A New Look at Salted Biometrics and Multi-factor Authentication


image source: neowin.net
I have seen several people concerned with the fact that biometric authentication has not completely replaced passwords by now. Answers vary, but the two primary reasons are that they are not trusted and that they have been known to take longer to authenticate, due to frequent false positives. There is currently no proven and trusted technology or vendor for biometric authentication.
Although rough, this solution came to me while trying to transition from a night shift schedule a few days ago. I can’t tell you why, but for some reason I was trying to think of a way to reduce the number of false positives and false negatives in fingerprint scans. The solution that many unfortunate organizations have been forced to do is to change the sensitivity of the system. What if there were a way to add another factor, without requiring more from the user? This way, organizations could reduce the amount of false positives by turning down the sensitivity, while increasing security by adding another check.
I don’t know how much my readers know about encryption, so I will give a very brief explanation. If you already have a good understanding of it, please skip to the proposal below. More than likely, you know more about it than I do and I don’t want to hear about it. Encryption is taking a set of data and hiding its contents by changing it. This is achieved in several ways, but that is the gist of it. When it comes to authentication, it is normally the password that gets encrypted in the system so that in the case that someone gets their hands on the password file, they will not be able to see what the password is. This was the practice for quite some time, but eventually password crackers were able to reverse the encryption (or decrypt) of the password. To combat this problem, cryptographers implemented the practice of adding random information, called “salt”, to the password before it is encrypted. If password crackers do not know what the “salt” is, their decryption will be useless. The only way this works however, is if the “salt” that is added to the password is the same each time.
In the case of biometric authentication, the fingerprint and the pin, if used, is encrypted and likely salted. My challenge was to find a way to add another factor in the authentication so that the system sensitivity could be reduced, while maintaining “salted” encryption and a high level of security. My solution is to use what is already there. The common factors processed in biometric authentication are the fingerprint (for comparison between the one stored and the one presented by the user) and the pin (to demonstrate additional security by requiring something that is “known” by the user).
Why not use what you already have to create an additional factor of authentication? Instead of simply using the fingerprint for visual comparison and adding “salt” later, why not put data from the visual comparison, the pin, and an algorithm from the fingerprint (as “salt”) together before encrypting, then comparing the new hash against the stored one? The algorithm used could be something as basic as measuring the distance between several lines toward the center of the print and multiplying the sum by the number of lines. I’m sure it would not be that simple of an equation, but I think you get the point. This third factor could also be configured by the local administration, so each organization’s “salt” is unique.
What do you think? If something like this already exists, please leave information about it in the comments section below. I have been successful in over-thinking my way into being interested in this topic.
Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.