Is OS authentication more secure when using a fingerprint reader than a (strong) password?
Can that be hacked easily?
By the way, where is the fingerprint stored? On the hardware chip or on the filesystem?
Is that dependent on the reader's hardware?
Is that dependent on the library/OS implementation?
The security of the scanner likely depends largely on the quality of the hardware. I'm guessing most scanners that come with laptops these days are pretty cheap and not intended for high security situations. Even higher quality scanners meant for door locks aren't impervious to fingerprint duplication. This Mythbusters clip proves as much.
Like Harley said though, multiple challenges are always more secure than a single challenge.
The problem with most biometric systems is that they're inherently 'noisy', which requires software to sift through the noise to the true signal. A password is a few bytes where exactness needs to be perfect. A biometric fingerprint, or iris scan, or retina scan, or voice print, all need to have a 'close enough' threshold because biometrics change from day to day or week to week. Defeating such systems takes advantage of the 'close enough' nature of biometric authentication technology.
Because of this, a simple biometric is, in my opinion, less secure than a correctly selected password. And that doesn't even go into implementation details such as signal capture/replay possibilities between the scanner and the authenticator, or easily subverted skin conductivity sensors (lick the paper!).
When used in conjunction with a password, it can enhance security. But as I said, it shouldn't be used instead of a password.
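The 'close enough' threshold described in the answer above, as an added example that is not part of the original post: a simplified model (constructed 256-bit templates compared by Hamming distance, with an assumed 30% per-bit scan noise) that measures false accepts and false rejects at different thresholds, next to an exact password comparison. It is not how any particular reader works.

```python
import hmac
import random

BITS = 256  # size of the constructed feature template (assumption)

def sample(rng, template, flip_prob):
    """Return a noisy reading: each template bit flips with flip_prob."""
    return [b ^ (rng.random() < flip_prob) for b in template]

def distance(a, b):
    """Hamming distance between two bit lists."""
    return sum(x != y for x, y in zip(a, b))

def error_rates(threshold, trials=1000, noise=0.30, seed=1):
    """Return (false_accept_rate, false_reject_rate) for a threshold matcher."""
    rng = random.Random(seed)
    enrolled = [rng.getrandbits(1) for _ in range(BITS)]
    false_accepts = false_rejects = 0
    for _ in range(trials):
        genuine = sample(rng, enrolled, noise)                 # same finger, new scan
        impostor = [rng.getrandbits(1) for _ in range(BITS)]   # unrelated finger
        if distance(enrolled, genuine) > threshold:
            false_rejects += 1
        if distance(enrolled, impostor) <= threshold:
            false_accepts += 1
    return false_accepts / trials, false_rejects / trials

def password_ok(stored: bytes, supplied: bytes) -> bool:
    """A password check has no tolerance: one wrong byte fails."""
    return hmac.compare_digest(stored, supplied)

if __name__ == "__main__":
    # Exact matching (threshold 0) rejects every genuine scan, so the
    # threshold has to be loosened; loosening it far enough to be convenient
    # starts to admit samples that do not come from the enrolled finger.
    for t in (0, 76, 90, 100, 110, 128):
        far, frr = error_rates(t)
        print(f"threshold={t:3d}  FAR={far:.3f}  FRR={frr:.3f}")
```
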
Fingerprints are generally more secure than a password, but it's all relative.
But you know what's more secure than a fingerprint? A fingerprint and a password. Something you have plus something you know is far, far more secure than either alone.
At one point, it was thought to be so. Since that time, there have been several methods developed to defeat the cheaper versions of these scanners.
If it is used as part of a two-factor or multi-factor authentication process, then I believe it will enhance security by raising the difficulty of entry. Here's someone discussing this.
Typically the filesystem. Many scanners simply turn the impression into a hash that is transmitted to the host PC. Kronos Touch ID is a corporate solution meant for use as a timeclock; it stores the data in a Paradox table(!) as a hash, so it's pretty clear where their profit margins are coming from with this device....
There are many readers, each with their own methods. While I can't speak with any authority on this, it seems that "yes" is a pretty good answer to this question.
Again, I think it depends on the type of reader. Some actually transmit more than a hash (the actual fingerprint image), while others don't.
The problem with all biometrics is that when your security material (such as your fingerprints, retina or DNA) is compromised, it's very difficult to change.
Biometrics is a form of identification, not authentication.
Edit: Following up, I found this great article: Authentication and Identification.
Bruce Schneier wrote a great analysis of biometrics where he explores the positives and negatives of using techniques such as fingerprint readers for authentication. He points out that fingerprints are difficult to forge, but they're trivial to steal. Personally, the week I spent locked out of my own server room after I cut my finger badly enough to damage my fingerprint is enough to swear me off fingerprint readers.
I'll come back and edit this URL as soon as I'm not a "new user"
http://www.schneier.com/blog/archives/2009/01/biometrics.html
I personally dislike biometrics quite a bit. If I was shelling out the money for a fingerprint system I'd rather use PKI and password + certificate for ID.
Depending on the application and level of security required, biometrics can have a literally fatal flaw. Let's pretend that the bad guys really want whatever's protected by the security system, and are willing to kidnap and/or kill someone to get it.
Yes, it's pretty easy to hack off a finger from an authorized person and use that to pass the fingerprint reader. Or, the bad guys may put the person under duress and force them to put their finger on the scanner.
On the other hand, a password system can be set up with one password to give access, and another "duress" password to not only deny access, but also call for help if it's entered.
Personally, I don't work on any system that's so important that I'd want to lose a finger over it. If someone wants in badly enough, I don't even want them to be tempted to take my finger...
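One way the access-plus-duress password scheme from the answer above could be checked, as an added example that is not part of the original post. The names `enrol`, `check`, `Outcome` and the `alerts` list (a stand-in for a silent alarm) are hypothetical, and the PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from enum import Enum

class Outcome(Enum):
    GRANT = "grant"
    DENY = "deny"
    DENY_AND_ALERT = "deny_and_alert"   # duress password was entered

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this example)

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def enrol(access_pw: str, duress_pw: str) -> dict:
    """Store salted hashes of both passwords; they must not be equal."""
    if access_pw == duress_pw:
        raise ValueError("duress password must differ from the access password")
    salt = os.urandom(16)
    return {"salt": salt,
            "access": _derive(access_pw, salt),
            "duress": _derive(duress_pw, salt)}

def check(record: dict, supplied: str, alerts: list) -> Outcome:
    candidate = _derive(supplied, record["salt"])
    # Evaluate both comparisons every time so the response time does not
    # reveal which stored password the input was compared against.
    is_access = hmac.compare_digest(candidate, record["access"])
    is_duress = hmac.compare_digest(candidate, record["duress"])
    if is_duress:
        alerts.append("duress password entered")  # stand-in for a silent alarm
        return Outcome.DENY_AND_ALERT
    return Outcome.GRANT if is_access else Outcome.DENY
```

The caller should show the person at the keyboard the same response for `DENY_AND_ALERT` as for an ordinary `DENY`, so that the alarm is not visible on screen.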
How is the fingerprint scanner attached? Does the scanner you are looking at use some kind of encryption between the scanner and computer? If it doesn't, what would stop me from inserting a device between your scanner and your computer and then capturing your fingerprint?
You can't really change your fingerprint. If I can capture a fingerprint in a way that I can simply send the same data again and again then your system is broken.
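A sketch of how a reader-to-host link can reject the "send the same data again" case raised above, as an added example that is not part of the original post. The `Host` and `Reader` classes and the pre-shared `link_key` are assumptions; the HMAC gives authenticity and freshness only, so hiding the sample from a tap on the cable would need encryption on top.

```python
import hashlib
import hmac
import os

class Host:
    """Verifier side: issues one-time challenges and checks the reader's reply."""
    def __init__(self, link_key: bytes):
        self._key = link_key
        self._pending = set()   # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)  # fixed length keeps nonce + sample unambiguous
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, sample: bytes, tag: bytes) -> bool:
        if nonce not in self._pending:
            return False              # unknown or already-used nonce: replay
        self._pending.discard(nonce)  # single use, even if the tag is wrong
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

class Reader:
    """Scanner side: binds each captured sample to the host's fresh nonce."""
    def __init__(self, link_key: bytes):
        self._key = link_key

    def respond(self, nonce: bytes, sample: bytes):
        tag = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        return nonce, sample, tag

def demo():
    key = os.urandom(32)                    # provisioned to both ends (assumed)
    host, reader = Host(key), Reader(key)
    sample = b"constructed-template-bytes"  # constructed stand-in for scan data
    msg = reader.respond(host.challenge(), sample)
    first = host.verify(*msg)               # legitimate reply
    replayed = host.verify(*msg)            # same bytes sent again
    host.challenge()                        # host is now waiting on a new nonce
    stale = host.verify(*msg)               # old capture against new challenge
    return first, replayed, stale
```
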
Fingerprint security is based on biometrics, where the concept is simple: the thumb impressions of all individuals living on this earth are different. The logic is true, but it totally depends on the technology you are using; if the program or hardware malfunctions, then it can be a risk too.