While shopping for a USB fingerprint scanner for my PC, I found two types:
*match-on-host*, which lets the computer read the fingerprint scan’s data to verify your biometrics,
and *match-in-sensor*, which verifies your biometrics in the scanner itself then tells the computer that it succeeded.
Wouldn’t it be possible to make a USB device pretending to be a fingerprint scanner which responds to the computer’s request to scan with a pre-programmed success response? There must be some way for the computer to know whether a fingerprint scanner actually verified a fingerprint other than simply receiving a “yes it matches,” or it would be trivial for a bad actor to make a master key for any computer with biometric login and a USB port.
Does the computer store a digital key on the fingerprint scanner to confirm it’s the same hardware that the biometrics were originally set up with? Or vice versa?
Take this product spec manual for example:
[https://az31609.vo.msecnd.net/literature/3caadb6a-4675-4821-b063-47d36ca98154.pdf](https://az31609.vo.msecnd.net/literature/3caadb6a-4675-4821-b063-47d36ca98154.pdf)
The product claims SSLv3 for secure session establishment and TLS1.2 for secure communication.
I assume each scanner has a unique TLS certificate and on-sensor private key; this prevents MITM attacks if the Windows Biometrics service requires previously enrolled fingerprint authentication results to come from the same hardware, signed by the same certificate’s private key, which I assume it would.
To make it somewhat ELI5, asking the sensor for results is similar to connecting to a banking website using HTTPS: the host checks the certificate the site/device presents for authenticity and will only trust certificates signed by trusted CAs, or previously explicitly trusted certificates (during enrollment).
I didn’t check the WBS implementation details; the above is only speculation.
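To make the "pin the sensor at enrollment, then only trust signed results" idea concrete, here is an added example; it is not from the original post and is not Windows Biometric Framework code. It replaces the TLS handshake the answer speculates about with the simplest equivalent: a hypothetical match-in-sensor device holds an Ed25519 private key that never leaves it, the host pins the matching public key once during enrollment, and every later "did it match?" query carries a fresh random nonce that the sensor must sign along with its verdict. The `Sensor`, `Host`, `Verdict` types and the `Enroll`/`Challenge`/`Respond`/`Accept` functions are all invented for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sensor models a hypothetical match-in-sensor device. The private key is
// generated on the device and never leaves it; only Pub is shown to the host.
type Sensor struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSensor "manufactures" a device with its own unique key pair.
func NewSensor() (*Sensor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sensor{priv: priv, Pub: pub}, nil
}

// Verdict is the sensor's signed answer to one host challenge.
type Verdict struct {
	Nonce   []byte
	Matched bool
	Sig     []byte
}

// verdictBytes is the exact byte string that gets signed: nonce || match flag.
// Binding the nonce into the signature is what stops replay of an old "yes".
func verdictBytes(nonce []byte, matched bool) []byte {
	flag := byte(0)
	if matched {
		flag = 1
	}
	return append(append([]byte{}, nonce...), flag)
}

// Respond signs the device's verdict for the host's fresh nonce.
func (s *Sensor) Respond(nonce []byte, matched bool) Verdict {
	msg := verdictBytes(nonce, matched)
	return Verdict{Nonce: append([]byte{}, nonce...), Matched: matched, Sig: ed25519.Sign(s.priv, msg)}
}

// Host keeps the public key it saw during enrollment (trust on first use).
type Host struct {
	pinned ed25519.PublicKey
}

// Enroll pins the sensor's public key; a real host would store this alongside
// the enrolled biometric template.
func (h *Host) Enroll(s *Sensor) { h.pinned = s.Pub }

// Challenge produces a fresh 16-byte nonce for one authentication attempt.
func (h *Host) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

var (
	ErrNotEnrolled  = errors.New("no sensor pinned on this host")
	ErrReplay       = errors.New("verdict nonce does not match the challenge")
	ErrBadSignature = errors.New("verdict not signed by the enrolled sensor")
	ErrNoMatch      = errors.New("sensor reported no match")
)

// Accept is the host-side check: a bare "yes it matches" is worthless unless
// it is bound to our nonce and signed by the key pinned at enrollment.
func (h *Host) Accept(nonce []byte, v Verdict) error {
	if h.pinned == nil {
		return ErrNotEnrolled
	}
	if !bytes.Equal(nonce, v.Nonce) {
		return ErrReplay
	}
	if !ed25519.Verify(h.pinned, verdictBytes(v.Nonce, v.Matched), v.Sig) {
		return ErrBadSignature
	}
	if !v.Matched {
		return ErrNoMatch
	}
	return nil
}

func main() {
	genuine, _ := NewSensor()
	rogue, _ := NewSensor() // a look-alike device with its own key, never enrolled
	host := &Host{}
	host.Enroll(genuine)

	nonce, _ := host.Challenge()
	fmt.Println("genuine sensor:", host.Accept(nonce, genuine.Respond(nonce, true)))
	fmt.Println("rogue 'always yes' device:", host.Accept(nonce, rogue.Respond(nonce, true)))
}
```

The four failure paths in `Accept` are the ones the question worries about: a device that was never enrolled, a replayed verdict from an earlier session, a verdict whose `Matched` flag was flipped after signing, and a cloned device that signs with its own key. All of them are rejected on the host without the host ever seeing fingerprint data, which is the match-in-sensor property the original question describes.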