Fingerprints are Usernames, not Passwords (2013) (dustinkirkland.com)
184 points by vincent_s on April 22, 2016 | 63 comments



This article has been discussed in the past (about 2 years ago). https://news.ycombinator.com/item?id=6477505

I think that fingerprints are fine for low security things, but I would never use it as authentication for anything that touches my bank account.


Has become relevant again because of this post: https://news.ycombinator.com/item?id=11548414


As a factor in a multi-factor authentication scenario it is pretty good.


This article was and remains wrong, and at least in the comments so far most people appear to be missing the point, which in turn weakens security. Biometrics are neither user names nor passwords, they're a perfectly valid factor (along with something you know and something you have) with their own strengths and weaknesses vs various threat models. One of the most absolutely fundamental mistakes that can be made with security is sacrificing the good at the altar of the perfect, because overall security is always, 100% of the time an economic equation, a time/resource expenditure tradeoff between an attacker and defender for a given value of information. "Security" as a field also exists almost exclusively for the benefit of and requiring interaction with humans, which means that the human factor must always be a fundamental consideration as well. Or more pithily, a "security" system is garbage if its users can't use it, won't use it, find it too easy to screw up, or even if the costs it imposes are greater than the benefits provided.

Biometrics, including fingerprints, are human friendly, and that instantly makes them worthy of consideration as part of a system. Touch ID or the like can enable a person to use an extremely strong password that would otherwise be completely uneconomic, and the combination of a limited time, extremely fast biometric shortcut with a very strong core password, particularly if combined with coercion code use (only possible for now via jailbreak but something Apple or another manufacturer could and should implement at all levels), remote lockout (long available everywhere), etc., may be significantly better than merely a PIN code alone.

Threat models cannot be ignored for a security system, because they define the system. The greatest threat most people face is remote attacks, with the next greatest being scatter shots of various sorts (in other words, somebody was looking to steal or attack a device, not your device in particular). Persistent targeted threats are an entirely different situation and a password alone is not even necessarily better in a mobile scenario, because in a mobile scenario you often do not have even a modicum of control over your environment. A fingerprint might be possible to lift and use as the author links, but a PIN code or password can be taken, often even more easily, via shoulder surfing or cameras. In fact in the modern first world environment bird's-eye-view (ceiling/pole-mounted etc.) surveillance cameras are becoming ever more ubiquitous and ever higher resolution. Are people going to seriously suggest nobody use their mobile device anywhere with a surveillance system? More and more, how will you even know that? Taking advantage of the ever increasing cost/performance/size/power improvements powered by the smartphone revolution, retailers are interested in ever more camera use not for thieves but for metrics, to figure out exactly what shoppers are doing down to precisely what they're looking at and for how long. The retailers of course have no interest in your phone info, and in fact an interest in not making people worried about that sort of thing. But if we're going to consider someone going to the specific trouble to rapidly spoof biometric identity for a specific device, then it's necessary to consider that once the cameras exist at all, access for non-intended purposes may be just a hack or national-security-directive away.

Basically, it's frustrating to still see people pointing to "somebody broke into this security system!" as if it means anything without thinking about the time/resource cost and threat model. Biometrics absolutely have a role to play in general authentication for the general population for the foreseeable future. There are paths for improvement there just as in other areas, perhaps culminating in fusion technologies like security authentication implants wired into our brains someday, but we'll need functional authentication to get us that far and passwords alone do not cut it for most of the population as currently implemented.


I think you may also be misconstruing the point. Saying that fingerprints aren't passwords is _not_ the same as saying a fingerprint shouldn't be required to unlock a phone. (As with most web logins, it's userid + password. But it shouldn't be one or the other.)

The key point though is that security tokens must be changeable/revocable and biometric data is not so much.


Please describe the threat model in which a fingerprint is insecure because it can't be revoked. Without a threat model, evaluation of "security" is useless.


When you walk around in your daily life, do you write your password down on everything you touch? Why not?


How is this strawman even a little bit relevant to the question posed? You don't write your password down on everything you touch even though it is revocable.


That's the point. You do leave fingerprints on things you touch. Fingerprints that can be copied.


It doesn't answer the question. Passwords can be revoked and you still don't want to leave them everywhere. Need for revocability has nothing to do with maintaining the "secret" and everything to do with mitigating the impact of a compromise.

If a password is leaked, you need to revoke it in order to mitigate the potential damage. If a fingerprint is leaked, do you need to do the same? No, because the security of the fingerprint is not tied to its secrecy. Fingerprints are not secret. They are just hard to reproduce.

Trying to equate fingerprints to passwords or usernames will inevitably result in absurd comparisons because fingerprints are neither of these things. They are an entirely different type of entity.

Fun fact: fingerprint access to banking info on your phone constitutes two factor authentication. Factor one is the fingerprint (something you are). Factor two is the phone containing the already-authenticated app (something you have). Arguably this is a more secure way to access your bank than the typical one factor username+password you would use online.


What do you mean by "passwords can be revoked"? I only have one fingerprint and unlike usernames, it cannot be changed. Once an attacker gets hold of my fingerprint I can no longer use it. (This is an honest question btw.)


A changed password is revoked. You revoke the old password when you create a new one. So passwords support revocation whereas fingerprints do not. The question posed above is whether the inability to revoke (or change) a fingerprint matters.


At least on iOS, the fingerprint works in conjunction with a password. You must enter your password and then, for a limited period of time, you can use your fingerprint for access. The fingerprint is used to generate something more like a session key. If you change your password, the fingerprint no longer gives you access; you have to reauthenticate with the password before the fingerprint will work again.
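The passcode-anchored design the comment above describes can be written down as a small policy object. This is an added illustration, not Apple's code or the commenter's; the 48-hour window and the five-failure limit are illustrative assumptions (labelled in the code), and the sensor's match decision is abstracted to a boolean. The point it makes concrete is the revocation fallback argued about in this thread: the biometric never stands alone, and a passcode change silently de-arms it until the next passcode unlock.

```python
import hmac
import time


class DeviceUnlockPolicy:
    """Passcode-anchored biometric unlock.

    The biometric is a short-lived shortcut: it works for a bounded time after a
    passcode unlock, and a passcode change (or too many failed biometric matches)
    forces the user back to the passcode.  The window and failure limit are
    illustrative assumptions, not any vendor's actual values.
    """

    BIOMETRIC_WINDOW_SECONDS = 48 * 3600   # assumption: how long a passcode unlock "arms" the biometric
    MAX_BIOMETRIC_FAILURES = 5            # assumption: consecutive mismatches before passcode fallback

    def __init__(self, passcode: str, clock=time.time):
        self._passcode = passcode
        self._clock = clock                 # injectable so tests can control time
        self._last_passcode_unlock = None   # timestamp of the most recent passcode unlock
        self._biometric_failures = 0
        self._passcode_generation = 0       # bumped on every passcode change
        self._biometric_bound_to = None     # generation the biometric was last armed under

    def unlock_with_passcode(self, attempt: str) -> bool:
        # compare_digest avoids leaking how much of the passcode matched
        if not hmac.compare_digest(attempt.encode(), self._passcode.encode()):
            return False
        self._last_passcode_unlock = self._clock()
        self._biometric_failures = 0
        self._biometric_bound_to = self._passcode_generation   # re-arm the shortcut
        return True

    def biometric_allowed(self) -> bool:
        if self._last_passcode_unlock is None:
            return False                                        # fresh boot: passcode required
        if self._biometric_bound_to != self._passcode_generation:
            return False                                        # passcode changed since last arming
        if self._biometric_failures >= self.MAX_BIOMETRIC_FAILURES:
            return False                                        # too many mismatches
        return self._clock() - self._last_passcode_unlock <= self.BIOMETRIC_WINDOW_SECONDS

    def unlock_with_biometric(self, sensor_says_match: bool) -> bool:
        """`sensor_says_match` stands in for the matcher's verdict; the policy never sees raw prints."""
        if not self.biometric_allowed():
            return False
        if not sensor_says_match:
            self._biometric_failures += 1
            return False
        return True

    def change_passcode(self, current: str, new: str) -> bool:
        if not hmac.compare_digest(current.encode(), self._passcode.encode()):
            return False
        self._passcode = new
        self._passcode_generation += 1     # biometric binding is now stale until the next passcode unlock
        return True
```

Note that a lifted fingerprint buys an attacker nothing against a device that has just rebooted, has been idle past the window, or whose passcode was changed; the window and failure limit are the knobs a designer turns to trade convenience against that exposure.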


> [Fingerprints] are just hard to reproduce.

I think this is the key point. If fingerprints were like public-key authentication mechanisms, they'd be fantastic. If it was mathematically impossible or even just very difficult to fake them just by intercepting previous authentications, that would be incredibly useful.

That's not the case though.

They're easily reproduced in moments using putty[0] or play-doh[1]. Or duplicated using household materials, even from a fingerprint collected from the targeted iOS device itself.[2] Some teams have found difficulty using some of these methods against a MS fingerprint scanner, but still found success using a toy wax kit from Crayola.[3]

But the general point about revocation is this: you should imagine, whenever designing a security system, "what's my fallback when this fails?" Biometrics can fail for lots of reasons, not only due to adversaries.[4] You need to have some idea of how to recover from those failures beyond just insisting that those failures don't happen or are unlikely.

Revocation is a handy fallback in those situations for a lot of systems. It's so common that people probably wrongfully assume it's the only way to recover. Fingerprints can't offer revocation, but they may have other fallbacks. Maybe you have a guard checking photo IDs if a scanner doesn't work for entry to a facility.

Scanners for devices might need to simply fail to require usernames and passwords for some users after they've been compromised. That could still offer convenience for other users, but over time, fewer and fewer users would get that benefit.

Or maybe fingerprints are just not designed to be that secure, and maybe that's ok. Anyone can get through the standard household locks in seconds with about 30 minutes max of research on youtube. They're not perfect security and not intended to be, they just put a small barrier (mostly social) to prevent the most nuisance level entries.[5]

[0] http://www.puttyworld.com/thinputdeffi.html

[1] https://secure.marketwatch.com/story/this-company-hacked-an-...

[2] http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren.en

[3] http://www2.washjeff.edu/users/ahollandminkley/Biometric/ind...

[4] See Yager and Dunstone on the Biometric Menagerie for an interesting classification system for the wide variety of failure cases you have to tune any biometric system against.

[5] If you want more about this philosophy / interpretation of locks and security, or even if you don't, there are fewer better ways to spend an hour than by listening to the brilliant Schuyler Towne at RVAsec on the history and social function of locks and lock-making. No seriously, it's amazing. https://www.youtube.com/watch?v=3nROJz_UNQY

EDIT: moderated my views in the last two paras, sorry for any whiplash.


So there are two things I would like to address. First, fingerprints do not need to be cryptographically secure to be sufficient for a great many purposes. As you noted, a house lock can be picked in seconds by someone with moderate skill and yet they are sufficient for physical security in most cases.

Second, and more important, we need to stop pretending that passwords actually work well when we have these sorts of conversations. The reality is that most people reuse the same passwords everywhere and when they are forced to use secure/unique passwords they cope by doing things like writing them down on sticky notes attached to their monitors. The reality is that most people are probably using a compromised password for their bank access because they used the same password on a dozen sites that have been compromised. When we compare fingerprint security to passwords, we need to stop comparing it to the mythical unique passphrase because essentially no one is using that.

I'll also point out that copying someone's fingerprint when they cooperate by taking a clay mold is quite different from lifting a fingerprint off, e.g., a glass. But nonetheless, I do not dispute that it is quite feasible to clone fingerprints.


Here's the situation: adversaries are using a set of compromised credentials to fraudulently access a system.

The next step is revocation and reissuing credentials.

You cannot revoke someone's fingerprints. Or at least they'll probably object once you fire up the blowtorch.

Are you familiar with the biometric menagerie? http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=4...

Sorry that's gated, but tl;dr, there are marginal cases in biometric systems where some individual's data doesn't work well, or messes with the recognition/exclusion of others.


From what I know about biometrics they use heuristics to authenticate, whereas a key-secret-salt tuple is deterministic. That alone makes me not want to use them.


As someone who completed their PhD in biometrics, they do not use heuristics to authenticate. Though that terminology is very broad. There's usually a match score threshold which is a heuristic based on some measured false acceptance rate, but with regards to determining the actual match score - it's often much more complex than a few heuristics.
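The "match score threshold based on a measured false acceptance rate" mentioned above is easy to make concrete. The following is an added example (not the commenter's code, and not tied to any real sensor): it takes constructed genuine and impostor match scores, computes the false accept rate (FAR) and false reject rate (FRR) at a threshold, picks the lowest threshold that meets a FAR target, and breaks FRR out per subject so a "goat" (a user whose own readings match their template poorly, one of the Biometric Menagerie cases raised elsewhere in this thread) is visible rather than hidden in the average.

```python
# Constructed match scores (higher = more similar); illustrative, not from any real sensor.
# Genuine scores are keyed by subject so per-subject behaviour is visible.
GENUINE = {
    "alice": [0.92, 0.88, 0.81, 0.77],
    "bob":   [0.74, 0.69, 0.65, 0.60],   # a "goat": matches poorly against his own template
}
IMPOSTOR = [0.71, 0.62, 0.55, 0.48, 0.44, 0.40, 0.36, 0.31, 0.28, 0.22]


def far(impostor_scores, threshold):
    """False accept rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False reject rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def all_genuine(genuine_by_subject):
    return [s for scores in genuine_by_subject.values() for s in scores]


def threshold_for_far(genuine_by_subject, impostor_scores, target_far):
    """Lowest threshold (drawn from observed scores) whose measured FAR is <= target_far.

    Returns None if no observed score separates impostors from the top of the range,
    i.e. the target FAR is unreachable on this data without rejecting everyone.
    """
    candidates = sorted(set(all_genuine(genuine_by_subject)) | set(impostor_scores))
    for t in candidates:
        if far(impostor_scores, t) <= target_far:
            return t
    return None


def per_subject_frr(genuine_by_subject, threshold):
    """FRR for each enrolled subject; a high value flags a subject the system will keep locking out."""
    return {who: frr(scores, threshold) for who, scores in genuine_by_subject.items()}
```

On this data, demanding zero measured false accepts pushes the threshold up to 0.74, which rejects none of alice's readings but three out of four of bob's; relaxing to a 10% FAR drops the threshold to 0.65 and bob's rejection rate to one in four. That is the tradeoff a matcher's threshold encodes, and it is why the fallback (passcode, guard, re-enrolment) has to be designed in rather than assumed away.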


Can a mod please add "(2013)" to the title?



Fingerprints are UUIDs, neither usernames nor passwords.


If the connection is encrypted, a UUID is much closer to a password than a fingerprint.


My problem with all biometric authentication mechanisms is "what do you do when your fingerprint/eye/face signature is stolen?" Since these are non-replaceable signatures they are vulnerable, as they can't be replaced.


Whenever this topic comes up, I always think the following is a useful read.

https://technet.microsoft.com/en-us/library/cc512578.aspx


My background is in EE, so forgive me if this is a stupid question. Are there any cryptographic hash functions which support a closeness metric? Having written that out, it seems that such a thing would be contradictory, as to be able to compute their closeness would give information away about their nature and thus make them possibly reversible.


I am also no expert, but I am not sure that I agree with MattSteelblade (https://news.ycombinator.com/item?id=11550845).

There is certainly such a thing as homomorphic encryption (https://en.wikipedia.org/wiki/Homomorphic_encryption), which allows one to perform transformations on encrypted text without being able to decrypt it. As long as one of the transformations that can be performed is a measure of closeness (which is certainly the case for fully homomorphic encryption (https://en.wikipedia.org/wiki/Homomorphic_encryption#Fully_h... )), and as long as you know the ciphertext of the possible numerical responses, then you can read off closeness without being able to decrypt the hash.

The emphasised bit is a drawback, but it demonstrates the theoretical possibility; and, although I don't know of an implementation, nor do I see anything inherently contradictory about a (non-reversible) system designed intentionally to reveal closeness information.


Off the top of my head, it would at best severely weaken the strength of the hash function. Instead of having to brute force to find an output that matches exactly, you would only have to brute force for one that was sufficiently close, then use a greedy search to move from there to the actual key.

The stronger you make the "closeness" guarantee, the weaker the function becomes to this kind of thing.


That is correct, it would be contradictory. Fingerprints are un-hashable in that sense.


What you're looking for are "fuzzy extractors".


Locality-sensitive hashing might be what you want, but it is not a cryptographically strong construct.
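The "fuzzy extractor" named above is the standard answer to the question of hashing something that is only approximately reproducible. As an added example (not from any commenter, and a textbook construction rather than any product's implementation), here is the code-offset secure sketch with a repetition code: enrolment XORs the biometric bit template with a random codeword and publishes the result as helper data; a later noisy reading XORed with the helper data is a noisy codeword, which the error-correcting decoder cleans up, giving back the exact original template and hence the same key. SHA-256 stands in for the randomness extractor, the template is a constructed 48-bit vector rather than a real fingerprint feature vector, and the repetition code is chosen for readability (a real deployment would use a stronger code, and the template's min-entropy has to exceed the N minus K bits the sketch gives away, which is the caveat the comment about weakening hashes is getting at).

```python
import hashlib
import secrets

R = 3                 # repetition factor: each random codeword bit is written R times
K = 16                # number of random bits in the codeword
N = K * R             # length of the biometric bit template (48 bits here)


def encode(key_bits):
    """Repetition code: [1, 0] -> [1, 1, 1, 0, 0, 0] for R = 3."""
    return [b for b in key_bits for _ in range(R)]


def decode(noisy_codeword):
    """Majority vote per block; corrects up to (R - 1) // 2 flipped bits in each block."""
    return [1 if sum(noisy_codeword[i:i + R]) * 2 > R else 0
            for i in range(0, len(noisy_codeword), R)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def gen(w, codeword_bits=None):
    """Enrol: derive (key, public sketch) from template w, a list of N bits."""
    if codeword_bits is None:
        codeword_bits = [secrets.randbits(1) for _ in range(K)]
    sketch = xor(w, encode(codeword_bits))      # public helper data; leaks at most N - K bits about w
    key = hashlib.sha256(bytes(w)).digest()     # SHA-256 stands in for a randomness extractor
    return key, sketch


def rep(w_prime, sketch):
    """Reproduce the key from a noisy reading w_prime and the public sketch."""
    noisy_codeword = xor(w_prime, sketch)        # equals codeword XOR (w XOR w_prime)
    recovered_codeword = encode(decode(noisy_codeword))
    w = xor(sketch, recovered_codeword)          # exactly the enrolled w if the noise was within budget
    return hashlib.sha256(bytes(w)).digest()


def with_flips(bits, positions):
    """Return a copy of `bits` with the given positions flipped (simulated sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# A constructed template, not a real fingerprint feature vector.
TEMPLATE = [(i * 5 + 3) % 7 % 2 for i in range(N)]
```

Two things to check when you run it: one flipped bit in every block still reproduces the key, while two flips in a single block do not (that is the correction budget of a length-3 repetition code); and enrolling with an all-zero codeword makes the sketch equal to the template itself, which is why the codeword must be uniformly random. The sketch is not secret, but the key is only as strong as the template's entropy after subtracting what the sketch reveals, and it is still derived from an unrevocable biometric; the construction tolerates noise, it does not solve revocation.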


I'm glad to see this post getting upvoted because I've had to argue with people repeatedly on HN who claim it's private / a valid authentication factor.

Look folks, maybe as part of some second or third factor it might be okay...but you still need a password.


Common security practices define authentication factors as: 1) Something only you know [password], 2) Something you have [hardware security token], and 3) something you are [fingerprint, iris scan, etc]. And you should need at least two of these to authenticate to a system.


People on HN have actually argued that "its private / a valid authentication factor"?

I'm rather surprised. To me, this seemed like a longstanding given (in this community).


> I'm glad to see this post getting upvoted because I've had to argue with people repeatedly on HN who claim it's private / a valid authentication factor.

No, you didn't. There is nothing in your history regarding this subject, except for this post.


To give them the benefit of the doubt, it's possible they've made a new account (45 days old isn't too much tenure).

Heck, I've done it, since it's probably not the best to create a digital repository of all my opinions!


I create a new account on every site I use roughly once a year. I've no interest in reputation and there's no way to gain from keeping one account going. I know I'm not alone in doing this.


Did you bother to read the posts where I offered old accounts and/or the fact I cycle through accounts?

https://news.ycombinator.com/item?id=11440951

https://news.ycombinator.com/item?id=11377425

I mean if you are going to accuse me of being a liar, you may want to at least check to see if I mentioned having other accounts first.

Also, you may want to consider the OP was posted in 2013 to HN and I've said publicly I've been around on and off since 2010.


Since fingerprints are "measured" they MAY be usernames. Damn errors and false positives refusing to let stuff be unambiguous. And, like everything that can be measured... it can be duplicated... without the knowledge of the owner of the metric. Damn analog world refusing to enter the modern digital world. (Pun: digit = finger in Latin.)


Fingerprints are more like your SSN. You shouldn't trust anyone to store them and not share them.


That's the wrong way around though. It shouldn't be the case that there are consequences for me if someone else presents my fingerprint or SSN. They obviously aren't secrets, knowing them shouldn't be treated as authentication.

(I guess if you have a human watch someone use a tamper resistant fingerprint reader you have accomplished some degree of authentication)


something you have, something you know, something about you. Nothing has changed in 40 years. The key is making them reputabiable. It's hard to get new fingers.


> The key is making them reputabiable.

Repeatable? (Not typo-hunting; I'm honestly not sure.)


I think the GP meant revocable. ("Repudiable" -- able to be repudiated -- is neither a word nor exactly correct in this context.)


Oh, that makes more sense. Thanks!


that makes sense since my voice is my passport. [verify me]


Is this not completely obvious?


It's not, not to much of the general populace. This has been reinforced by decades of science fiction in which fingerprints or handprints get characters access to secure resources. It's also been reinforced by Apple's messaging about the fingerprint reader on recent iPhones: it replaces a pin or password, and so people think of it as a password as well.


From an episode of Star Trek: The Next Generation:

"I presume your handprint will open this door whether you are conscious or not."


Not saying I disagree, but a layperson paying attention to a sci-fi movie could figure this one out on their own. How often does the protagonist circumvent the fingerprint scanner with a) A piece of tape, or b) the hand of the armed guard who was standing right next to the scanner?


You say that as if "secure until I'm dead" is not good enough for 99.999% of people.


What makes you think I care about Henchman #752? His boss is the one who has to suffer the consequences of his stolen fingerprint.


In the case where you're using a fingerprint unlock for your own phone, you are both Henchman #752 and the boss.


Hmmmm, you make a valid point.


But he no longer has to care what his boss thinks.


This is HN, I think it's fair to assume that this isn't news to anyone here.


flagged. redirected to spam site when visiting this site on mobile.


I think he has a point, but do we really have better alternatives?

Soon enough computers will be able to check every possibility for passwords as big as we can remember them. With good algorithms predicting what is likely to be a valid password, maybe they already can.

Even though I agree fingerprints aren't a good solution, passwords aren't either. Any ideas?

Maybe we could have some kind of card that would have big keys stored on it.

EDIT: Fixed missing word


As a non-English speaker, I use a phrase from our native language. The lesser known the language the better.


Start using phrases as password. Mix languages.


Typing out a lengthy phrase on a phone keyboard, without being able to see any visual feedback because the letters are replaced with dots, is an exercise in frustration.

I do this on a regular basis because I have an entire sentence as my LastPass passphrase.


I do the same with keepass. I think it's the best we can do now.


I usually hit the "make visible" button on LastPass' password entry slot, to be honest. I usually make sure nobody's got a good view of my phone when I do this.

Usually.

I should never become a spy, my security technique is laughable.


There are a couple of things here: I think the most important is that without rate-limiting, there are no such things as passwords. There can only be passphrases. That is, if "something you know" is a shared secret, it needs to be high entropy, effectively around 128 bits. That's much harder than most people think.

You could probably make a list of 256 common, short words that are distinguished by their first two letters[1], but to encode 128 bits of entropy, you'd need 19 words (or 16 if you managed to use 512 words). Even if you picked only the first two letters, that's best case 32 characters. It's a lot to type blind, it's a lot to remember, it's complicated to cycle the phrase.

So it's better to not have to remember the password: use a password manager. Or, if you could somehow avoid the possibility of off-line attack, and guarantee solid rate-limiting, much less entropy might be needed. A 4-digit pin is probably on the low side (consider that on a site with ~100,000 users, if you tried any set of three pins, you'd probably compromise many accounts, assuming uniform distribution of pins).

Another way, is to continue using a shared secret, but prove knowledge in a different way: eg using TOTP[2]. On the other hand, TOTP shares some of the disadvantages of unsalted passwords: the secrets are stored in plain text both on your one-time token generator (your insecure smartphone), and on the server. On the other hand, they're harder for most users to re-use than passwords are (users typically don't know the secret used to generate one-time passwords).

But all these have another problem: how do you protect your secrets? You could use full disk encryption... protected by... a password?

Still, the idea of using a fingerprint for authentication, especially on a device filled with your fingerprints seems like a pretty bad idea. Never mind the fact that once compromised they can never be changed.

As for your last point, I do think the combination of something like a yubikey neo[3] along with NFC is probably the sweetspot for practical security right now. You can use it to unlock your smartphone, and your computer.

[1] (26^2=512, but not all combinations are common, fitting 256 should probably be possible, even if the more common combination of vowel+consonant is only ~6*20=120. Possibly in combinations with the numbers 1..99)

[2] https://en.wikipedia.org/wiki/Time-based_One-time_Password_A...

[3] https://www.yubico.com/products/yubikey-hardware/yubikey-neo...



