How would you go about implementing a fingerprint reader to verify a customer for Internet credit card transactions?
Very carefully. Biometrics done in any unsupervised way (where you don't have a reasonably competent person nearby overseeing things) are fraught with peril, and doing it over the network is the most perilous.
There are several problems that must be overcome.
First of all, all biometrics are pattern-matchers: unlike a PIN, which is either right or wrong, a biometric match is a guess. The fingerprint reader takes a picture of your finger (optically or electrostatically) and decides whether it is close enough to a stored picture. At their best, biometrics are approximately 99.99% accurate, about as good as a four-digit PIN.
The system can do this in one of two ways. It can compare the picture locally (in the device or in the user's computer), or it can send the new reading over the network to a server that compares it.
In the first case, what ends up happening is that the server receives a "Yes" or "No" from the network. How does the server know that the response came from a real fingerprint reader and not some program that impersonates one?
In the second case, how does the server know that the reading came from a real fingerprint scanner? It could be a replay of an old reading or a slightly modified reading. Remember, biometrics are like horseshoes: close enough is good enough.
This is a major problem with biometrics over the network: How does the server know that whatever its partner told it is true? What it was told is either a yes/no or a whole reading, but it has to know that data is legitimate data from a legitimate fingerprint reader. That's a hard problem, and it's a lot of work for something that at its best will have the accuracy of a four-digit PIN.
On top of this, if the server is receiving a single bit (yes or no), that's relatively easy to spoof. But if, on the other hand, it is receiving the whole reading, then there is a new risk -- the risk of replay. If an attacker manages to steal that reading, they can impersonate the user's fingerprint.
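The two questions above (is the result from a real reader, and is it fresh rather than replayed?) are exactly what a challenge-response design addresses. The following is an added illustration, not code from the original column: it assumes each reader holds a per-device secret provisioned at enrollment (here a constructed placeholder key) and authenticates its verdict with an HMAC over a server-issued, single-use nonce. It does nothing about the sensor being fooled by a latent print, which the next paragraph takes up.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-device secret, assumed provisioned into the reader's
# tamper-resistant element at enrollment and shared only with the server.
DEVICE_KEYS = {"reader-0001": b"\x00" * 32}  # placeholder, not a real key


def _mac(key, device_id, nonce, result):
    """Authenticate (device, nonce, verdict) so none of them can be altered."""
    msg = f"{device_id}|{nonce}|{result}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def reader_respond(device_id, key, nonce, local_match):
    """Reader side: report the local match decision bound to the challenge."""
    result = "match" if local_match else "no-match"
    return {"device_id": device_id, "nonce": nonce, "result": result,
            "mac": _mac(key, device_id, nonce, result)}


class VerificationServer:
    """Server side: issues single-use challenges and checks attested verdicts."""

    def __init__(self, keys, ttl=30):
        self.keys, self.ttl = keys, ttl
        self.pending = {}  # nonce -> (device_id, issued_at)

    def challenge(self, device_id):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, time.time())
        return nonce

    def verify(self, msg):
        # Consume the nonce: a second message with the same nonce is a replay.
        entry = self.pending.pop(msg["nonce"], None)
        if entry is None or entry[0] != msg["device_id"]:
            return "unknown-or-used-nonce"
        if time.time() - entry[1] > self.ttl:
            return "expired"
        key = self.keys[entry[0]]
        expected = _mac(key, msg["device_id"], msg["nonce"], msg["result"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac"  # forged by an impersonator, or verdict tampered
        return "accepted" if msg["result"] == "match" else "no-match"
```

A program impersonating the reader cannot produce a valid MAC without the device key, and a captured "accepted" message cannot be reused because its nonce has already been consumed.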
Worse -- it's even easier than that. The German magazine c't did some experiments with fingerprint readers. They found that some of them will give legitimate readings from latent fingerprints if you blow warm breath on the reader. Others would require a plastic bag with warm water. You can read their article. In any event, the devices themselves can be persuaded to give a reading that matches the user with a few tricks, and this is why a fingerprint reader shouldn't be unsupervised. Some trusted entity really needs to see that the reader isn't being abused. This is hard to do over the network.
None of this is necessarily impossible, but it is difficult. When you complete it, however, you're going to get a system that isn't substantially more secure than what you'd get with a PIN and arguably less secure than you could get with a smart card.
That's why you have to be careful. It will take planning and thought about exactly what you want to solve.
For more information on this topic, visit these other SearchSecurity.com resources: