Question

On my fingerprint scanner, the fingerprints are stored in the device itself. I'm sure that this is the same as most of them.

How do the scanners protect/encrypt the fingerprint data, so that someone can't extract this information directly from the scanner and use it to authenticate? I know that this would require serious skill, but I'm sure that I'm not the only one who has thought of the possibility.

Solution

Fingerprint devices typically do not encrypt or store your fingerprint data. What usually happens is as follows:

  • the scan of your fingertip is analysed for certain control points
  • the position of these generates a token
  • this token is used similarly to a password hash and is passed to the authentication app
  • communication with the app may be encrypted with a key which is time specific, to avoid replay attacks

Which is similar to how a password hash is stored, as per @Wiso's answer, in a shadow password file, or in a SAM file under Windows.

So if you are looking at controls, the key elements are the algorithm the device uses to generate the token, the comms between the device and the application, and the storage used by the application.
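The time-specific key from the last bullet, sketched as an added example (not part of the original answer and not any vendor's protocol): the device authenticates each message under a key derived from the timestamp, and the app rejects stale, replayed or re-stamped messages before comparing the token against a salted hash. It assumes the device emits a stable byte token as the answer describes; `link_key`, `WINDOW` and the message fields are hypothetical, and channel encryption is left out so that only the replay check is shown.

```python
import hashlib
import hmac
import os
import struct

WINDOW = 30  # seconds a message stays acceptable (assumed value)

def enroll(token: bytes) -> tuple[bytes, bytes]:
    """App side: keep only a salted hash of the token, like a shadow entry."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", token, salt, 100_000)

def time_key(link_key: bytes, ts: int) -> bytes:
    """Derive the per-message key from the shared key and the timestamp."""
    return hmac.new(link_key, struct.pack(">Q", ts), hashlib.sha256).digest()

def device_send(token: bytes, link_key: bytes, now: int) -> dict:
    """Device side: bind the token to a timestamp and a fresh nonce."""
    nonce = os.urandom(16)
    tag = hmac.new(time_key(link_key, now), nonce + token, hashlib.sha256).digest()
    return {"ts": now, "nonce": nonce, "token": token, "tag": tag}

class App:
    def __init__(self, link_key: bytes, salt: bytes, stored: bytes):
        self.link_key, self.salt, self.stored = link_key, salt, stored
        self.seen = set()  # nonces accepted so far; prune by age in practice

    def verify(self, msg: dict, now: int) -> str:
        if abs(now - msg["ts"]) > WINDOW:
            return "stale"       # captured message replayed after the window
        if msg["nonce"] in self.seen:
            return "replay"      # same message replayed inside the window
        expected = hmac.new(time_key(self.link_key, msg["ts"]),
                            msg["nonce"] + msg["token"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-mac"     # e.g. timestamp rewritten to look fresh
        self.seen.add(msg["nonce"])
        candidate = hashlib.pbkdf2_hmac("sha256", msg["token"], self.salt, 100_000)
        return "ok" if hmac.compare_digest(candidate, self.stored) else "no-match"

if __name__ == "__main__":
    key, token = os.urandom(32), b"constructed-token"  # constructed sample values
    app = App(key, *enroll(token))
    msg = device_send(token, key, now=1000)
    print(app.verify(msg, now=1005), app.verify(msg, now=1006))
```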

OTHER TIPS

I don't think your device encrypts your fingerprint data. Suppose it does: where will your device store the key to decrypt it? Usually, for system passwords, systems create a hash from the password using a salt; look at shadow password.

Licensed under: CC-BY-SA with attribution