Monday

UPEK Fingerprint Login Security Not So Hot

A very widely used fingerprint login technology, available on a wide range of laptop models from major manufacturers, is apparently pretty useless as far as keeping your login information away from prying eyes. Your Windows login allows the bad guys to access your stuff and to potentially bypass any on-disk encryption you may have.




The problem, simply put, is a couple of things. First, when you set up the fingerprint access to your computer, you need to supply your username and password of course. The information is then stored in an encrypted format; but, apparently because of encryption restrictions in some countries, the method used is very weak (the lowest common denominator, if you will). So weak, that if the location of the data is known, it should be trivially easy to decrypt it - to expose the information.


This is A Bad Thing.


The location of that login data is now known, thanks to various articles about this issue, so this becomes a very real concern for those who may be using this method of logging in. Pending some kind of update of the method of encryption, the general advice is to stop using this type of login for now.


It's not that the idea of a biometric login is intrinsically bad or faulty, but the implementation here seems to be a real problem for now.
ArsTechnica

No comments :