Fingerprints are usernames, not passwords (2013) (dustinkirkland.com)
264 points by l1n on Sept 15, 2017 | hide | past | favorite | 124 comments



Fingerprints are not passwords, but I don't think it's useful to think of them as usernames either.

This is a much more pragmatic take on it by Troy Hunt, the person behind “Have I been pwned?”: https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pra...

> The first point I'll make here as I begin talking about the 3 main security constructs available is that they're all differently secure.


They are as much a password as the key to your house is a password.

And agree that Troy's description is best as it takes us away from unhelpful metaphors.


If you believe your key has been compromised (say duplicated), you can change the lock and your key.

If you believe your fingerprint data has been compromised, can you change your fingerprint data?


>If you believe your fingerprint data has been compromised, can you change your fingerprint data?

Yep. I can use another finger. If all 10 have been compromised you probably have bigger issues.

Or you just turn it off.


In case anyone’s genuinely curious about fingerprint removal, rather boringly the best solution in practice is just to wear gloves. The alternatives are mostly temporary and much more painful than you’d expect, such as branding, abrasion, or chemotherapy drugs such as capecitabine.


Same with SSNs. Try changing yours. And yet, they're used as passwords.


And what's worse is when utility companies require me to "authenticate" over the phone with my name, address & dob: all publicly (to varying degrees) available information.


My pet peeve is an incoming call with an authentication demand (name, DOB) before we speak. As if I'm going to tell my personal info to a random caller, no matter whether it is publicly available or not. At the same time they easily send me SMS with private accounting info.


There are many people who get scammed through such calls. I believe it is up to the technology and technology security savvy people to constantly educate others.


Even today when I speak about info security they look at you like you're wearing a foil hat. Another scam is people knocking on doors to "deliver useful social information" and asking for your IDs/signature in the end. It may be marketing info collection or even simply visual wealth evaluation, but sure there are those who believe it's done with good [edit:] intentions.

I usually let them tell their tale (outside my room, of course), ask a lot of questions, nod along happily, and in the end I say thanks, but I'm sorry, I don't disclose my info, full stop. Their butthurt is sometimes too cool to watch without popcorn.


I always hoped those tests were more about a human measuring my reaction speed.

If I am who I say I am I should be able to answer all three without much thinking and answer naturally to my name.


What exactly does “fingerprint data has been compromised” mean? Someone lifted my print off a glass?


Lifted it off a glass/phone/anything else you touched. Or it can be "compromised" in the same way your SSN can be compromised through hacking. The millions of people who were exposed in the OPM hack all have records of their fingerprints now floating out on the darkweb somewhere.


It could also be someone lifting it off through software on your phone if you had a device with a terrible implementation for handling fingerprints. See this piece about the HTC One Max from two years ago [1]: the fingerprint was stored as a bitmap image in a "world readable" folder and refreshed with the image from the latest touch!

[1]: http://www.theregister.co.uk/2015/08/10/htc_caught_storing_f...


Someone

1) lifted it off some surface,
2) got the right fingerprint when they did it,
3) modeled a fake fingerprint well enough that it would fool TouchID, and
4) was able to get access to your TouchID device while you weren't aware or were unable to stop them.

Most experts recommend that you instead use a PIN code of at least 6 digits, or a password of at least 12 random characters using at least one number and at least one punctuation mark. In that case the attacker's algorithm changes to

1) check for a Post-it note containing the password on the computer monitor, or
2) check purse or wallet for a Post-it note containing the passcode.


A badly-written program that stores the fingerprint data in a reversible/plaintext manner. Once their database gets pwned (and/or is left wide open on the cloud) your biometrics can be reconstructed and used to authenticate as you.


As far as your phone is concerned, yes. Nine times, for most people.


Believe it or not it's actually nineteen times, not nine. Though the last ten introduce a fair amount of inconvenience and eww-factor when unlocking your phone.


I don't know about Apple phones, but I had luck getting my phone to unlock by using my chin. It wasn't really reliable (stopped working after a few hours, probably because of the beard growing), but I'm sure we can figure something out.


Being male, I actually have 21 digits, if you can stomach more inconvenience and eww-factor when unlocking a phone.


I tried using TouchID with my toes and it didn't really work.


> Nine times, for most people.

It's not too difficult to get access to the full 50000-odd combinations (see https://support.apple.com/en-us/HT204587 for where that number comes from) Apple hardware can identify with a little work.

https://www.theguardian.com/technology/2014/dec/30/hacker-fa...


You can only try a few before the phone locks itself, I believe.


The idea was to be able to use more than your own 10 fingers for locking/unlocking as the owner. Not to brute-force TouchID as a thief.


This is irrelevant, because if you believe that you're at risk from your fingerprint data being compromised, you can always fall back to not using biometrics at all. They aren't your primary authentication mechanism.


Whether you can fall back to not using biometrics is irrelevant to whether biometrics are equivalent to usernames or passwords. In fact, your point that one can fall back to not using biometrics once they are compromised proves that biometrics are not equivalent to passwords.


At no point have I argued that biometrics are equivalent to passwords. But to conclude that biometrics must be equivalent to usernames because of that fact would be a false dichotomy. Biometrics serve an auxiliary role in security as an optional, subservient supplement to passwords.


If you never use your password do you then expect to remember it?


Yes. If you read about how biometrics are implemented on handsets, a user is required to enter their password every time that the device is rebooted. The password is also required at random intervals, once every few days or so. And if the biometric scanners log a handful of failed accesses, the handset is locked and a password is again required to enter.


The trend is we are going to see more use of biometrics to authenticate.


I don't leave an impression of my keys on everything that I touch.


If your fingerprint scanner is based on simple ridge profiles, then it shouldn't be used for security. For example, some recent Apple keynotes claim they now use sub-dermal features for identification.

Implementation matters more than what the sensor is authing with.


What if we did something like a mix of password + finger print, by using multiple fingers in a pattern?

Like, say, middle - index - ring.

It would be doubly unique.


It would be more unique but it would take away the convenience of having your phone unlocked nearly instantly with your finger. If you're going by security, a password plus fingerprint would be most secure but inconvenient.


No. A key to your house can be easily changed. You can not change your biometrics without surgery, and even then, you still often can't really change them.

Biometrics make poor passwords.


Biometrics aren't passwords. They are unique identifiers and they make the best, most secure access control identifiers there are.

Because security that people use is >> security people won't use


Right. Unique identifiers == usernames, NOT passwords.

You can't change them, therefore they make poor secrets.


Fingerprints are better passwords than no password.

And the hassle of entering even a 4 digit numeric PIN was what Apple was trying to overcome.

Too many people were leaving their phones completely unlocked all the time.


It's irrational, but I'm not going to use a security measure that increases the likelihood a malicious actor removes my finger.


1. Then you have the option not to use it, and always will (biometrics are used to augment passwords, not replace them).

2. Using passwords as a security measure increases the likelihood that a malicious actor will beat them out of you with a five-dollar wrench (and this does not mean that passwords are a bad idea).


If a malicious actor will cut off your finger, he'll also put a gun to your head and demand the password... which you will no doubt give him.


And it's much easier to point a gun and demand the password.

The psychological detachment required to cut off a finger significantly lowers the number of criminals that will unlock your phone against your will.


Seriously, the number of fingers cut off since the introduction of the iPhone 5s certainly amounts to zero, or we would have heard the information buzzing around on all the cheap news networks almost immediately.

So I'm pretty confident by now that this argument is moot.

Yet we still don't have enough mileage to determine if face peeling will be a more likely issue with the iPhone X. But I could bet that "face offing" is relatively no more likely than finger cutting...


But it certainly was the reason why Mercedes stopped using thumbprints for cars in Asia. The thieves just cut off the finger.


Sources for that?


The iPhone has a liveness test as part of its biometric.


I wonder if the finger cutter knows that...


If someone is willing to cut off your finger to access your device, that means they have access to you and the device and the means to convince you to unlock it.

Cutting off someone's finger to access their phone is like using high explosives to blow up a door you can easily kick open. Criminals actually don't want to get caught.


Maybe the first one won't, but the next time they most definitely will. Stealing a phone is one thing, cutting someone's finger is another risk-wise. So if you have to dramatically increase the potential penalty for getting caught, you'll make sure it actually works before doing it repeatedly, and this kind of info is shared among thugs.


I have some important stuff on my phone, but not important enough to give up a finger.

When the bolt cutters come out they are in. Sue me.


  username   • password 
  public     • private 
  detachable • non-detachable 
  unique     • arbitrary
A name has to be unique. But it can simultaneously be used as a password if it is impossible to detach (copy) it and associate it with another thing. One way to do it is to simply hide it, like private keys and normal passwords, but in this case it cannot be used as a name. An alternative approach is to make it difficult to copy/reproduce (similar to normal car or house keys). In the case of fingerprints, they can well be used as a password (in addition to their role as a name) until it is impossible to create artificial fingers and attach them to other persons.


Fingerprints are not private though, so they fail your very first criterion of passwords. Fingerprints are also not arbitrary[1]: it is possible to combine two (or more) fingerprints, resulting in a new "fingerprint" in its own right, as well as being a fingerprint that is similar enough to the two (or more) original fingerprints to have a high chance of fooling most sensors on smart phones for all fingerprints involved. Also, uniqueness vs. arbitrariness smells like a false dichotomy to me. Something can be both arbitrary and unique (see for example UUIDs).

[1] - https://www.nytimes.com/2017/04/10/technology/fingerprint-se...


Only 1% of Dropbox users have two-factor auth enabled. But probably only 10% of Dropbox users care about the security of their files. I don't.


Why is this getting reposted? I’d argue this is very shortsighted especially coming from a security professional. TouchID has been a huge leap forward in consumer device security.

Security design must take into account usability. Fingerprints (and now faces) make it easy to use stronger passcodes. If you don’t use biometrics, people use weak passcodes. That’s clearly a worse outcome.

Sure, it’s even stronger to not use biometrics and enter a strong high entropy passcode every time you want to unlock your phone. But to actually advise something like that as a better approach in a consumer device than TouchID is simply to advocate a guaranteed worse security outcome. Maybe you “cover your ass” as a security acolyte and blame the compromised user for not following your stringent prescriptions, but that’s not owning the outcome. You have to consider usability.


Considering the law can compel you to use your fingerprint to unlock a device, it cannot do the same for a passcode, which only lives in your head.

For this simple, pragmatic reason alone, a pass code will ALWAYS, 100% of the time, beat out any supposed biometric security advantage.

Usability only goes so far, otherwise we wouldn't even have doors on our houses.


First of all TouchID is layered on top of a passcode, so you still have good protection from being compelled to provide a fingerprint.[1]

Second, you’re missing the point. Passcodes do not “always 100% of the time beat out” biometrics if the passcodes are weak or nonexistent. Which was the case prior to TouchID.

[1] https://www.theverge.com/2017/8/17/16161758/ios-11-touch-id-...


I’m not sure why protecting my device from the police is that big of an issue. I’m not worried about cops stealing my phone and buying stuff using Apple Pay.

And to use your door metaphor, do we install doors to keep out the police? Is that really the average person's concern?

You make it sound like everyone is a drug trafficker or some kind of mobster. I don’t lock my doors to keep out the police; I lock them to keep out criminals that want to steal my stuff.


I'm not worried about the law, I'm worried about some guy shoulder-surfing my 6-digit PIN and then pickpocketing me.


Considering that most people don't use secure passcodes, for the entire population of users biometrics will ALWAYS, 100% of the time, beat out any supposed passcode security advantage.


No, they're really not either. The whole username vs. password debate is like asking whether the key to your house is a username or password.

Biometrics are used as the key that unlocks a device (or app or asset within the device). And like the house they require physical proximity. And, yes, just like the house key there's a decent chance that someone who lives near you has the same key type (device type -- apple/samsung/lg/etc.) and keying (fingerprint data points) on their front door (phone).

But those odds are basically irrelevant as an attack surface.

For a native app on a phone the "username" is proxied to the device id, once linked to the user.

I think the article being 4 years old reflects a 4-year-old fear of the new and misapprehension of where security problems would arise in the future on biometrically locked phones.


I can rekey my house locks, I can change my password, I can.... what my fingerprints?

The reason that fingerprints are a username is that they're a static value associated with the identity of the person, which is later impossible to change.

There's no reason you can't also use a username as a password (though there are lots of reasons you shouldn't), but it's clear that fingerprints are closer to username than password.

By contrast, the key to your house is clearly a password -- it's a changeable value used to authenticate to a mechanism that you're authorized to operate.


>I can rekey my house locks, I can change my password, I can.... what my fingerprints?

Years of poor security have taught us that we need our authentication to be easily changeable in order to be secure. It's not true. Passwords need to be changed because they can be guessed. They can be leaked. Any person sitting down at any keyboard could type any random string of characters and, given enough time, figure out someone's password. It doesn't work the same for fingerprints. There is no number of times I can press my finger on your scanner and trick your scanner into thinking I am you. Your fingerprint only needs to be changed if someone steals your finger and keeps it in a state where modern fingerprint scanners will still recognize it. That is exceedingly difficult to do.

We need to get it out of our mind that "we change our passwords regularly, we should change our fingerprints too". Bad security advice led to routine password expiration, and that bad security advice lives on. It's still bad.

>it's clear that fingerprints are closer to username than password

That is not clear in any way, either in theory or in practice. The entire argument works on "fingerprints are publicly visible and cannot be changed" which would suck for a password, but fingerprints are not a password. That's why there's an entirely different name for it. Yes, I can see your fingerprint. But TouchID isn't going to be fooled by a piece of scotch tape lifted from your desk, so it doesn't matter.

Fingerprints are neither a username nor a password. They are a uniquely identifying attribute. Usernames and passwords are not. There is no comparison between the two authentication systems.


