Password 1.0 Introduction. 1 2.0 How the systems work.

and Fingerprint Recognition Authentication Systems



Table of Contents
Introduction. 1
How the systems work. 2
How password authentication systems work. 2
How fingerprint recognition authentication systems work. 2
Security methods used by password authentication systems for protecting its
data. 3
Hash. 3
Salt. 3
Security methods used by fingerprint authentication systems. 3
False Acceptance Rate (FAR). 3
Strengths and weaknesses of each system.. 3
Strengths and weaknesses of password authentication systems. 4
Strengths and weaknesses of fingerprint recognition authentication systems. 4
Potential attacks against the systems. 5
Potential attacks against password authentication systems. 5
Phishing. 5
Brute force attacks. 5
Potential attacks against fingerprint recognition authentication systems. 5
Attacks on the template database. 5
Fingerprint overtness. 5
Comparison Table. 6
Conclusion. 6

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

1.0 Introduction

As humans we can
recognise other humans by their face, voice or even their smell, today computers
are able to identify humans by their unique characteristics too, like face,
iris, fingerprint and more. Until recently, password authentication systems
were dominating the security world until biometric authentication systems were

Most of
the companies have assets like expensive hardware and servers that contain confidential
data of their customers or employees, which are extremely valuable, not only
for money but also for legal issues. These assets should be available for
access and modification only from authorized persons like the system
administrator, but unfortunately that’s not always the case.

protect their assets and decrease the risk of human disaster threat, most
companies use the two most commonly used authentication systems, password and
biometric. This report is focused on password and fingerprint recognition
authentication systems, explains the way the systems work, their security
methods for protecting data and advantages/disadvantages. In addition, covers the
potential attacks that can be executed against them and finally recommends one
of the systems for medium size company.


2.0 How
the systems work

The purpose of both
password and fingerprint recognition authentication systems is to determinate whether
someone is in fact who is declared to be and as a result allow logical or physical
access to that person. To achieve their goal, the systems use different authentication


2.1 How password authentication
systems work

The way password
authentication systems work is by comparing a given username or ID and a password
with the corresponding credentials inside a database that holds all authorized
users and their password. With that authentication method, password
authentication systems have 100% chance of knowing whether someone is a
legitimate user or not.


2.2 How fingerprint recognition
authentication systems work

The first time a user
registers into a server by fingerprint recognition authentication system, a
procedure called enrolment takes place, which translates illuminated images of
the fingerprint into digital code.

the enrolment is complete, if the user wants to get logical or physical access
to the server, must scan their fingerprint again, then the verification
procedure happens, which uses a capacitive scanner that measures their finger
electrically. When a finger is pushed on a surface, the ridges in the
fingerprint touch the surface while the hollows between the ridges stand
slightly clear of it.

A capacitive scanner
builds up a picture of the fingerprint by measuring these distances and then
translates that picture into a digital code, which is finally compared with the
previously stored sample. Even if this comparison is happening in less than a
second, there is no clear answer whether a fingerprint scanned is the same as
the one saved inside the database, but only a percentage of similarity called
authentication threshold of the two samples in term of distance pattern, which
is set by the system administrator.

3.0 Security methods used by password
authentication systems for protecting its data


3.1 Hash                                                                                                                                Password authentication systems are not
saving passwords in the database as clear text but as an irreversible coded
form which is generated using hash algorithms like MD5, SHA-1, etc. Just using
hash algorithms is not enough for a password to be protected, because if two
users have the same password then the hash counterparts would be the same, and
as a result leaving the system more vulnerable to potential attacks. In addition,
if a hacker manages to break through a system he can use a precomputed table
which is reversing cryptographic hash functions named “rainbow table”.


To fix this security
vulnerability, a computer random generated component called salt is added to
the password before is inputted into the hash algorithm, by doing that, every
password in the database is unique even if is identical to another. In
addition, “salting” a hashed password
increases the level of complexity and ensures that any exposed confidential
data will need many years of work for extracting any usable passwords.


4.0 Security methods used by fingerprint
authentication systems


4.1 False Acceptance Rate (FAR)

The false
acceptance rate, or FAR, is the measurement of a possibility that a
biometric authentication system will falsely allow logical or physical access to
an unauthorized person. A system’s FAR is defined as the ratio of the number of
false acceptances divided by the number of identification attempts. For
example, if the FAR is 0.1 percent, on the average two out of 2000 impostors
attempting to breach a system will be successful. In other words, the
probability of an impostor being identified as an authorized person is 0.1
percent. If a system administrator sets the FAR to the lowest possibility he
dramatically decreases the chance of a false acceptance into the system.


5.0 Strengths and
weaknesses of each system

Not a single authentication system in
the world is completely secure, every system has its own strengths and vulnerabilities.
The correct use of each system’s strengths can overcome most of the


5.1 Strengths and weaknesses of password
authentication systems

The main strength that
can be easily turned into a weakness is the length of the password chosen by
the user. A long password increases the total number of combinations that a
hacker must check to find any useful information. For example, a 6-digit
password can have 1,000,000 different combinations. To even increase the
different combinations that a 6-digit password can have, different character
types like uppercase letters, numbers and symbols should be used.

