Fingerprint Protect Your Computer

6 comments

Never knew these Gizmos existed, but you can plug one into your USB port and only your fingerprint will allow access to the data. The Register reports a test on 3 of them ranging from £30 to £150. Worth looking at if you have something to protect on your computer?

Comments

They are nothing new

The guys over at EyeNetWatch have been selling them for three or four years.

They have a range of USB Fingerprint Devices - these are most often used to protect data that you want to carry around with you, rather than data you keep on your PC all the time.

If you want to protect the data on your PC you are probably much better off with a USB Security Token, which encrypts data on your hard drive leaving it accessible only when the token is in place, or encryption software such as Security Box.

As with all security/encryption devices you get a performance hit in data access, though this is not as big a factor as it used to be.

The real benefit appears to be the opportunity to protect data that is on a laptop in case of theft of the laptop.

beware of trust

Careful what you trust, as usual. The whole concept of security using a fingerprint reader (or any biometric for that matter) lies in the trust of the registrar ... the place where you enrolled your fingerprint as you. The point of attack for these devices is often that enrollment process. How does it ask you to enroll your fingerprint for future authentication checks? What does it store, and where does it store it?

Many of these have been spoofed with wax impressions of lifted fingerprints. Others have been compromised by monitoring the USB data stream during authentication. There have been devices that were found to actually store your fingerprint on them (if it is lost, someone can reproduce your fingerprint). Biometrics are a non-recallable authentication token. You can't change your fingerprint if it has been used in identity theft.

I think the second-best way to deal with confidential data on your computer is to use an encryption key as Kali noted, but again make sure you enroll that key on a *different computer* than the one you use the key to secure. You might be surprised to know how many people buy those keys, and install both the key management program and the security system on the same computer (kind of like storing your keys in an unlocked box next to the locked door).

Some of what you say is spot on John

Different fingerprint scanners have different characteristics and it is a case of finding one that suits your security requirement.

The better scanners aren't fooled anywhere nearly as easily as some of the cheaper models - and use lifesign detection tests as well as the fingerprint itself.

Most store a binary template of the fingerprint, which you can reconstruct back into a fingerprint, some however store the image - these should be avoided unless you have a specific requirement for it.

All fingerprint scanners at the present time have a false acceptance rate of about 1 in 100,000 - yes that means in 100,000 people you are likely to find someone with a fingerprint that is an exact match for your own.

I have one

I bought one in December and love it. Also have one that I can take with me that stores all my passwords. It is important to spend the extra money for the high quality ones. I bought a cheap one first and it had a lot of trouble.

The 3 seconds of joy I get a day from swiping my finger and seeing the print show up with confirmation makes me feel like the porn and 80's music stored on my hard drive is safe. That is until someone kills me and chops off my thumb to get at my collection of Richard Marx.

Is it possible to hack into

Is it possible to hack into the fingerprint thing and steal someone's fingerprint? I mean, I would think it'd need to have an 'image' to compare it to...

that's the problem...nobody knows

They should not store a fingerprint, or even an encoded fingerprint or enough data to reproduce a fingerprint. They should store a hash code made *from* part of the fingerprint and part of something else, just like all the other public/private key encryption systems out there. And that's the issue.

Not only isn't there any way to know what they do inside their particular device, but you can't know if they did it correctly or not. That plus the fact that researchers have uncovered commercially available devices with such "errors". You can't recall your biometric ID, so once it is compromised, what can you do? (I suppose you have 10 fingers LOL)

I like to think of it this way. If top router makers with all their techno gurus still produce encryption software full of security holes, then it is certain that biometric device makers will suffer the same deficiencies.

Here's a thought for you. The biometric ID does not have to say "I am John Andrews". It only has to say "I am the same guy who bought and configured the device to block everyone but me, and I am back now here's my identifier to prove it is me". If that is true, the device does not need to know my fingerprint. It can do just fine with a one-way hash of the uniqueness in my fingerprint combined with some unique pass phrase I make up. Only that should be stored...not my fingerprint, and not my unique phrase.

Now what vendors can we trust to implement that properly so there is no cached copy of my fingerprint, no backup copy, no "administrative copy", no phoned-home copy, no latent image of my fingerprint in memory, etc etc etc.

Beware the point of trust for it shall be the target of exploitation.
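The storage scheme described in the last comment (keep only a one-way hash of fingerprint-derived data combined with a pass phrase), as an added example that is not part of the thread or any vendor's implementation. Assumptions: the fingerprint arrives as a list of 0-255 feature values, the `BUCKET` quantization step and all function names are hypothetical, and PBKDF2-HMAC-SHA256 stands in for whatever one-way function a device would use.

```python
import hashlib
import hmac
import os

BUCKET = 16            # hypothetical quantization step for sensor noise
ITERATIONS = 200_000   # PBKDF2 work factor (assumed value)

# Constructed sample feature vectors; real sensors produce noisier data.
ENROLLED = [34, 120, 201, 77, 150, 9, 244, 100]
NOISY = [36, 118, 203, 75, 152, 11, 242, 102]   # same finger, later scan
OTHER = [90, 13, 160, 222, 48, 199, 5, 131]     # different finger


def stable_bytes(features):
    """Quantize features so small scan-to-scan noise maps to the same bytes.

    A value near a bucket edge can still flip; real designs need error
    correction (a fuzzy extractor) instead of plain bucketing.
    """
    return bytes(v // BUCKET for v in features)


def derive(features, passphrase, salt):
    """Salted one-way derivation over fingerprint data plus pass phrase."""
    fp = stable_bytes(features)
    # Length-prefix the fingerprint part so the two inputs cannot blur together.
    material = len(fp).to_bytes(2, "big") + fp + passphrase.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def enroll(features, passphrase):
    """Return the only data the device keeps: a random salt and the verifier."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive(features, passphrase, salt)}


def verify(record, features, passphrase):
    """Recompute from a fresh scan and compare in constant time."""
    candidate = derive(features, passphrase, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    rec = enroll(ENROLLED, "correct horse")
    print(verify(rec, NOISY, "correct horse"))   # same finger, right phrase
    print(verify(rec, OTHER, "correct horse"))   # different finger
```

Re-enrolling with a new salt or pass phrase yields an unrelated verifier, so the stored record can be replaced even though the finger cannot. Coarse features carry little entropy, so a stolen record is only as hard to brute-force offline as the pass phrase makes it.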
