sensor too.
Verification occurs when the entire fingertip is laid on the sensor. But there are also systems where the user drags a fingertip across a strip. The first of these options is “more intuitive to use,” reports Hanover-based magazine c’t, “but bears with it the risk that an impression of the fingerprint – known as a latent impression – will remain on the sensor after use”.
For this reason, special systems that do not require the finger to be pressed on the sensor are often deployed in high security areas.
The systems scan the grooves of the fingerprint either optically, electrically or using electromagnetic fields. As manufacturers of the sensors know that forgeries represent a genuine threat, they also integrate additional sensors for bio detection.
The manufacturers are keeping secret information on what precisely is being measured, Busch says. The fact remains, however, that a gossamer-thin dummy glued to the finger is enough to trick the bio-detection. Graphite applied on the dummy can imitate the skin’s conductivity, for example.
Breathing on the artificial fingertip can temporarily bring it up to body temperature and manufacture some of the body’s natural moisture.
New tactics have been implemented to measure things like movements in the fingertip caused by the pulse, Busch says. Another approach does not examine the dead uppermost layer of skin, but rather uses an ultrasound to measure beneath it.
There is some good news amid all this fallibility by the sensors: all fingerprint systems are still better than weak passwords. “For added protection, you can combine biometrics and a password,” Busch recommends.
“The password login should always be allowed as an alternative option, with especially long and complicated passwords being mandatory,” c’t says.
Another important point is also to use a finger for the checks that otherwise is rarely used and hence leaves few valuable traces behind – such as a finger on the left hand for right-handers.