Another advantage that
password authentication systems have, is the ability of a company to apply
password policies that forces the employees to use a “strong” password, for

characters long.

types of characters (uppercase, numbers, symbols).

change at regular intervals (every two months).

not share any password with another person or write them down on a publicly
visible location.

system disables the account after several failed logon attempts.


On the other hand,
password authentication systems carry a lot of weaknesses. Many users take
security lightly and choose “weak” passwords which can be easily cracked or even
guessed. If a company doesn’t apply password policies then the employees might
write their password on their desk or share it with a co-worker, and as a
result making the life easier of unauthorized people who want to damage or
steal from the system. In addition, the easiest way possible for a password to
be stolen is when is inputted into the system, that when an impostor can
physically see the password being typed and eventually steal it.


5.2 Strengths and weaknesses of fingerprint
recognition authentication systems

Unlike passwords,
fingerprints cannot be “forgotten” or written down and are always available
when needed. Every human has its unique features like fingerprints which
automatically denies most of the attacks that can be used against passwords.
Moreover, fingerprint recognition is extremely convenient for a user to use
since it only requires one small movement of the arm. In addition, the very
high accuracy and the relatively low cost comparing to other biometric systems,
makes fingerprint recognition the most used biometric authentication system.

The other side of the
coin, fingerprint readers need to be installed on all machines or doors which
can be cost inefficient. In addition, fingerprint recognition has a medium
acceptability from the people because is related to criminal identification. Moreover, a huge disadvantage is the false
acceptance rate (FAR) which is the percentage of people who can be incorrectly authenticated
as valid users into the system. Finally, unlike passwords, that don’t necessarily need the person to
get hurt so it can be obtained, one of the ways that impostors can get the fingerprint is by cutting the persons finger.


6.0 Potential attacks
against the systems

                In the past, most of the attacks executed on a server were
targeting to damage or even destroy the entire server or sometimes just for
fun. Nowadays, almost all the attacks have one goal, money. By executing a
denial-of-service attack, which can make a machine or network resource
unavailable to its users for a period by interrupting services of a host
connected to the internet, hackers ask money to restore the services back to
normal and the normally get them.

6.1 Potential attacks against password authentication



is one of the easiest forms of cyber-attack for a hacker to execute. Phishing
is most of the times carried out over e-mails by attempting to trick a target
into giving confidential data. The way phishing works is by sending an email to
the target saying that is from the company he is working, and he must update
his old password by clicking the link they provide, if the target clicks on the
link then a bogus website which looks exactly like the legitimate one is opened
but it has not actual functionality rather than stealing the data the target entered.

6.1.2 Brute force attacks

Brute force attack is a
trial and error method used by programs like John the ripper to decode
encrypted confidential data such as passwords, through exhaustive effort. A
brute force program is trying all possible password combinations until it finds
what is searching for. Even though, brute force has 100% of finding what is
searching for, the process might take very long time (even decades for strong


Potential attacks against fingerprint recognition authentication systems


Attacks on the template database

This type of attack is
focusing on manipulating the biometric template that is store inside the
database. By doing that, the attacker can delete or even add his own template inside
the database and as a result have unauthorized access inside the system.

Fingerprint overtness

In this type of attacks
the attacker can obtain the biometric traits of a legitimate user either by
using gelatine fingers that are specifically designed with the user’s
fingerprint and body temperature or by cutting the fingers of the user. The
system cannot distinguish whether the fingerprint is from the legitimate user
or the impostor.



7.0 Comparison Table



Password Authentication Systems

Fingerprint Recognition Authentication

Cost (Door Locks)

Average of $270 each for
high quality product. 40$ each for first time installation and $2500 for the
server and the licences every year.

Average of $650 each for
high quality product. $90 each for first time installation and $2000 for the
server and the licences every year.


Passwords can be stolen

Fingerprints cannot be stolen


Passwords are used

Not acceptable by


Passwords can be forgotten

Fingerprints cannot be forgotten


Passwords can be changed

Fingerprints cannot be



8.0 Conclusion

Both password and fingerprint
recognition authentication systems have their advantages/disadvantages and
applications. With cyber-attacks and human disaster threats increasing
dramatically over the last years, everyone and especially companies must
protect their confidential data with any way possible. The choice of which
system to choose can be hard since security needs money, money need security
and companies need money.

To conclude, assuming a
medium size company makes a respectable income each year, has a strong customer
base and is employing a minimum of 90 employees, then there is no excuse of not
using fingerprint recognition authentication systems. As long as the employees accept
this biometric system, then every room should be protected from physical threats
using fingerprint recognition, in particular high priority rooms like the server
room. If this company has ~40 rooms then 40*(650+90) + 2000 = $31600 are needed
for the first year and then only $2000 for the server license + ~$2000 for any repairing