MonThruThurs

Awesome, keep up the good work!

writerguyfl

Here's how it was explained to me: Upon entry, the scanner picks X number of random points out of Y possible details. (That Y is a very large number.) It takes those X points and creates a algorithm based on order of the points and relationship. While it's theoretically possible to reverse engineer that data to create a fake fingerprint, that print would only work on that same system. A non-related biometric scanner would have chosen different data points. The likelihood that the same scanners would have selected the same random data points is infinitesimally small.

In the event of a data breach of biometric information, you only are at risk to that set of data. No one will be able to take that data and break into other secured biometric databases. And, in the case of Disney, even then it's not an end-of-the-world scenario as they require two methods of identification (biometrics and RFID).

That said, I get why some people are wary. Any smart private company will offer an alternative. (Disney does.) It's just not going to be convenient or seamless as biometrics.

IsleOfMan

As a Disney Annual Pass-holder for the last 8 years (my wife is an addict), I've been pretty desensitized to the idea of fingerprint bio-metrics. If an alternative is offered to those who want to opt-out, I'd be all for the added convenience of not needing documents or even my phone at hand to check-in and board.

coastalguy

And...I'm pretty sure everyone has a face, so problem dealing with finger-less people *solved*! ^ #thumbprint #myfaceismypassword #crapwhataboutfacetransplants

ryan182

Close, it's a one way hash though not encryption. Encryption needs to be reversible, given the correct key, hashing algorithms are not. A hash also produces a fixed length output from a given input where as encryption algorithms produce an arbitrary length output based on the input and key. Lastly to say a leak would be useless is not necessarily the case, an unsalted and/or week hash can be quite readily brute forced (md5 and a couple GPUs) or susceptible to rainbow table attacks. Now if properly done (bcrypt, script, or sha512 plus a unquie salt per hash) it becomes fairly impractical to recover the source data, today. Not sure how much I'd trust an airline, most of which seem to have IT infrastructure from the 70s with doing things right.

98103

I trust Alaska not to abuse my fingerprints more than I trust Disney. But then again, I don't trust the vermin at Disney at all.

I've been using the finger entry at the SEA Boardroom. Sometimes it takes more than one try, but its still better than standing in line.

Seattlenerd

Thanks!

Column on GeekWire's site is now live: "Alaska Airlines' biometric boarding pass: Lifting, or giving, a finger?"

It mentions FlyerTalk, too.

IsleOfMan

A few of us (myself included) were quoted directly in the GeeksWire article.

WhIteSidE

Yay! GeekWire FTW! (and you guys sometimes say nice things about us too!)

As others have stated, an actual image of your fingerprint is not stored. This would both present data theft problems and (historically) be slow, because of the requirement to transmit an entire image.

Instead, the scanner internally converts your fingerprint to a string, such as abc123. This string may be further encrypted, but as a general statement, it should be impractical to take the string and reproduce the image of a fingerprint from it.

When you scan in, the scanner may produce a string such as abc124. The controller will have a comparison function which determines if the presented fingerprint hash is sufficiently close to the original has that the system is confident it's really you.

Overall, I'm quite comfortable with AS storing this data. Even if it's breeched, there's virtually nothing nefarious that can be done with it. Even knowing the desired output, it's supposed to be impractical to generate and input that will produce that same output again.

My biggest concern would be how well these algorithms have been studied. As mentioned above, the usage of MD5 and SHA1 as the basis of online security for many years means that they've been exhaustively studied and weaknesses found.

A quick search of the literature didn't reveal much in the way of direct attack attempts on the fingerprint hashes (although of anyone knows of papers on the subject, please post). It seems most of the fingerprint scanner attacks are on the scanner itself, although it seems that many of these may be overcome using full frame scanners (as I suspect CBP does), instead of pixel shift or "broom" sensors.

In any case, I also signed up for the scanner in the boardroom as soon as I saw it.

MonThruThurs

Nice read! Can't wait for the next geekwire event.

Seattlenerd

I'll be at the Gala. Say hello.

And I might sneak in another column about AS between now and then.

gum

In former times - not so long ago - fingerprinting was strictly limited to criminals. Until now even the Canadian passports don't have fingerprints.

Using the fingerprints as a biometric recognition feature is the most intrusive option. And exactly for that reason it is used.

The new biometric photos are safe enough.

And by the way: The brutal and inhuman terrorist attacks can't be prevented by fingerprinting. Suicide bombers who throw their lives away even transmit propaganda videos of their terrorists.

So IMHO every fingerprint taken is a setback for the values of the Western world and the transatlantic partners. The best way would be to communicate these values openly and slash all the ID requirements for domestic flights.

And soon you will see: A new sense of freedom will spread.....

And will on the long run dry out the supplies for all those terrorist groups due to the fact that the US will becomea stronghold of freedom.

Thus terminating the violence by a good archetype.

Ronlap

This could be fun - I don't have readable fingerprints. My line of work requires me to get periodic background checks and the FBI needs to reject my prints twice before they do the check based on my name - which takes 30-45 days from start to finish. I have a Clear membership and use the iris scan otherwise people behind me would be there forever.

Seattlenerd

Alaska has stated it would be an optional replacement for a paper or mobile boarding pass, just as fingerprint scanning is optional at the Board Room. So you'd likely have alternatives if it ever is adopted.

UA Fan

Chill please. It was a very creative title.