While shopping for a USB fingerprint scanner for my PC, I found two types:
*match-on-host*, which lets the computer read the fingerprint scan’s data to verify your biometrics,
and *match-in-sensor*, which verifies your biometrics in the scanner itself then tells the computer that it succeeded.
Wouldn’t it be possible to make a USB device pretending to be a fingerprint scanner which responds to the computer’s request to scan with a pre-programmed success response? There must be some way for the computer to know whether a fingerprint scanner actually verified a fingerprint other than simply receiving a “yes it matches,” or it would be trivial for a bad actor to make a master key for any computer with biometric login and a USB port.
Does the computer store a digital key on the fingerprint scanner to confirm it’s the same hardware that the biometrics were originally set up with? Or vice versa?
In: Technology
Normally some type of cryptographic data would correspond to a particular fingerprint, but it’s always going to be up to the device to not lie about which “key” was a match when scanning a particular finger.
Using the crypto method prevents other people from spoofing, but AFAIK there’s no way to reliably tie a specific fingerprint to some other kind of data that a device *can’t* lie about.
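Added example, not part of the question or answer above: a simplified Python sketch of the keyed challenge-response idea the answer describes, showing why a canned "it matches" reply is rejected. The class names, the shared HMAC key provisioned at enrollment, and the byte strings standing in for fingerprints are assumptions for illustration; real scanners use their own protocols.

```python
import hashlib
import hmac
import secrets

class MatchInSensorScanner:
    """Hypothetical sensor: keeps the template and a per-device key internally."""
    def __init__(self, device_key: bytes, enrolled_template: bytes):
        self._key = device_key
        self._template = enrolled_template

    def verify(self, nonce: bytes, presented_finger: bytes):
        # Byte comparison is a stand-in for real biometric matching.
        matched = hmac.compare_digest(presented_finger, self._template)
        result = b"MATCH" if matched else b"NOMATCH"
        # The result is bound to the host's fresh nonce with the device key.
        tag = hmac.new(self._key, nonce + result, hashlib.sha256).digest()
        return result, tag

class Host:
    """Hypothetical host side: holds the key shared with the scanner at enrollment."""
    def __init__(self, device_key: bytes):
        self._key = device_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh per login attempt

    def accept(self, nonce: bytes, result: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, nonce + b"MATCH", hashlib.sha256).digest()
        # This proves the keyed device said MATCH for this nonce. As the answer
        # notes, the host still has to trust that device not to lie.
        return result == b"MATCH" and hmac.compare_digest(tag, expected)

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed; assumed provisioned at enrollment
    scanner = MatchInSensorScanner(key, b"enrolled-finger")  # constructed template
    host = Host(key)

    n1 = host.new_challenge()
    r1, t1 = scanner.verify(n1, b"enrolled-finger")
    n2 = host.new_challenge()
    r2, t2 = scanner.verify(n2, b"other-finger")
    return {
        "genuine": host.accept(n1, r1, t1),
        "recorded_reply_on_new_nonce": host.accept(n2, r1, t1),
        "device_without_key": host.accept(n2, b"MATCH", bytes(32)),
        "wrong_finger": host.accept(n2, r2, t2),
    }

if __name__ == "__main__":
    print(demo())
```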