<?xml version="1.0" encoding="utf-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Look Ma, no fingers!</title>
	<atom:link href="http://dsandler.org/wp/archives/2007/10/02/look-ma-no-fingers/feed" rel="self" type="application/rss+xml" />
	<link>http://dsandler.org/wp/archives/2007/10/02/look-ma-no-fingers</link>
	<description>a beautiful blog by daniel sandler</description>
	<lastBuildDate>Wed, 08 Sep 2010 01:04:12 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: jstewart</title>
		<link>http://dsandler.org/wp/archives/2007/10/02/look-ma-no-fingers/comment-page-1#comment-122379</link>
		<dc:creator>jstewart</dc:creator>
		<pubDate>Wed, 03 Oct 2007 16:14:19 +0000</pubDate>
		<guid isPermaLink="false">http://dsandler.org/wp/archives/2007/10/02/look-ma-no-fingers#comment-122379</guid>
		<description>Ironically, &lt;a href=&quot;http://technology.newscientist.com/channel/tech/mg19526226.300-online-biometrics-flaw-gives-hackers-a-fake-finger.html&quot; rel=&quot;nofollow&quot;&gt;New Scientist&lt;/a&gt; had an article last week on an attack against online fingerprint schemes:
&lt;blockquote&gt;
Imagine being free to forget all of your passwords and use your fingerprint to log in to your online bank, eBay and email accounts. This tantalising vision has suffered a major blow: the scheme that makes it possible could also allow hackers to steal fingerprints and impersonate their victims.

Biometric-secured laptops store an image of your fingerprint, only letting you log in if you produce the matching finger. Proving your identity over the internet is more difficult, however, because the fingerprint data must be transmitted, giving snoopers the chance to hijack it.

Encrypting the fingerprint using conventional cryptography and then transmitting it is not an option as it would require the fingerprint scanned with your PC to exactly match the one stored by the website you wish to access. That isn&#039;t possible because fluctuations in the way fingers roll over scanners make the same print slightly different each time.

Instead, a cryptographic scheme known as the &quot;fuzzy vault&quot; was devised that does not require a print to look exactly the same each time it is scanned.
&lt;/blockquote&gt;
...
&lt;blockquote&gt;
Now Preda Mihailescu at the University of Göttingen in Germany has shown that the fuzzy vault is not secure (www.arxiv.org/abs/0708.2974v1). His analysis shows that if more than about 500 chaff pairs are used, too much computing power is required to separate the true pairs from the chaff for the server to cope. Yet he also found that a fuzzy vault with about 500 chaff pairs can be broken in a day using a powerful desktop computer.
&lt;/blockquote&gt;

The original paper: http://www.arxiv.org/abs/0708.2974v1</description>
		<content:encoded><![CDATA[<p>Ironically, <a href="http://technology.newscientist.com/channel/tech/mg19526226.300-online-biometrics-flaw-gives-hackers-a-fake-finger.html" rel="nofollow">New Scientist</a> had an article last week on an attack against online fingerprint schemes:</p>
<blockquote><p>
Imagine being free to forget all of your passwords and use your fingerprint to log in to your online bank, eBay and email accounts. This tantalising vision has suffered a major blow: the scheme that makes it possible could also allow hackers to steal fingerprints and impersonate their victims.</p>
<p>Biometric-secured laptops store an image of your fingerprint, only letting you log in if you produce the matching finger. Proving your identity over the internet is more difficult, however, because the fingerprint data must be transmitted, giving snoopers the chance to hijack it.</p>
<p>Encrypting the fingerprint using conventional cryptography and then transmitting it is not an option as it would require the fingerprint scanned with your PC to exactly match the one stored by the website you wish to access. That isn&#8217;t possible because fluctuations in the way fingers roll over scanners make the same print slightly different each time.</p>
<p>Instead, a cryptographic scheme known as the &#8220;fuzzy vault&#8221; was devised that does not require a print to look exactly the same each time it is scanned.
</p></blockquote>
<p>&#8230;</p>
<blockquote><p>
Now Preda Mihailescu at the University of Göttingen in Germany has shown that the fuzzy vault is not secure (www.arxiv.org/abs/0708.2974v1). His analysis shows that if more than about 500 chaff pairs are used, too much computing power is required to separate the true pairs from the chaff for the server to cope. Yet he also found that a fuzzy vault with about 500 chaff pairs can be broken in a day using a powerful desktop computer.
</p></blockquote>
<p>The original paper: <a href="http://www.arxiv.org/abs/0708.2974v1" rel="nofollow">http://www.arxiv.org/abs/0708.2974v1</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
