USB connected fingerprint scanners
While discussing testing biometrics (fingerprint scanners) for single factor authentication, one of the sales reps indicated his device encrypted the fingerprint (scan) prior to sending to the computer via a usb connection. I was wondering if this sounds true as the scanner would need additional hardware "buit in" to accomplish this. The second question is can a usb keystroke logger be used to capture the scan and play it back (man in the middle analogy)? I have researched the questions but not found any solid answers....
Software/Hardware used:
Software/Hardware used:
ASKED:
July 22, 2005 12:29 PM
UPDATED:
July 22, 2005 3:46 PM
Answer Wiki:
A - TWO factor Authentication PLEASE! GATTACA's DNA test with immediate apprehension is okay for single factor, but anything less is not suitable for 'secure' networks. NTFS logons have both user and system credentials for two factors.
B - A scanner that encrypts the fingerprint so that it is a different hash for each submission would be a good thing. [Anything on the USB bus can query time and date which with component ID lends itself to a onetime hash.] A scanner with thermistor to verify the finger is warm is a good thing. A USB recorder to capture packets is conceivable, but replaying to fool the reader's softare would not be trivial. Since they have physical access probably not you most important worry. A scanner that does NOT try to image the fingerprint is a good thing.
C - In amplification of the last statement preceding - The database of scanned fingerprints should NOT be evidentiary. Our job is authenticating users and protecting the network and its data. NOT collecting fingerprints for what ever government agency shows up with a warrant.
To see all answers submitted to the Answer Wiki: View Answer History.
Do you know if there are any vendors who actually do encryption at the scanner? I think the extra electronics would make it easier to do the encryption at the software level.