Blog | G5 Cyber Security

Fingerprint Salted Hashes

TL;DR

Using a fingerprint as a salt for password hashing adds an extra layer of security. This guide explains how to capture the fingerprint, convert it into a suitable salt format, and integrate it into your hashing process using Python. It’s important to remember that while this improves security, no system is foolproof.

Capturing the Fingerprint

  1. Hardware: You’ll need a fingerprint scanner connected to your system. Many laptops now have built-in scanners.
  2. Software Library: Use a library like pyfingerprint (or similar, depending on your scanner) in Python to access the scanner. Install it using pip:
    pip install pyfingerprint
  3. Capture Process: The following code snippet shows how to open the sensor and capture a fingerprint. The serial port, baud rate, sensor address and sensor password are the values the pyfingerprint examples use for a ZFM-20 sensor on a USB-to-UART adapter; adjust the port to your wiring:
    from pyfingerprint.pyfingerprint import PyFingerprint, FINGERPRINT_CHARBUFFER1
    
    try:
        # Port, baud rate, sensor address and sensor password (the last two are the factory defaults).
        fingerprint = PyFingerprint('/dev/ttyUSB0', 57600, 0xFFFFFFFF, 0x00000000)
        if not fingerprint.verifyPassword():
            raise ValueError('The sensor password is wrong.')
        print("Device found!")
    except Exception as exc:
        print("No device found:", exc)
        raise SystemExit(1)
    
    print("Place your finger on the sensor.")
    # readImage() returns False while no finger is present, so poll until a capture succeeds.
    while not fingerprint.readImage():
        pass
    
    # Convert the captured image into a template in char buffer 1 and download it as bytes.
    fingerprint.convertImage(FINGERPRINT_CHARBUFFER1)
    image = bytes(fingerprint.downloadCharacteristics(FINGERPRINT_CHARBUFFER1))
    if image:
        print("Fingerprint captured successfully.")
    else:
        print("Failed to capture fingerprint.")

Converting the Fingerprint to a Salt

  1. Raw Data: The capture step returns raw fingerprint data as bytes. This isn’t directly usable as a salt.
  2. Hashing the Image: Hash the image data itself using a strong cryptographic hash function (like SHA-256) to create a fixed-length string.
    import hashlib
    
    def hash_fingerprint(image_data):
        sha256_hash = hashlib.sha256()
        sha256_hash.update(image_data)
        return sha256_hash.hexdigest()
  3. Salt Format: The output of SHA-256 is a suitable salt format (a hexadecimal string). This will be prepended or appended to the password before hashing.

Integrating into Password Hashing

  1. Hashing with Salt: Combine the fingerprint salt with the user’s password before hashing. Use a strong key derivation function like bcrypt, scrypt, or Argon2.
    import bcrypt
    import hashlib
    
    def hash_password_with_fingerprint(password, fingerprint_salt):
        # bcrypt only uses the first 72 bytes of its input, so a 64-character hex salt
        # appended to the password would be partly or wholly ignored. Pre-hashing the
        # salted password to a fixed 64-character hex string keeps the whole salt in play.
        salted_password = hashlib.sha256((password + fingerprint_salt).encode('utf-8')).hexdigest()
        hashed_password = bcrypt.hashpw(salted_password.encode('ascii'), bcrypt.gensalt())
        return hashed_password.decode('utf-8')
  2. Verification: When verifying the password, repeat the process:
    1. Capture the current fingerprint and generate its salt.
    2. Combine the entered password with the *current* fingerprint salt.
    3. Hash this combination using the same key derivation function.
    4. Compare the resulting hash with the stored hash.
  3. Important Note: Always store the hashed password (with salt) and not the original password or the fingerprint image itself.
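The conversion and integration steps above, worked end to end as an added example (not the post's own code): the fingerprint-derived salt is computed with SHA-256 as described, combined with a per-user random salt, and run through scrypt from the standard library (one of the KDFs the post names) in place of bcrypt so it needs no extra packages; the sample fingerprint bytes are constructed, not real sensor output.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the bytes the sensor returns; not real fingerprint data.
SAMPLE_FINGERPRINT = bytes(range(256)) * 2


def fingerprint_salt(fingerprint_data: bytes) -> bytes:
    """Fixed-length salt derived from the raw fingerprint data (SHA-256, as the post describes)."""
    return hashlib.sha256(fingerprint_data).digest()


def derive_key(password: str, fp_salt: bytes, random_salt: bytes) -> bytes:
    # The KDF salt binds both the fingerprint-derived salt and a per-user random salt,
    # so two accounts enrolled with identical fingerprint data still get distinct keys.
    # scrypt consumes the full salt whatever its length (bcrypt would stop at 72 bytes).
    return hashlib.scrypt(password.encode("utf-8"), salt=fp_salt + random_salt,
                          n=2**14, r=8, p=1, dklen=32)


def hash_password_with_fingerprint(password: str, fingerprint_data: bytes) -> str:
    """Return a storable record: scrypt$<random salt hex>$<key hex>.
    Only the random salt is stored; the fingerprint salt is recomputed from a fresh capture."""
    random_salt = os.urandom(16)
    key = derive_key(password, fingerprint_salt(fingerprint_data), random_salt)
    return "scrypt$" + random_salt.hex() + "$" + key.hex()


def verify_password_with_fingerprint(password: str, fingerprint_data: bytes, stored: str) -> bool:
    """Repeat the derivation with the freshly captured fingerprint and compare in constant time."""
    try:
        scheme, random_salt_hex, key_hex = stored.split("$")
        random_salt = bytes.fromhex(random_salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:  # malformed record: wrong field count or bad hex
        return False
    if scheme != "scrypt":
        return False
    candidate = derive_key(password, fingerprint_salt(fingerprint_data), random_salt)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password_with_fingerprint("correct horse", SAMPLE_FINGERPRINT)
    print(record)
    print(verify_password_with_fingerprint("correct horse", SAMPLE_FINGERPRINT, record))  # True
    print(verify_password_with_fingerprint("correct horse", b"other finger", record))  # False
```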

Security Considerations