This is a Letter to the Editor that I sent in a while back, and I am finally putting it on my blog. Enjoy.
The November 9th edition of the Daily Journal featured an article describing Greenwood Community School Corporation's use of fingerprint scanners to secure its computers. The article quoted Joe Huber, GCSC's director of information systems, saying, “there's no combination of letters or numbers to try to crack”.
That statement is false. As any knowledgeable computer user knows, all information that goes into and is stored by a computer gets converted into a series of ones and zeros. The same goes for a fingerprint that is scanned by a computer. Thus, to a computer, a fingerprint is no different from a combination of letters and numbers. Just because an attacker can't crack the “password” doesn't mean that a biometric system is more secure.
Using one's fingerprint as a password only gives the appearance of security because it's a fingerprint. It is no more secure than using a single, really long password. It's actually much less secure than using a different password for each system, because every system would be using the same “password”. An attacker would have to either capture the raw fingerprint data, gaining access to all the information that fingerprint is allowed to access, or get hold of the entire database of fingerprints. Either way, using fingerprints alone only decreases the overall security of the information they are meant to protect.
Biometrics also presents another problem: a user's fingerprint can't be changed. There are only a handful of “passwords” available unless their toes are counted too, and if their toe-prints get captured by an attacker then there's not much left to scan on the body.
There are two possible solutions that are more secure: password managers or a public key infrastructure. Password managers are just that, programs that manage and securely store a list of passwords. The only password that can be captured is the one that is used to open the list of passwords, instead of a password that grants access to a system.
While using a password manager doesn't get rid of the multitude of passwords, a public key infrastructure can provide the only secure means of verifying a user's identity on a computer network while using a single password. In a public key infrastructure the only password in use is the one that unlocks the user's key. With the proper setup, a public key infrastructure can serve as the basis for a secure login, along with other benefits. To be completely secure, a public key infrastructure would require smart cards that store the user's key and can also perform encryption on the card.
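The login the paragraph above describes, as an added example that is not from the letter: a challenge-response exchange in which the server stores only public keys, sends a random nonce, and accepts a login only if the response is a valid signature over that nonce from the enrolled key. Nothing a network observer sees (nonce or signature) lets them log in later, and the password that unlocks the key never leaves the user's machine (or card). Written against Go's standard-library Ed25519; the user name and the message framing are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds only public keys: a breach of this table yields nothing that logs anyone in.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding nonce per user, consumed on use
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll registers a user's public key (in a real PKI this would come from a certificate).
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge hands out a fresh 32-byte nonce; only the private key holder can sign it.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// loginMessage binds user name and nonce so a signature cannot be reused for another account.
func loginMessage(user string, nonce []byte) []byte {
	return append([]byte("login:"+user+":"), nonce...)
}

// Login checks the signature against the enrolled public key and the outstanding nonce,
// then discards the nonce so a captured response is worthless for replay.
func (s *Server) Login(user string, nonce, sig []byte) bool {
	pub, enrolled := s.users[user]
	expected, pending := s.challenges[user]
	if !enrolled || !pending || !bytes.Equal(nonce, expected) {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, loginMessage(user, nonce), sig)
}

// Client keeps the private key; with a smart card, Respond would run on the card itself
// after the user's password unlocks it, and the key would never be readable by the host.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

func (c *Client) Respond(nonce []byte) []byte {
	return ed25519.Sign(c.priv, loginMessage(c.user, nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer()
	srv.Enroll("alice", pub) // constructed user
	alice := &Client{user: "alice", priv: priv}
	nonce, _ := srv.Challenge("alice")
	sig := alice.Respond(nonce)
	fmt.Println("login:", srv.Login("alice", nonce, sig))
	fmt.Println("replay:", srv.Login("alice", nonce, sig))
}
```

Compare this with the fingerprint case the letter criticises: here the secret that proves identity is never transmitted and never stored on the server, so there is no central database whose theft lets an attacker impersonate every user.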
Both password managers and a public key infrastructure offer greater security than a biometric fingerprint scanner appears to offer or can ever offer, and if Joe Huber believes that biometrics is a cure-all then he's neither paranoid nor informed enough to be in charge of a school corporation's computer security.



Free CyberScrub KeyChain Password Manager
At work we use a free password manager, CyberScrub KeyChain Password Manager (http://www.cyberscrub.com/keychain), and we really love it. Here is some info I copied from their site:
Manage ALL Passwords with One Phrase. When you log on to KeyChain with your Master Pass Phrase you will have instant access to all of your password protected websites. Select your destination from a special list you have created, then simply "Click & Go". It's that easy! Each time you visit a site requiring a user name and password KeyChain auto-enters this information and logs you in. It even prompts you to add these passwords to the program if you have not already done so. Never manually fill in credit card details again. Online shopping is a snap because KeyChain automatically enters your selected credit card details, Shipping and Billing address and more. All of your data is secured with strong encryption. Only you have access to the sensitive data within KeyChain. All information, including passwords, credit cards and other data, is protected with strong encryption algorithms. The USB flash drive also synchronizes with your host computer to back up your encrypted password list. This is an important feature should your PC crash or fail. You may also utilize the USB flash drive, if desired, for Dual User Authentication. This requires the user to not only enter the Master Pass Phrase, but also to plug the USB flash drive into their computer. Easy to use, backed by award-winning CyberScrub Customer Support.