A salted hash of a fingerprint, if feasible, would still be an inadequate safeguard. The reason for a salt in a hashed password is to protect large groups of passwords and insecure passwords. The salt, because it is different for each password, means that people can have the same password without that being obvious in a data dump. The salt also makes it less likely that the hashes can just be looked up in a list (a rainbow table). However, if I have *your* salted password and the desire, I can break it. The difference between salted and unsalted is that my work is significantly less useful for breaking into others' accounts after I got into yours.

Fingerprints can be hashed; I hope that happened here. I'm not sure how feasible it is to salt one. In strings, some random chunk needs to be dropped into the string somewhere. Either the fingerprint data needs to have other data added somehow, or the model needs to be serialized and data added to that. If data is added in a fingerprint, it appears to me that that might affect the reliability of a scanning process, producing either false negatives or ways to authenticate with partial prints. If data is added to a serialized string which fits a specific pattern, it would probably be a bit more evident and therefore easier to remove.

Finally, the security afforded by salted hashes is not intended to protect passwords forever. It is meant to limit damage and increase the lead time for an attack, hopefully long enough for the compromised credentials to be identified and revoked. A leak of such data can be used in a number of nefarious ways. Therefore, the distribution of biometric data, or of data used to represent biometric data, is necessarily more dangerous than passwords or hashes.

Guys, you're all thinking about this in entirely the wrong way. The scanner scans the fingerprint and uses some sort of algorithm to create a unique value. It should then be checking that against a local database to say, yep, this is Person X. If it needs to send details that Person X has clocked in or out somewhere else, why is it sending anything related to the fingerprint? It can safely send an employee ID number with the details (clock in/out time) and it has done its job. Encrypt that Employee ID number for sure, but an ID number is not a password, so hashing/salting is not particularly required. The only reason, other than laziness, which I can think of for sending the data elsewhere is that the scanner can't actually do the processing locally (massive failure - means it is sending the fingerprint data externally) or the scanner can't do a simple database look-up (equally stupid failure) to assign the ID to the fingerprint value. There is nothing particularly wrong with using a fingerprint for timekeeping in my view, easier than carrying a badge (although not necessarily more secure), but under no circumstance should anything related to that fingerprint or the algorithm value it generates be leaving the scanner. If it does, then that is extremely poor and well worth the company getting a kicking for putting its staff's biometrics at risk.

Disclaimer. I work for a direct competitor of Kronos, although I'm not aware whether we have customers in that particular jurisdiction. IANAL so I cannot comment on that side of things, but I have written the integration to numerous biometric devices for time capture, both embedded and PC based. This has included fingerprint (multiple technologies with multiple vendors), vein scan, and facial recognition.

Firstly, these biometric templates are not stored as images. It is true that enrollment starts off as a captured image, but the device or SDK will convert that image to a set of measurements. Those measurements are typically a handful of KB in size. They are usually encrypted by the device itself before it gets returned to the software, which must return it later on.

Comparison involves a probabilistic score between the provided finger/hand/whatever and the template. You are looking for a score better than X, where X is determined by what is an acceptable false accept vs false reject rate. Salting doesn't work because you are never expecting an exact match.
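The two points the thread converges on, that template matching is a probabilistic score against a threshold X (so a salted hash of the template can never be compared) and that the scanner should match locally and send only an employee ID, shown as an added Python illustration. This is not code from the thread or from any vendor; the minutia format, tolerances, threshold and all sample values are constructed.

```python
import hashlib
import json
import math

# Constructed example: a template is a handful of measurements (minutia
# points as (x, y, angle)), not an image. This stands in for the scanner's
# local enrollment database.
ENROLLED = {
    "EMP-1042": [(12, 40, 30), (55, 18, 95), (70, 62, 210), (33, 80, 150), (90, 25, 5)],
    "EMP-2077": [(20, 20, 45), (48, 70, 120), (66, 33, 300), (81, 81, 75), (15, 90, 260)],
}

# Constructed probe: the same finger as EMP-1042 scanned again, with small
# sensor noise on each point and one point not captured at all.
PROBE_1042 = [(13, 41, 33), (54, 19, 92), (71, 61, 214), (34, 79, 147)]


def point_matches(a, b, pos_tol=3.0, ang_tol=15):
    """A probe minutia matches a template minutia if close in position and angle."""
    dist = math.hypot(a[0] - b[0], a[1] - b[1])
    ang = abs(a[2] - b[2]) % 360
    return dist <= pos_tol and min(ang, 360 - ang) <= ang_tol


def match_score(template, probe):
    """Fraction of template points found in the probe: a score, never an exact match."""
    hits = sum(any(point_matches(t, p) for p in probe) for t in template)
    return hits / len(template)


def identify(probe, db=ENROLLED, threshold=0.8):
    """Local lookup on the device: best employee ID scoring at least X, else None.
    Only this ID (plus the clock time) needs to leave the scanner."""
    best_id, best = None, 0.0
    for emp_id, template in db.items():
        score = match_score(template, probe)
        if score > best:
            best_id, best = emp_id, score
    return best_id if best >= threshold else None


def salted_hash(template, salt):
    """Salted SHA-256 of a serialized template (illustration only)."""
    return hashlib.sha256(salt + json.dumps(template).encode()).hexdigest()


def hashes_differ(template, probe, salt=b"constructed-salt"):
    """A near-identical probe yields an unrelated digest, so a stored hash
    cannot be used for comparison the way a password hash can."""
    return salted_hash(template, salt) != salted_hash(probe, salt)
```

With the constructed values the noisy probe scores 0.8 against its own template and is identified locally, while its salted hash shares nothing with the enrolled template's hash.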