Comments on a recently proposed Privacy Preserving Lightweight Biometric Authentication System for IoT Security

TL;DR

This paper critically examines a lightweight biometric authentication system for IoT, revealing security flaws and privacy vulnerabilities that question its suitability for biometric security applications.

Contribution

It identifies specific security and privacy vulnerabilities in a recent lightweight fingerprint matching adaptation, clarifying its unsuitability for biometric use.

Findings

Intruders can successfully authenticate illegitimately.

The lightweight adaptation has significant privacy vulnerabilities.

The original Minutia Cylinder-Code algorithm remains unexamined.

Abstract

In this paper, we show that a recently published lightweight adaptation of a Fingerprint matching algorithm called the Minutia Cylinder-Code may not be secure as intruders may be able to illegitimately yet successfully authenticate themselves to the system under consideration. We also show that the lightweight adaptation has other privacy related vulnerabilities that make it unsuitable for use in Biometrics. We make it clear that we are neither investigating nor commenting on the security of the original Minutia Cylinder-Code algorithm by itself, rather we highlight the vulnerabilities of the lightweight adaptation. In the process of doing this, we provide a high-level overview of the role of one-way functions in cryptography and biometrics to provide a context to the aforementioned lightweight algorithm and its deficiencies.