Reply to post: Re: Salt free

Clock blocker: Woman sues bosses over fingerprint clock-in tech

Anonymous Coward
Anonymous Coward

Re: Salt free

Disclaimer. I work for a direct competitor of Kronos, although I'm not aware whether we have customers in that particular jurisdiction. IANAL so I cannot comment on that side of things, but I have written the integration to numerous biometric devices for time capture, both embedded and PC based. This has included fingerprint (multiple technologies with multiple vendors), vein scan, and facial recognition.

Firstly, these biometric templates are not stored as images. It is true that enrollment starts off as a captured image, but the device or SDK will convert that image to a set of measurements. Those measurements are typically a handful of KB in size. They are usually encrypted by the device itself before it gets returned to the software, which must return it later on.

Comparison involves a probabilistic score between the provided finger/hand/whatever and the template. Salting doesn't work because you are never expecting an exact match. You are looking for a score better than X, where X is determined by what is an acceptable false accept Vs false reject rate. These two ideals work against each other, so the balance is decided by your use case. Guarding a bank vault would be a much higher threshold than letting you clock out.

Identify is just a special case of comparison where all templates are considered. Most algorithms today are in the 10K+ judgements per second, with some an order of magnitude better.

In terms of why you might transfer the template, there are two use cases I know of. One is where the identification is performed on the server side which some systems do. Another is where the devices are set to sync with other devices where that employee may also clock.

I doubt Kronos would be dumb enough to upload it to their own, but I would believe if they offer a hosted platform on Azure/AWS which might be what she is complaining about. And that system is likely to contain her name, phone, address, email, date of birth, salary, leave entitlements, work schedule, and in some cases tax or bank account details.

But for perspective, if someone was really after her prints for some reason, starting with her office glass or the dozens of other surfaces that she would have touched would be a much easier avenue to head down.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019