• Are fingerprint readers useful?

    #2262355

    I am thinking of buying a fingerprint reader. I am guessing that they come with some built in sw that both knows how various sites handle passwords, and can read data from a password keeper. Correct? I have 215 passwords in KeePass. What I am wondering is how many of those sites a reader will communicate with properly, and also read the info from KeePass or an export therefrom. An explanation of how this all works and / or practical experience would help to clarify my choices. Spending $C100 and then finding that the reader only works for a small fraction of my 215 would be very annoying!

    • #2262377

      I am thinking of buying a fingerprint reader. I am guessing that they come with some built in sw that both knows how various sites handle passwords, and can read data from a password keeper. Correct?

      A fingerprint reader just lets you unlock your device (PC, smartphone...) and has nothing to do with passwords, web sites...
      You can, however, guard access to password keepers, like a KeePass database, using a fingerprint reader.

      https://keepass.info/plugins.html#winhello

      There are some USB Biometric Password Managers.

      • #2262378

        The fingerprint reader on my iPhone not only unlocks the phone, it logs me in to some of my sites that have fingerprint login activated.

    • #2262391

      The fingerprint reader on my iPhone not only unlocks the phone, it logs me in to some of my sites that have fingerprint login activated.

      The sites do so only after iOS has verified your identity. The sites have no access to your fingerprints.
      The sites invoke identity verification from iOS. iOS presents the fingerprint or PIN screen, identifies you and sends an OK token to the site, which lets you log in automatically.
      If, for instance, you change the user password for your site using the web, the next time you use the fingerprint to log in you will first have to enter the new user password for the site.

      I log into my bank with FaceId.

    • #2262399

      PKCano and Alex5723,

      In your experience, what fraction of sites requiring passwords accept the fingerprint reader / OS OK token? 10%, 50% or 90%?

      • #2262471

        That is probably an Apple-specific thing.  I don’t know that you could use that with a non-Apple device.

        I have a fingerprint reader on my Asus F8SN laptop from years ago, and it was mostly intended to be used to log into Windows.  If the password store for the browser was encrypted, they would be accessible via the fingerprint.

        Once I was logged in to Windows, it was possible to swipe the fingerprint again and get some kind of a login thingy for various websites.  I never used it, so I am not aware of the specifics, but it did not use any kind of token or anything like that.  It would enter the password into the site by whatever means, with the site not knowing that fingerprints were involved in any manner.

        Fingerprints are a poor replacement for manually-entered strong master passwords.  They can be compromised in several ways, and once they are, you can’t just change your fingerprint like you would a password.  Biometrics can be an additional factor in multifactor authentication, but it is well accepted that they are not a replacement for passwords.

        My Acer Swift has a fingerprint reader too, but its makers did not make a Linux driver, so it does nothing.  I would not use it in lieu of my strong encryption password, but along with it, if it had a driver.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        1 user thanked author for this post.
    • #2262401

      To the original question on fingerprint usefulness, I would add these related questions that have bothered me enough not to use fingerprint readers in order to login into any computer so equipped I’ve ever had:

      What happens after one cuts the “login” finger and puts a band aid on it? And if the cut leaves a scar big enough to confuse the reader’s software? Can one, usually, save more than one fingerprint, to use as backup in such a situation? Is it known if some fingerprint scanning applications don’t save more than one print?

      I could have experimented to find out, of course, but I am not keen on making experiments with possibly irreversible bad consequences, so I have not.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #2262474

        What happens after one cuts the “login” finger and puts a band aid on it? And if the cut leaves a scar big enough to confuse the reader’s software? Can one, usually, save more than one fingerprint, to use as backup in such a situation? Is it known if some fingerprint scanning applications don’t save more than one print?

        The fingerprint software I have used allows (and encourages) enrollment of all ten fingers, so you could use any of them if you did that (which would also mean any finger’s print lifted could compromise the device).  Using the account password is always an option too, so if the reader malfunctioned, you would not be in trouble.

        My experience with fingerprint readers is limited to Windows XP, 7, and 8, and just a little in Linux. I’ve never used one on a mobile device or Mac.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        1 user thanked author for this post.
    • #2262413

      My introduction to fingerprint readers was in 2008 at an hourly job where everyone had to punch in & punch out.  On my first day, the boss put it in ‘read’ mode and had me do 5 ‘views’ each of 3 different fingers.  That gave the reader multiple choices to verify me as well as allowed me to use different fingers.  Naturally, I used my universal symbol of peace, joy and unity on both hands plus the index finger of my right hand, which was most convenient to use when punching in.

      Everyone had problems with that reader, and after about 3 years, they replaced it with a palm print reader instead, which was far more accurate and got it right on first try vs 3-5 or more tries with a single fingerprint.

      However, when I bought a new gun safe 5 years ago, I opted for a fingerprint model.  That way, I could open it in the dark, if need be.  The directions clearly state that I should do at least 5 ‘recordings’ of 2 or more fingers.  That way, it, too, can handle times when my finger is slightly angled, or too far up or down, rolled to one side, etc.  Naturally, when I got it, the first finger I recorded was the one finger salute, then the index finger.

      I think I made 6 or 7 scans of each finger.  But I still had problems getting it to unlock and it took 3 to 5 tries for it to open.  Then I discovered if I rub my fingerprint finger along the side of my nose to get it a little oily, it opens the safe first try almost every time!  Isn’t technology great!

      I, for one, will never use a fingerprint to unlock my laptop (it came with a built in reader) or cell phone.

      First, I don’t do any banking or any other money-based activity on either device.  So if I lose it or it’s stolen, I’m out $200 or so.  So what.  The passworded sites I visit on those devices have annual subscriptions that I pay when I’m on my home computer.

      Secondly, I strongly suspect that the ‘normal’, automatic, and mostly unknown to the user, cloud-based backup and recovery capabilities of  my cell phone would naturally backup my fingerprint as well.  That way, should I lose the phone, it can transfer everything to my new phone and I’m ‘good to go’.  Why would I want yet another copy of my finger(s) somewhere that may not have sufficient security.

      Multiple law enforcement agencies have a full set of my fingerprints as I have a Massachusetts license to carry concealed weapons.  I don’t know if Massachusetts goes so far as checking my prints against Interpol, but I do know they check out my prints with the FBI in addition to the ‘main’ law enforcement computer in Massachusetts.  As far as I know, MA is second to New York for doing the most complete, stringent background check for all LTC permitted, non-LEO residents.

      I take protecting my privacy to extreme levels.  I’m greatly upset that to get a drivers license with the ‘verified’ star on it (whatever they call that waste), I not only had to produce a number of documents proving who I am, but they scanned each one into their computer at the RMV.  I have little faith that the computers at the RMV are as securely protected from hackers as are LEO computers or the IRS.  A hacker with any smarts could break into the RMV computer, get 3-4 million well documented citizens information, and do very well opening new credit cards in my name, etc.

      1 user thanked author for this post.
    • #2262477

      Thanks for all the advice – but not getting to the root of my question.  What I am trying to get a best estimate of is how many of these sites I routinely log onto – like, my bank, Microsoft, FileZilla, Crucial, Corel, Evernote, FedEx, . . . . will be serviced by a fingerprint reader? Obviously I don’t expect anyone to go through my list, but I am just trying to get a sense of the extent of this function.

      • #2262505

        Well, I tried to address that in my reply above, but I guess I am not quite getting what you are asking. What would you like to use the fingerprint reader to do?

        The fingerprint reader is nothing but a little scanner that generates an image of the fingerprint.  Until some specialized software takes that image and compares it to reference images for the person in question (kind of oversimplifying here) and establishes that the print either does or does not belong to the person in question, it’s not very useful.  That software could be an add-on, installable program, as it was with my Windows XP and Windows 7 installations, or it could be part of the OS itself, as it is in Windows 10.

        What that software does with that information (meaning “yes, this fingerprint belongs to the person in question”) depends on the software itself.  Windows 10 can natively use the fingerprint reader to log on to Windows, for example, and all of the fingerprint reader programs I’ve used have allowed that as well.

        If you want to use the fingerprint reader to log in to web sites, that’s where it gets a little bit harder without knowing exactly what your expectations or desires are.  Web sites are not aware of the existence of a fingerprint reader on your PC, and without some proprietary API that would let it work to exchange security tokens with sites, which it sounds like Apple has for some sites that have adopted Apple’s technology, the way it is going to work is as part of a password manager program.

        Password managers can be built into the browser, installed as an extension, or standalone programs (and often they’re both of the last two).  In order to prevent unwanted leakage of the info within the manager, it would be necessary to encrypt the data.  This encryption can be managed by the OS, like if you used Windows’ EFS (encrypting file system) to encrypt the password store.  In that case, the act of logging into the Windows account unlocks the encrypted files on the hard drive/SSD.  The fingerprint reader can be used to log into Windows, so in that sense, all the sites whose data is within the password manager will be served by it.

        Password managers also have the capability of encrypting themselves, usually.  The one built into Firefox will salt and hash your master password, and use that salted hash as the encryption key for the password store.  No one who does not know the master password will be able to see any of the passwords inside.

        To unlock the password store, you’d have to enter your master password when prompted by the browser, however you would have that set up.  You could have it remain unlocked for the rest of that browser session, or you could have it re-lock after a specified amount of time, requiring you to provide the master password again before accessing the password store.

        I am not sure if the fingerprint reader software has the ability to enter the master password into Firefox.

        I use Firefox as an example because I’m not very familiar with anything else, btw.  I don’t know what Chrome, Edge, or Safari do.

        It’s quite possible that the fingerprint software has a password manager function (and certainly I would expect the major password manager programs to be able to use the fingerprint reader too).  In those cases, the swipe of the finger can unlock the password store.  It could also do other things, but without studying the software itself to see what it offers, there’s no way to know.

        The gist of this is that the fingerprint reading and authentication is not happening at the web site level.  It’s happening in your local system (your PC), which can then use the password manager function to log into various sites for you. The fingerprint reader talks to the fingerprint software (built into Windows or otherwise), and that software fills in your passwords for you on websites.  The exact details depend on how you want to set it up and which programs you’re using.

        Just about all of the web sites, if not all of them completely, should work with the password manager.  Some sites direct the browser to not allow pasting of data into the password field, but password managers have ways around this. They can often simulate the user typing the password in on the keyboard, for example, so the browser would never know it wasn’t actually typed.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #2262507

      I used to use a fingerprint reader to unlock KeePass, but it only typed my master password so it was merely convenient.

      I would never rely on a fingerprint reader to secure my passwords because you only need to lose the PC that has the reader to be without your passwords. Passwords need to be portable and recoverable with ease.

      Why not use the quick unlock plug-in if you want convenience?

      cheers, Paul

      • #2262521

        I would never rely on a fingerprint reader to secure my passwords because you only need to lose the PC that has the reader to be without your passwords. Passwords need to be portable and recoverable with ease.

        If you mean that you should never put yourself in a situation where the fingerprint reader is necessary to unlock the password store, I certainly agree with that.  Even if the fingerprint reader is used as a 2FA, there has to be an alternate way of getting in there that does not require the reader.  It’s not just the possibility of the PC with the reader being stolen, but also that the reader could malfunction.  If you have dry or calloused hands, sometimes the reader just won’t work.  Fingerprint readers can be temperamental and annoying.

        Even if someone insists on using a fingerprint reader with no plan B on that device, it may well be possible to sync the passwords with another device that does not have a fingerprint reader.

        If you use the fingerprint reader to log in to Windows, and you have some kind of encryption that unlocks when you do that, then you’re still fine, as the option to log in with the password is still there, at least in the setups I used.  You could use a fingerprint, but you were not obligated to do so.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
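The arrangement described in the two replies above (a store encrypted under a key derived from the salted master password, with the fingerprint as a convenience and the password as the fallback), as an added Node.js example that is not code from any poster, Firefox or KeePass. The two key slots, scrypt, AES-256-GCM and all function names are assumptions chosen for illustration; the fingerprint match is simulated by a boolean.

```javascript
// Added illustration: a password vault with two "key slots" (hypothetical design and names).
const crypto = require('node:crypto');

// AES-256-GCM helpers: seal() returns iv + tag + ciphertext; unseal() throws on a wrong key.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Salt and stretch the master password into a 256-bit key.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

function createVault(masterPassword, entries) {
  const dataKey = crypto.randomBytes(32);   // random key that actually encrypts the entries
  const salt = crypto.randomBytes(16);
  const deviceKey = crypto.randomBytes(32); // stands in for a key kept by the OS or secure hardware
  const vault = {
    salt,
    passwordSlot: seal(deriveKey(masterPassword, salt), dataKey), // portable: works on any PC
    deviceSlot: seal(deviceKey, dataKey),                         // convenience: this PC only
    entries: seal(dataKey, Buffer.from(JSON.stringify(entries))),
  };
  return { vault, deviceKey };
}

function unlockWithPassword(vault, masterPassword) {
  const dataKey = unseal(deriveKey(masterPassword, vault.salt), vault.passwordSlot);
  return JSON.parse(unseal(dataKey, vault.entries).toString());
}

// The reader software only answers "match" or "no match"; on a match the platform
// releases deviceKey. The fingerprint itself is never part of the encryption.
function unlockWithFingerprint(vault, deviceKey, fingerprintMatched) {
  if (!fingerprintMatched) throw new Error('fingerprint not recognised');
  const dataKey = unseal(deviceKey, vault.deviceSlot);
  return JSON.parse(unseal(dataKey, vault.entries).toString());
}

function demo() {
  const master = 'correct horse battery staple'; // constructed sample values throughout
  const { vault, deviceKey } = createVault(master, { 'bank.example': 'constructed-sample-pw' });
  const attempt = (fn) => { try { return fn()['bank.example']; } catch { return 'rejected'; } };
  return {
    fingerprint: attempt(() => unlockWithFingerprint(vault, deviceKey, true)),
    noMatch: attempt(() => unlockWithFingerprint(vault, deviceKey, false)),
    password: attempt(() => unlockWithPassword(vault, master)),
    wrongPassword: attempt(() => unlockWithPassword(vault, 'wrong guess')),
    // The PC with the reader is gone: a backup copy of the vault has no usable
    // device slot, but the master password still opens it.
    afterLosingPc: attempt(() => unlockWithPassword({ ...vault, deviceSlot: null }, master)),
  };
}

console.log(demo());
```
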

    • #2262631

      Thanks for all the input folks. I have learned or confirmed much of the technical background from your inputs.

      In terms of practical experience about accessing sites without having to enter a password, I see  PKCano says it “not only unlocks the phone, it logs me in to some of my sites” – which is good to know, but whether “some” is 10% or 90% is not clear.  A quote from a bestbuy blurb on the Bio-Key HW-3000100 perhaps provides more insight:

      “Use EcoID and Windows Hello to access your device and soon, your favorite applications and websites with a simple touch. Using EcoID and Windows Hello, customers will be able to use their fingerprint to sign-in to websites and applications using FIDO 2.0/W3C Web Authentication specification.” (My bolding)

      So it seems that what I am looking for is only available in a limited way now, but is coming “soon”. I think I will revisit this topic in six months or a year’s time.

      Thanks again for your inputs – I have not “Thanked” any individual replies cos I cannot see how to!

      1 user thanked author for this post.
      • #2262632

        More information:

        I have downloaded each site’s app from the App Store and it is through the app that the fingerprint is recognized in place of a password. You have to enable it in the app.

        Perhaps the way to answer your questions is for you to see if the sites you use have an app for your phone’s OS that includes fingerprint recognition.

      • #2262926

        “not only unlocks the phone, it logs me in to some of my sites” – which is good to know, but whether “some” is 10% or 90% is not clear.

        A quote from a bestbuy blurb on the Bio-Key HW-3000100 perhaps provides more insight: “Use EcoID and Windows Hello to access your device and soon, your favorite applications and websites with a simple touch. Using EcoID and Windows Hello, customers will be able to use their fingerprint to sign-in to websites and applications using FIDO 2.0/W3C Web Authentication specification.”

        Interesting.  I had not heard of “FIDO” before, but it looks like an attempt to launch a standardized way to use biometric authentication without using a password as a go-between. That wasn’t a thing, as far as I know, when I set up my fingerprint reader on my F8SN.  The FIDO site has a list of some entities that have deployed it.  Most of them seem to be built into mobile apps rather than web sites on a desktop. The blurb cited above does say that the reader in question has software that is FIDO compliant, but how useful that is on a Windows PC remains an open question.

        I’m not sure what it would take to integrate a fingerprint reader into a browser such that it could work directly with something like FIDO.  Perhaps the extensions that Firefox and Chrome now use would be able to do it, but I don’t know.  They’re deliberately restricted from a lot of things for security purposes, and fooling around with hardware access and passwords could be one area that they don’t want addons getting into.  It could be that the support for the fingerprint reader software’s FIDO APIs has to be built into the application (the browser, in this case), which would explain why it’s certain mobile apps that have that ability. When or if that ability would come to Firefox or Chrome natively, or if it would need to, is anyone’s guess.

        I’ve already mentioned my own dim view of the practice of using biometrics instead of manually-entered passwords, but if you are still interested in this, you can still set it up such that you never have to enter any password yourself, whether or not the site supports FIDO.

        The FIDO site mentions the “password problem,” and it lists reuse of passwords and other related things as part of that problem.  Those are not really problems with the concept of passwords, per se, but of the idea that people should remember them.  If you use strong, unique passwords for each site, which is a really good idea, it’s impossible to remember them all for regular humans.  To me, the answer is not to eliminate passwords, but to stop trying to remember them yourself.  Computers are great at remembering those sorts of things, so why not use it for that?

        A password manager can do the work for you, and when you use one, you don’t ever have to enter or even see the passwords yourself.  I haven’t seen the majority of my passwords; I wouldn’t begin to be able to tell you what they are.  They’re randomly generated and entered into the web form at the time I create an account at any given site, and from that point forward, are stored in the password manager and entered automatically as needed.

        The password store is encrypted, and as long as that encryption holds, no one can get at my passwords.  The strength of that encryption is related to the strength of my master password.  Whether that master password is in the form of the Windows login or in the password manager itself, its security depends on any would-be bad actors from being able to brute force or guess the master password.  It still needs to be a strong password, but you only need to remember one of them, rather than trying to remember dozens of them, as well as which sites they correspond with.

        That’s the method I use.  I have encrypted data volumes on all three of my “main” PCs, and my password store is on that volume.  At boot time, my PCs ask for the encryption password, and I enter that.  That unlocks the encrypted volume, and along with it, the password store.

        There are other ways of accomplishing the same thing.  If you use a password manager that can work with the fingerprint reader, or if the fingerprint reader software has its own password manager, you can use that fingerprint in lieu of a password, though it’s still very important to have an actual password to get in also, as fingerprint readers can fail.

        In practice, this can work much the same as directly using a fingerprint to log into a given web site. You can have the password manager set to re-lock after each use, so the effect would be that if you want to log into site A, you’d go to that site, the login screen would appear, and the password manager would prompt you to scan your fingerprint.  When you did that, the password manager would unlock, allowing it to enter your password for site A.  After a minute or so, or however long you set the locking timeout, the password manager would lock again, and the next time you need to log into a site, you’d have to scan the finger again.

        That’s just a rough guide, as there are a lot of different nuances about how you set it up and how it all can work, with varying degrees of security and convenience.  In this model, it’s really the password manager that does the heavy lifting… all the fingerprint reader does is remove the need for typing the master password (whether that be a dedicated master password in the password manager, a Windows password that also locks the password store, or some other thing).  This works with all sites, including the large majority of them that do not and will never support FIDO.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        1 user thanked author for this post.
        • #2262932

          I’m not sure what it would take to integrate a fingerprint reader into a browser such that it could work directly with something like FIDO.  Perhaps the extensions that Firefox and Chrome now use would be able to do it, but I don’t know.  They’re deliberately restricted from a lot of things for security purposes, and fooling around with hardware access and passwords could be one area that they don’t want addons getting into.  It could be that the support for the fingerprint reader software’s FIDO APIs has to be built into the application (the browser, in this case), which would explain why it’s certain mobile apps that have that ability. When or if that ability would come to Firefox or Chrome natively, or if it would need to, is anyone’s guess.

          Microsoft Edge has included FIDO2 support for nearly two years:

          You should now be able to sign into websites on Edge using your face, fingerprint, a PIN, or a FIDO 2 security key.
          Microsoft Edge gets Web Authentication specification support

          Web Authentication and Windows Hello [Microsoft Edge documentation]

          Probably other browsers too:

          Supported Natively Across Browsers and Platforms
          Supported in Windows 10 and Android platforms, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) web browsers.
          https://fidoalliance.org/what-is-fido/

          1 user thanked author for this post.
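What a FIDO2/Web Authentication sign-in of the kind discussed in the replies above sends to a site, as an added Node.js simulation that is not part of any post and not Microsoft's or the FIDO Alliance's code. The site name, origins and helper functions are constructed for illustration, and registration (CBOR/COSE encoding of the public key) is left out; the fingerprint match is a boolean that never leaves the authenticator.

```javascript
// Added illustration: WebAuthn-style assertion, both sides simulated (hypothetical names).
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Authenticator (phone, Windows Hello, security key): holds a private key per site.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  return {
    publicKey, // the only thing the site stores at registration
    getAssertion(rpId, clientDataJSON, fingerprintMatched) {
      // Flag bits: 0x01 = user present, 0x04 = user verified (set only on a local match).
      const flags = 0x01 | (fingerprintMatched ? 0x04 : 0);
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(++signCount);
      const authenticatorData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([flags]), counter]);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { authenticatorData, clientDataJSON, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Browser: records the challenge and the origin it is actually talking to.
function browserClientData(challenge, origin) {
  return Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
}

// Site (relying party): every check must pass before the user is logged in.
function verifyAssertion({ authenticatorData, clientDataJSON, signature }, expected) {
  const client = JSON.parse(clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!authenticatorData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'rpId mismatch';
  const flags = authenticatorData[32];
  if (!(flags & 0x01)) return 'user not present';
  if (!(flags & 0x04)) return 'user not verified';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, expected.publicKey, signature)) return 'bad signature';
  if (authenticatorData.readUInt32BE(33) <= expected.lastSignCount) return 'counter did not advance';
  return 'ok';
}

function runScenarios() {
  const site = { rpId: 'bank.example', origin: 'https://bank.example' }; // constructed
  const authenticator = makeAuthenticator();
  const login = (origin, matched) => {
    const challenge = crypto.randomBytes(32); // fresh per login attempt
    return { challenge, assertion: authenticator.getAssertion(site.rpId, browserClientData(challenge, origin), matched) };
  };
  const check = (assertion, challenge) =>
    verifyAssertion(assertion, { ...site, challenge, publicKey: authenticator.publicKey, lastSignCount: 0 });

  const good = login(site.origin, true);
  const noFinger = login(site.origin, false);
  const lookalike = login('https://bank.example.lookalike.test', true);
  const tampered = { ...good.assertion, authenticatorData: Buffer.from(good.assertion.authenticatorData) };
  tampered.authenticatorData[36] ^= 0xff; // alter the signed data after signing
  return {
    genuine: check(good.assertion, good.challenge),
    replayed: check(good.assertion, crypto.randomBytes(32)),
    noFingerprintMatch: check(noFinger.assertion, noFinger.challenge),
    lookalikeOrigin: check(lookalike.assertion, lookalike.challenge),
    tampered: check(tampered, good.challenge),
    fieldsSentToSite: Object.keys(good.assertion).join(','),
  };
}

console.log(runScenarios());
```
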
    • #2262804

      accessing sites without having to enter a password

      This is not a good idea IMO. What happens if you leave your PC unattended and someone wanders up and logs into your stuff?

      cheers, Paul

    • #2272181

      I have a little bit different problem with fingerprint readers. My fingerprints have pretty much worn off. From washing my hands for many years I’m guessing. The state police couldn’t do a background check on me after a couple of tries taking my fingerprints and they finally gave up and did the check with my SSN and other personal information. I can’t unlock an iPhone that uses fingerprint, and the fingerprint reader I had for a while was useless. All those things work for me unpredictably probably about every 10 or 20 tries. Ugh.

      1 user thanked author for this post.
    • #2272728

      The Pixel phone from Google has a fingerprint reader.  It works well.  It unlocks the phone.  Many sites, like Chase Bank, American Express, and others allow fingerprint sign in from their own App.  On a PC, I use eWallet which jumps to the desired site and puts in the password and userid for me.  I have no need for a fingerprint reader on the PC as long as I have that.

    • #2272740

      This solution would have been excellent for all users except that where I live (India), many sites like banks, financial institutions etc., while asking to change the password every 60 or 90 days, accept a password only if it meets their standards. Some specify a particular pattern of numerical and special characters, some ask for interchanging caps and lower case etc. I wonder if any password managers would be able to comply with such requirements from each and every web site unless they employ a high Artificial Intelligence to study the requirement and meet the need?

      • #2272792

        Password managers usually have a way to generate passwords that meet specific criteria, but it has to be manual.

        Forced password changes and arbitrary rules are a dumb idea and should not be used.

        cheers, Paul

      • #2273101

        Here’s this again… I posted this before, and it’s not here.  Nothing offensive or off-topic about it, so (??)

        This solution would have been excellent for all users except that where I live (India), many sites like banks, financial institutions etc., while asking to change the password every 60 or 90 days, accept a password only if it meets their standards. Some specify a particular pattern of numerical and special characters, some ask for interchanging caps and lower case etc. I wonder if any password managers would be able to comply with such requirements from each and every web site unless they employ a high Artificial Intelligence to study the requirement and meet the need?

        A password manager will work just fine with those limitations.  If you log in and it tells you to make a new password, you enter the new password, have the password manager remember it, and it will be used the next time.  The thing that could be tricky is the password generator, if you use one.  You can change the rules by which one is generated so that any given password will work, or you can just do like I do… I keep throwing passwords at it until it stops telling me it’s invalid.  If that doesn’t happen after a bunch of tries, then I have to do some of it manually.  Usually, I just find out what the problem is with the password that I last tried, then delete the characters that don’t work.  I’ll generate another password after that and use some of that to get the length back to where I want it (at least 12 characters, with more being better).

        Once you get the password generated, the rest is easy.

        It’s unfortunate that some places persist in the password change rules.  Those used to be considered best practice, but that’s generally not the case now.  Passwords should be changed if there is evidence of a possible compromise, but every x days just encourages the use of weak passwords that are easier to remember.

        Even with the password changing rules with the varying requirements for what a password should look like, a password manager is still pretty much a requirement, IMO.  If you use strong passwords (to the extent that you can with any given site), you’re going to need something to remember them for you, whether they’re a year old or if they change every month.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        1 user thanked author for this post.
    • #2273082

      Does it have to be a fingerprint reader, or would some other kind of authentication fob work?

      The Yubico folks at https://www.yubico.com/why-yubico/for-individuals/ have been leading the authentication key world for years, and security admins like their products. Their Web site also explains about various standards like FIDO2.

      I have one YubiKey to use at work and another to use at home, and love both of them. My only complaint is that I need a quick-release thing on my key ring to reach the computers. But now there are “near” YubiKeys using Bluetooth/NFC as well, if you want.
      snissen

      • #2273099

        They are great until you lose / break one.

        cheers, Paul
