and Fingerprint Recognition Authentication Systems
Table of Contents
How the systems work
How password authentication systems work
How fingerprint recognition authentication systems work
Security methods used by password authentication systems for protecting its data
Security methods used by fingerprint authentication systems for protecting its data
False Acceptance Rate (FAR)
Strengths and weaknesses of each system
Strengths and weaknesses of password authentication systems
Strengths and weaknesses of fingerprint recognition authentication systems
Potential attacks against the systems
Potential attacks against password authentication systems
Brute force attacks
Potential attacks against fingerprint recognition authentication systems
Attacks on the template database
Fingerprint overtness
Comparison Table
As humans we can recognise other humans by their face, voice or even their smell; today computers are able to identify humans by their unique characteristics too, such as face, iris, fingerprint and more. Until recently, password authentication systems dominated the security world, until biometric authentication systems were
the companies have assets like expensive hardware and servers that contain confidential data of their customers or employees, which are extremely valuable, not only in monetary terms but also for legal reasons. These assets should be available for access and modification only to authorized persons such as the system administrator, but unfortunately that is not always the case.
To protect their assets and decrease the risk of human disaster threats, most companies use the two most common authentication systems, password and biometric. This report focuses on password and fingerprint recognition authentication systems, explains how the systems work, their security methods for protecting data and their advantages/disadvantages. In addition, it covers the potential attacks that can be executed against them and finally recommends one of the systems for a medium size company.
2.0 How the systems work
The purpose of both password and fingerprint recognition authentication systems is to determine whether someone is in fact who they declare to be and, as a result, allow logical or physical access to that person. To achieve their goal, the systems use different authentication
2.1 How password authentication systems work
Password authentication systems work by comparing a given username or ID and a password with the corresponding credentials inside a database that holds all authorized users and their passwords. With that authentication method, password authentication systems have a 100% chance of knowing whether someone is a legitimate user or not.
2.2 How fingerprint recognition authentication systems work
The first time a user registers with a server protected by a fingerprint recognition authentication system, a procedure called enrolment takes place, which translates illuminated images of the fingerprint into digital code.
Once the enrolment is complete, if the user wants to get logical or physical access to the server, they must scan their fingerprint again; then the verification procedure happens, which uses a capacitive scanner that measures their finger electrically. When a finger is pressed on a surface, the ridges in the fingerprint touch the surface while the hollows between the ridges stand slightly clear of it.
A capacitive scanner builds up a picture of the fingerprint by measuring these distances and then translates that picture into a digital code, which is finally compared with the previously stored sample. Even though this comparison happens in less than a second, there is no clear yes/no answer as to whether a scanned fingerprint is the same as the one saved inside the database, only a percentage of similarity between the two samples in terms of distance pattern, which is accepted or rejected according to an authentication threshold set by the system administrator.
Figure 1, How biometric systems work, by ()
3.0 Security methods used by password authentication systems for protecting its data
3.1 Hash
Password authentication systems do not save passwords in the database as clear text but as an irreversible coded form which is generated using hash algorithms like MD5, SHA-1, etc. Just using hash algorithms is not enough for a password to be protected, because if two users have the same password then the hash counterparts would be the same, and as a result the system is left more vulnerable to potential attacks. In addition, if a hacker manages to break into a system he can use a precomputed table which reverses cryptographic hash functions, named
To fix this security vulnerability, a computer-generated random component called a salt is added to the password before it is input into the hash algorithm; by doing that, every password hash in the database is unique even if the password is identical to another user's. In addition, “salting” a hashed password increases the level of complexity and ensures that any exposed confidential data will need many years of work for extracting any usable passwords.
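The contrast described in 3.1, shown as an added example (not code from the report): the same password stored by two users produces identical digests under a bare hash, while a per-user random salt fed into a slow, iterated hash makes the stored values differ and lets the server verify a login with a constant-time comparison. The user names, the password "Summer2020!" and the iteration count are constructed for the illustration; PBKDF2-HMAC is used here as the salted, iterated hash rather than the plain MD5/SHA-1 the text names.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumption: a value chosen for this example;
# tune it so that one hash costs a few hundred milliseconds on the login server).
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Bare SHA-1 of the password, as the naive scheme in the report stores it.
    Two users with the same password get exactly the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Create a stored credential: a fresh random salt plus the salted, iterated hash.
    The salt is stored next to the hash; it is not secret, only unique per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the hash of the candidate with the stored salt and compare in
    constant time, so the comparison itself does not leak timing information."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hash_count(stored_hashes: dict) -> int:
    """Number of distinct hash values that appear for more than one user.
    A non-zero count tells whoever reads the table which accounts share a password."""
    users_by_hash = {}
    for user, value in stored_hashes.items():
        users_by_hash.setdefault(value, []).append(user)
    return sum(1 for users in users_by_hash.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed example: two employees happened to pick the same password.
    common = "Summer2020!"
    naive_table = {"alice": unsalted_hash(common), "bob": unsalted_hash(common)}
    salted_table = {name: make_record(common)["hash"] for name in ("alice", "bob")}
    print("naive table, shared hashes:", shared_hash_count(naive_table))    # 1
    print("salted table, shared hashes:", shared_hash_count(salted_table))  # 0
    record = make_record(common)
    print("correct password accepted:", verify(record, common))             # True
    print("wrong password rejected:", not verify(record, "summer2020!"))    # True
```

The salt does not need to be secret; its job is only to make each stored value unique, so the same precomputed table cannot be reused across users, while the iteration count is what makes each guess expensive.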
4.0 Security methods used by fingerprint authentication systems for protecting its data
4.1 False Acceptance Rate (FAR)
False acceptance rate, or FAR, is the measurement of the possibility that a biometric authentication system will falsely allow logical or physical access to an unauthorized person. A system’s FAR is defined as the ratio of the number of false acceptances to the number of identification attempts. For example, if the FAR is 0.1 percent, on average two out of 2000 impostors attempting to breach a system will be successful. In other words, the probability of an impostor being identified as an authorized person is 0.1 percent. If a system administrator sets the FAR to the lowest possible value he dramatically decreases the chance of a false acceptance into the system.
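How the administrator's threshold from 2.2 and the FAR defined in 4.1 relate, as an added example that is not part of the report: the similarity scores below are constructed (a 0 to 100 scale, ten impostor probes and ten genuine probes), and the functions compute FAR at a given threshold, find the lowest threshold that meets a FAR target, and reproduce the text's 0.1% over 2000 attempts figure. The false rejection rate is included as well, going beyond the text, because lowering FAR by raising the threshold is paid for in rejected legitimate users.

```python
# Constructed similarity scores on a 0-100 scale, as a matcher would report them
# when comparing a freshly scanned probe against the stored template.
IMPOSTOR_SCORES = [12, 25, 31, 40, 44, 52, 58, 61, 66, 73]  # probes from people who are not the enrolled user
GENUINE_SCORES = [55, 63, 70, 74, 79, 83, 88, 91, 94, 97]   # probes from the enrolled user


def accepted(score: int, threshold: int) -> bool:
    """The matcher's decision rule: accept when similarity reaches the threshold."""
    return score >= threshold


def false_acceptance_rate(impostor_scores, threshold: int) -> float:
    """FAR = false acceptances / impostor attempts, as defined in the text."""
    false_accepts = sum(1 for s in impostor_scores if accepted(s, threshold))
    return false_accepts / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold: int) -> float:
    """FRR = false rejections / genuine attempts (the complement the text does not name)."""
    false_rejects = sum(1 for s in genuine_scores if not accepted(s, threshold))
    return false_rejects / len(genuine_scores)


def lowest_threshold_for_far(impostor_scores, target_far: float, scale_max: int = 100) -> int:
    """Smallest threshold on the 0..scale_max scale whose FAR on the impostor sample
    is at or below target_far; scale_max + 1 means the target is unreachable."""
    for threshold in range(0, scale_max + 1):
        if false_acceptance_rate(impostor_scores, threshold) <= target_far:
            return threshold
    return scale_max + 1


def expected_false_accepts(far: float, impostor_attempts: int) -> float:
    """The text's worked figure: FAR 0.1% over 2000 impostor attempts -> 2 expected successes."""
    return far * impostor_attempts


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for threshold in (50, 60, 70, 75, 80):
        far = false_acceptance_rate(IMPOSTOR_SCORES, threshold)
        frr = false_rejection_rate(GENUINE_SCORES, threshold)
        print(f"{threshold:9d}  {far:.2f}  {frr:.2f}")
    print("lowest threshold with FAR 0 on this sample:",
          lowest_threshold_for_far(IMPOSTOR_SCORES, 0.0))
    print("expected impostor successes at 0.1% over 2000 attempts:",
          expected_false_accepts(0.001, 2000))
```

On this sample a threshold of 75 drives FAR to zero but rejects four of the ten genuine attempts, which is why the threshold is a tuning decision rather than something simply set to the maximum.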
5.0 Strengths and weaknesses of each system
Not a single authentication system in the world is completely secure; every system has its own strengths and vulnerabilities. The correct use of each system’s strengths can overcome most of the vulnerabilities.
5.1 Strengths and weaknesses of password authentication systems
The main strength, which can easily be turned into a weakness, is the length of the password chosen by the user. A long password increases the total number of combinations that a hacker must check to find any useful information. For example, a 6-digit password can have 1,000,000 different combinations. To increase the number of combinations a 6-character password can have even further, different character types like uppercase letters, numbers and symbols should be used.
Another advantage that password authentication systems have is the ability of a company to apply password policies that force the employees to use a “strong” password, for example:
- use different types of characters (uppercase, numbers, symbols);
- change the password at regular intervals (every two months);
- never share a password with another person or write it down in a publicly visible place;
- the system disables the account after several failed logon attempts.
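The enforceable parts of such a policy, as an added example that is not code from the report: a check of the character-type rule, a check of the change interval, and a per-account counter that disables the account after repeated failed logons. The report gives no minimum length and says only "several" failed attempts, so the minimum of 8 characters and the limit of 5 attempts are assumptions for this example; the rule against sharing or writing passwords down cannot be checked in code and is left out.

```python
import string
from datetime import date, timedelta

# Policy parameters. The text says "strong", "every two months" and "several"
# failed attempts; the concrete numbers below are assumptions for this example.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=60)
MAX_FAILED_ATTEMPTS = 5


def policy_violations(password: str) -> list:
    """Return the list of policy rules a proposed password breaks (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def change_required(last_changed: date, today: date) -> bool:
    """True once the password is older than the change interval."""
    return today - last_changed > MAX_AGE


class LogonGuard:
    """Counts consecutive failed logons per account and disables the account
    once the limit is reached; a successful logon resets the counter."""

    def __init__(self):
        self.failed = {}
        self.disabled = set()

    def attempt(self, username: str, password_correct: bool) -> str:
        """Outcome of one logon attempt: 'ok', 'denied' or 'disabled'."""
        if username in self.disabled:
            return "disabled"  # even a correct password is refused once disabled
        if password_correct:
            self.failed[username] = 0
            return "ok"
        self.failed[username] = self.failed.get(username, 0) + 1
        if self.failed[username] >= MAX_FAILED_ATTEMPTS:
            self.disabled.add(username)
            return "disabled"
        return "denied"


if __name__ == "__main__":
    # Constructed inputs for the illustration.
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", policy_violations(candidate) or "accepted")
    print("change required after 74 days:", change_required(date(2020, 1, 1), date(2020, 3, 15)))
    guard = LogonGuard()
    outcomes = [guard.attempt("carol", False) for _ in range(5)] + [guard.attempt("carol", True)]
    print("carol's attempts:", outcomes)  # four 'denied', then 'disabled' twice
```

The disabled state is what turns the lockout rule into a real limit on guessing: once the counter trips, a correct password no longer helps until an administrator re-enables the account.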
On the other hand, password authentication systems carry a lot of weaknesses. Many users take security lightly and choose “weak” passwords which can be easily cracked or even guessed. If a company does not apply password policies then the employees might write their password on their desk or share it with a co-worker, making life easier for unauthorized people who want to damage or steal from the system. In addition, the easiest way for a password to be stolen is when it is input into the system, when an impostor can physically see the password being typed and eventually steal it.
5.2 Strengths and weaknesses of fingerprint recognition authentication systems
fingerprints cannot be “forgotten” or written down and are always available when needed. Every human has unique features like fingerprints, which automatically defeats most of the attacks that can be used against passwords. Moreover, fingerprint recognition is extremely convenient for a user since it only requires one small movement of the arm. In addition, the very high accuracy and the relatively low cost compared to other biometric systems make fingerprint recognition the most used biometric authentication system.
On the other side of the coin, fingerprint readers need to be installed on all machines or doors, which can be cost inefficient. In addition, fingerprint recognition has medium acceptability among people because it is associated with criminal identification. Moreover, a huge disadvantage is the false acceptance rate (FAR), which is the percentage of people who can be incorrectly authenticated as valid users into the system. Finally, unlike passwords, which do not necessarily require the person to get hurt in order to be obtained, one of the ways that impostors can get the fingerprint is by cutting off the person's finger.
6.0 Potential attacks against the systems
In the past, most of the attacks executed on a server aimed to damage or even destroy the entire server, or were sometimes just for fun. Nowadays, almost all attacks have one goal: money. By executing a denial-of-service attack, which can make a machine or network resource unavailable to its users for a period by interrupting the services of a host connected to the internet, hackers ask for money to restore the services back to normal, and they normally get it.
6.1 Potential attacks against password authentication systems
6.1.1 Phishing
Phishing is one of the easiest forms of cyber-attack for a hacker to execute. Phishing is most of the time carried out over e-mail by attempting to trick a target into giving up confidential data. The way phishing works is by sending an email to the target claiming to be from the company he works for and saying that he must update his old password by clicking the link provided; if the target clicks on the link then a bogus website which looks exactly like the legitimate one opens, but it has no actual functionality other than stealing the data the target enters.
Figure 2, Example of email phishing, by ()
6.1.2 Brute force attacks
A brute force attack is a trial-and-error method used by programs like John the Ripper to decode encrypted confidential data such as passwords through exhaustive effort. A brute force program tries all possible password combinations until it finds what it is searching for. Even though brute force has a 100% chance of finding what it is searching for, the process might take a very long time (even decades for strong
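The combination counts from 5.1 and the "very long time" claim of 6.1.2 worked through together, as an added example that is not part of the report: the functions compute the size of the password space for a given length and set of character types, and how long exhausting it would take at an assumed guessing rate. The figure of one billion guesses per second and the use of ASCII punctuation (32 characters) as the symbol class are assumptions for this example; the 6-digit case reproduces the text's 1,000,000 combinations.

```python
import string

# Character classes a policy can require (assumption: symbols = ASCII punctuation, 32 chars).
CHARACTER_CLASSES = {
    "digits": string.digits,              # 10 characters
    "lowercase": string.ascii_lowercase,  # 26 characters
    "uppercase": string.ascii_uppercase,  # 26 characters
    "symbols": string.punctuation,        # 32 characters
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(classes) -> int:
    """Number of distinct characters available once the chosen classes are combined."""
    chars = set()
    for name in classes:
        chars.update(CHARACTER_CLASSES[name])
    return len(chars)


def keyspace(length: int, classes) -> int:
    """Number of distinct passwords of exactly this length over the chosen classes."""
    return alphabet_size(classes) ** length


def seconds_to_exhaust(length: int, classes, guesses_per_second: float) -> float:
    """Worst case for the attacker: every combination has to be tried."""
    return keyspace(length, classes) / guesses_per_second


def years_to_exhaust(length: int, classes, guesses_per_second: float) -> float:
    return seconds_to_exhaust(length, classes, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    RATE = 1e9  # assumption: one billion guesses per second
    all_classes = list(CHARACTER_CLASSES)
    print(f"{'length':>6} {'classes':>28} {'combinations':>22} {'years at 1e9/s':>16}")
    for length, classes in ((6, ["digits"]), (6, all_classes), (8, all_classes), (12, all_classes)):
        print(f"{length:>6} {'+'.join(classes):>28} {keyspace(length, classes):>22,} "
              f"{years_to_exhaust(length, classes, RATE):>16.2e}")
```

The jump from a 6-digit PIN to a 12-character password drawn from all four classes is what turns seconds into millions of years at the same guessing rate, which is the basis for the length and character-type rules in 5.1.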
6.2 Potential attacks against fingerprint recognition authentication systems
6.2.1 Attacks on the template database
This type of attack focuses on manipulating the biometric template that is stored inside the database. By doing that, the attacker can delete or even add his own template inside the database and as a result gain unauthorized access to the system.
6.2.2 Fingerprint overtness
In this type of attack the attacker obtains the biometric traits of a legitimate user either by using gelatine fingers that are specifically designed with the user’s fingerprint and body temperature or by cutting off the fingers of the user. The system cannot distinguish whether the fingerprint is from the legitimate user or the impostor.
7.0 Comparison Table
|                   | Password Authentication Systems | Fingerprint Recognition Authentication |
| Cost (Door Locks) | Average of $270 each for a high quality product. $40 each for first time installation and $2500 for the server and the licences every year. | Average of $650 each for a high quality product. $90 each for first time installation and $2000 for the server and the licences every year. |
|                   | Passwords can be stolen | Fingerprints cannot be stolen |
|                   | Passwords are used | Not acceptable by |
|                   | Passwords can be forgotten | Fingerprints cannot be forgotten |
|                   | Passwords can be changed | Fingerprints cannot be |
Both password and fingerprint recognition authentication systems have their advantages/disadvantages and applications. With cyber-attacks and human disaster threats increasing dramatically over the last years, everyone, and especially companies, must protect their confidential data in any way possible. The choice of which system to use can be hard, since security needs money, money needs security and companies need money.
To conclude, assuming a medium size company makes a respectable income each year, has a strong customer base and employs a minimum of 90 employees, then there is no excuse for not using fingerprint recognition authentication systems. As long as the employees accept this biometric system, every room should be protected from physical threats using fingerprint recognition, in particular high priority rooms like the server room. If this company has ~40 rooms then 40*(650+90) + 2000 = $31600 are needed for the first year and then only $2000 for the server licence + ~$2000 for any repairs needed.