Is fingerprint authentication secure?

Solution 1:

The security of the scanner likely depends largely on the quality of the hardware. I'm guessing most scanners that come with laptops these days are pretty cheap and not intended for high security situations. Even higher quality scanners meant for door locks aren't impervious to fingerprint duplication. This Mythbusters clip proves as much.

Like Harley said though, multiple challenges are always more secure than a single challenge.

Solution 2:

The problem with most biometric systems is that they're inherently 'noisy', which requires software to sift through the noise to the true signal. A password is a few bytes where exactness needs to be perfect. A biometric fingerprint, or iris scan, or retina scan, or voice print, all need to have a 'close enough' threshold because biometrics change from day to day or week to week. Defeating such systems takes advantage of the 'close enough' nature of biometric authentication technology.

Because of this, a simple biometric is, in my opinion, less secure than a correctly selected password. And that doesn't even go into implementation details such as signal capture/replay possibilities between the scanner and the authenticator, or easily subverted skin conductivity sensors (lick the paper!).

When used in conjunction with a password, it can enhance security. But as I said, it shouldn't be used instead of a password.
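A small model of the 'close enough' matching described in this answer, added here as an illustration (it is not code from the original answer or from any scanner vendor). The enrolled template, genuine captures, impostor captures and thresholds are all constructed, and the 4-dimensional feature space stands in for a real scanner's far richer representation; the point is how the threshold trades false rejects against false accepts, while a password has no such slack.

```python
"""Toy model: tolerance-based biometric matching versus exact password matching.

All feature vectors below are constructed sample data, not real scanner output.
"""
import math

# Enrolled template: a constructed 4-dimensional feature vector standing in
# for a minutiae-derived fingerprint representation.
ENROLLED = (0.50, 0.20, 0.80, 0.10)

# Genuine presentations: the same finger captured on different days, each a
# little off the template (constructed to mimic day-to-day variation).
GENUINE = [
    (0.52, 0.21, 0.79, 0.12),
    (0.48, 0.18, 0.83, 0.09),
    (0.55, 0.25, 0.75, 0.15),
    (0.40, 0.30, 0.90, 0.05),  # a noisy capture, well away from the template
]

# Impostor presentations: other fingers (constructed). The second one happens
# to land close to the template; a generous threshold lets it through.
IMPOSTOR = [
    (0.60, 0.30, 0.70, 0.20),
    (0.56, 0.24, 0.76, 0.14),
    (0.10, 0.90, 0.20, 0.70),
    (0.30, 0.60, 0.40, 0.50),
]


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def biometric_match(template, probe, threshold):
    """Accept when the probe is 'close enough' to the enrolled template."""
    return distance(template, probe) <= threshold


def password_match(stored, supplied):
    """A password must match exactly: there is no tolerance window."""
    return stored == supplied


def error_rates(threshold):
    """Return (false reject rate, false accept rate) at the given threshold."""
    rejected = sum(not biometric_match(ENROLLED, g, threshold) for g in GENUINE)
    accepted = sum(biometric_match(ENROLLED, i, threshold) for i in IMPOSTOR)
    return rejected / len(GENUINE), accepted / len(IMPOSTOR)


def sweep(thresholds):
    """Tabulate the trade-off: loosening the threshold to admit noisy genuine
    captures also admits impostors that merely resemble the template."""
    return [(t, *error_rates(t)) for t in thresholds]
```

Running `sweep([0.05, 0.15, 0.25])` on the constructed data shows the false reject rate falling from 0.5 to 0 while the false accept rate climbs from 0 to 0.5; no threshold in this toy set gets both to zero.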


Solution 3:

Fingerprints are generally more secure than a password, but it's all relative.

But you know what's more secure than a fingerprint? A fingerprint and a password. Something you have plus something you know is far, far more secure than either alone.


Solution 4:

  • Is OS authentication more secure by using fingerprint reader than a (strong) password? Can that be hacked easily?

At one point, it was thought to be so. Since that time, there have been several methods developed to defeat the cheaper versions of these scanners.

If it is used as part of a two-factor or multi-factor authentication process, then I believe it will enhance security by raising the difficulty of entry. Here's someone discussing this.

  • By the way, where is the fingerprint stored? On the hardware chip or on the filesystem?

Typically the filesystem. Many scanners simply turn the impression into a hash that is transmitted to the host PC. Kronos Touch ID is a corporate solution meant for use as a timeclock; it stores the data in a Paradox table(!) as a hash, so it's pretty clear where their profit margins are coming from with this device....

  • Is that dependent on the reader's hardware?

There are many readers, each with their own methods. While I can't speak with any authority on this, it seems that "yes" is a pretty good answer to this question.

  • Is that dependent on the library/OS implementation?

Again, I think it depends on the type of reader. Some actually transmit more than a hash (the actual fingerprint image), while others don't.


Solution 5:

The problem with all biometrics is that when your security material (such as your fingerprints, retina or DNA) is compromised, it's very difficult to change.

Biometrics is a form of identification, not authentication.

Edit: Following up, I found this great article: Authentication and Identification.