Why securing devices using your fingerprint is not safe

Think about it: fingerprints are unique. Everybody has them and every one of them is unique, so it’s a secure way to prove your identity, right?


We all know by now that passwords are easily cracked, if not by guessing then by brute force. And we all know the "difficult" passwords: P@$$w0rd123 and 3AsyD03s1T. As if attackers are stupid! They're not. Those leetspeak spellings are not encryption of any kind; swapping a for @ and o for 0 is one of the first mangling rules every password-cracking tool applies to every word in its list, so such passwords fall about as fast as your dog's name or your mother's birthday. A dog is called Bello, Spot, Rex, Fluffy or one of a few dozen other names, and as for birthdays: an attacker only has to try every date since 1-1-1900, which is roughly 115 x 365 = 42,000 dates, a trivial amount of work for a cracking tool.
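To make the "attackers are not stupid" point concrete, here is an added example (not code from the original post) of the guessing strategy described above: a dictionary word run through a small leetspeak rule set and a handful of common suffixes, followed by every date since 1-1-1900 in three spellings. The rule table and the wordlist are constructed for this illustration; real cracking tools ship far larger rule files, and the target hash here is plain SHA-256 so that the run finishes in a second or two.

```python
import hashlib
import itertools
from datetime import date, timedelta

# Constructed rule set: the leetspeak substitutions a cracking tool applies to
# every wordlist entry. Real tools ship far longer rule files; this is a sketch.
LEET = {
    "a": ["a", "@", "4"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
    "t": ["t", "7"],
}


def sha256_hex(text):
    """Hex SHA-256 of a string; stands in for whatever hash the leaked database used."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """Yield every leetspeak spelling of word, plus a capitalised copy of each."""
    pools = [LEET.get(ch.lower(), [ch]) for ch in word]
    for combo in itertools.product(*pools):
        cand = "".join(combo)
        yield cand
        if cand[0].isalpha():
            yield cand[0].upper() + cand[1:]


def date_space_size(start=date(1900, 1, 1), end=date(2015, 12, 31)):
    """Number of calendar dates an attacker must try for a birthday-style password."""
    return (end - start).days + 1


def date_candidates(start=date(1900, 1, 1), end=date(2015, 12, 31)):
    """Yield every date in the range in three common spellings."""
    d = start
    while d <= end:
        yield d.strftime("%d%m%Y")    # 31121999
        yield d.strftime("%d-%m-%Y")  # 31-12-1999
        yield d.strftime("%Y%m%d")    # 19991231
        d += timedelta(days=1)


def candidates(wordlist, suffixes=("", "1", "123", "!", "2015")):
    """The full guess stream: mangled dictionary words first, then dates."""
    for word in wordlist:
        for variant in leet_variants(word):
            for suffix in suffixes:
                yield variant + suffix
    yield from date_candidates()


def crack(target_hex, wordlist):
    """Return (guess, attempts) once a candidate hashes to target_hex, else (None, attempts)."""
    attempts = 0
    for cand in candidates(wordlist):
        attempts += 1
        if sha256_hex(cand) == target_hex:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed "leaked" hash of the supposedly difficult password from the text.
    leaked = sha256_hex("P@$$w0rd123")
    print(crack(leaked, ["password", "secret"]))   # found after a few hundred guesses
    print(date_space_size(), "dates since 1-1-1900")
```

The wordlist entry "password" expands to 54 leetspeak spellings, doubled by capitalisation and multiplied by five suffixes, so P@$$w0rd123 is reached within 540 guesses; a birthday written as 31-12-1999 is reached within the roughly 42,000 x 3 date spellings that follow.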


So a couple of years ago the industry turned to a personal identifier that everybody carries with them: the fingerprint. But is it really a safe way to identify yourself?

Are fingerprints really hard to steal? Let's face it: we leave our fingerprints everywhere during the day: on coffee cups, car door handles, doors, chairs, tables; just about anything we touch carries a nice copy of our prints. On the website "Hackaday", Elliot Williams explains why fingerprints aren't safe and how you can lift other people's prints from such surfaces.

Also, if a password gets stolen, you can get a new one relatively easily, but getting a new fingerprint when somebody has lifted yours from a used coffee cup? Think again. A fingerprint cannot be revoked or reset.

And a third objection is that you cannot simply hash a database of fingerprints the way you hash passwords, because every print still has to be recognised when it is slightly distorted by a small wound or by pressing harder or softer on the scanner. The matcher therefore has to accept a near match, which is exactly what a cryptographic hash rules out: !Passw0rd123 looks like !passw0rd123, but their hashes differ in roughly half of their bits, so the guess is plainly wrong and the attacker never learns that he was one character away from the secret. A fingerprint template has to be stored in a form the matcher can compare against, so the fallback is to encrypt the database; but the key must then be available wherever matching happens, and the storage of that key, rather than the templates themselves, becomes the weak spot. That is also why phone makers keep the template inside a separate secure processor instead of the ordinary file system.
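The difference between the two kinds of check, as an added example that is not part of the original post: a toy fingerprint template (a constructed list of minutiae, each an x, y position and ridge angle) is matched with a tolerance, so the same finger pressed a little harder still passes while a different finger fails; the same template put through SHA-256, as a password would be, rejects the legitimate user as soon as one minutia moves. The minutiae, tolerances and threshold are constructed for this illustration and far simpler than a real matcher.

```python
import hashlib
import math


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def differing_bits(hex_a, hex_b):
    """Hamming distance between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed toy template: a handful of minutiae as (x, y, angle_in_degrees).
# A real template holds dozens of minutiae plus ridge data; the shape is the point.
ENROLLED = [(12, 40, 90), (55, 23, 180), (70, 88, 45), (30, 60, 270), (90, 15, 135)]
# Constructed template from a different finger: nothing lines up with ENROLLED.
IMPOSTOR = [(5, 5, 0), (60, 60, 10), (80, 20, 200), (20, 85, 300), (45, 45, 100)]


def distort(template, dx=2, dy=-1, dtheta=5):
    """Same finger, next scan: pressed a little harder and rotated a little."""
    return [(x + dx, y + dy, (t + dtheta) % 360) for x, y, t in template]


def angular_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(probe, enrolled, pos_tol=5.0, angle_tol=15):
    """Fraction of minutiae that pair up within tolerance (greedy one-to-one pairing)."""
    used = set()
    matched = 0
    for x, y, t in probe:
        for i, (ex, ey, et) in enumerate(enrolled):
            if i in used:
                continue
            if math.hypot(x - ex, y - ey) <= pos_tol and angular_diff(t, et) <= angle_tol:
                used.add(i)
                matched += 1
                break
    return matched / max(len(probe), len(enrolled))


def biometric_verify(probe, enrolled, threshold=0.8):
    """What a fingerprint matcher must do: accept a near match above a threshold."""
    return match_score(probe, enrolled) >= threshold


def serialize(template):
    """Canonical text form of a template, so it can be hashed like a password."""
    return repr(sorted(template))


def hashed_verify(probe, enrolled_hash):
    """What a password check does: exact hash equality, with no notion of 'close'."""
    return sha256_hex(serialize(probe)) == enrolled_hash


if __name__ == "__main__":
    same_finger = distort(ENROLLED)
    stored_hash = sha256_hex(serialize(ENROLLED))
    print("matcher, same finger:   ", biometric_verify(same_finger, ENROLLED))  # True
    print("matcher, other finger:  ", biometric_verify(IMPOSTOR, ENROLLED))     # False
    print("hash, same finger:      ", hashed_verify(same_finger, stored_hash))  # False
    print("bits differing between the two near-identical passwords:",
          differing_bits(sha256_hex("!Passw0rd123"), sha256_hex("!passw0rd123")))
```

The last line is the avalanche effect the text relies on: a one-character change flips on the order of 128 of the 256 digest bits, so a hash gives the attacker no gradient to climb. The matcher, by contrast, needs the minutiae themselves, which is why a fingerprint database cannot be stored as hashes.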

Should we be using fingerprints (only) for sensitive data? If you have read the above, your answer would be: "No". But combined with passwords, one-time codes sent to your phone, RSA tokens or iris scans? Hmmmmm. A combination of these might do the trick: the fingerprint then only proves something you are, and an attacker with a lifted print still lacks the thing you know and the thing you have.