> There is no number of times I can press my finger on your scanner and trick your scanner into thinking I am you.

Or I could print random patterns on gel circles I put on my finger and try until one works, which is the equivalent of your password example. (There are digital equivalents of spamming fingerprint reader values to the security chips, which in practice are faster.)

It's exceedingly easy to try a fake fingerprint, and even if it weren't, it would still be possible to generate fake signals between the sensor and verification chip or fake signals to the sensor. There's no difference here between finger prints and passwords.

> Passwords need to be changed because they can be guessed.

lol, no.

Passwords need to be changed when they're compromised -- a good password is exceedingly hard to guess, to the point we should never expect it to happen, but they can be leaked through other means.

Similarly, you leave your fingerprints everywhere. So you actually leak your fingerprint values constantly while leaking password values only occasionally. This makes passwords substantially more resistant to capturing the value out-of-band than fingerprints.

> we change our passwords regularly,

This isn't best practice and isn't what most of us do; we change our passwords when they become compromised, which happens through a variety of mechanisms. (Or when we suspect that they may be compromised.)

> Bad security advice led to routine password expiration, and that bad security advice lives on. It's still bad.

Everyone knew this was bad, and NIST recently updated their recommendations against routine password expiration. However, that has nothing to do with what we're talking about in terms of username-versus-password status for fingerprints.

> it's clear that fingerprints are closer to username than password

> fingerprints are not a password

Well, I'm glad we agree.

> But TouchID isn't going to be fooled by a piece of scotch tape lifted from your desk, so it doesn't matter.

But it is fooled by easy-to-produce prints placed over my finger based on the Scotch tape lifted from your desk. This has routinely been demonstrated with fingerprint scanners, including on iPhones.

> They are a uniquely identifying attribute.

That's what a username is, lol.

I'm going to recommend you learn more about most of these things before you make security recommendations, because you were factually wrong a few times, and made erroneous conclusions based on that.


Your opinions are based on exceedingly bad and outdated security practices, and you seem proud of this for some reason.

I'm wondering what you might say if you were living in the time when cars began to replace horses. Would you have said cars were a terrible mode of transportation because they won't defend themselves against a thief and don't consume hay?


I would appreciate you pointing out specific practices you think I have wrong, and what the right ones are for those issues.



Yes, your argument is based on the idea that fingerprints can't be leaked in practice, which is false.

It's worked for years against a variety of scanners, and is likely always going to be viable because of how scanners work -- a thin overlay can be made of things that are indistinguishable from a finger surface to the scanner, but which triggers the critical points.

If you think that's changed in the past few years (which you seem to), I would appreciate something a little more substantive than your random comment on HN.


But is a username really static? It is to some point until you decide to deactivate an account or abandon it in case you can't.


The debate about username vs. password can be more formally described as a debate about public part of the credentials vs. private part of the credentials. Let us call them public identifier and private identifier.

One very important property that I expect any private identifier to satisfy is that it can be changed once I believe it has been compromised.

My fingerprint data cannot be changed, once compromised. Therefore it cannot be a private identifier. Thus this is not a password. What is not private should be considered public by Kerckhoffs' principle. Thus fingerprint data should be considered to provide the same level of security that a username provides.


But even assuming that your fingerprint is publicly known, depending on the quality of the scanner, it can still be very difficult/expensive to create a good-enough artificial finger. Even more so for FaceID, I imagine.

That's where comparison with user names or passwords breaks.


Original author here. This article is more pertinent today than ever before!

Your face is your username, not your password.

Use it like you use your username. But never as something secret, personal, unknown like your password.

The same goes for any biometric. Fingerprints, voice, iris, gait, DNA, etc. No matter how much they try to sell you authentication through biometrics, it's total b.s.

@DustinKirkland


I said this in a previous thread [1], but I'll restate here:

Your face or fingerprint is neither your username nor your password. It's a form of identity. The combination of username and password is another form of identity. A certificate chain is another form of identity. Not all forms of identity are separated into two components like username and password. And different forms of identity have different properties and applicability.

Trying to shoehorn a form of identity like a face or a fingerprint into the username/password template is counterproductive and will only add unnecessary confusion. Please stop. Dumbing down security and removing the nuance is how people get it horribly wrong.

Security is very dependent on context. Authenticating with a phone is very different from authenticating over the internet which is very different from authenticating in a situation where you're physically present with another human being (credit card, bank teller, etc). Authentication schemes need to be designed for the specific use case in which they're used and no rule is universal.

[1] https://news.ycombinator.com/item?id=15233454


My big issue with this argument is that usernames and passwords are a means to an end. That end is (in many cases) establishing identity. One can establish identity in other ways. For example: every morning when I open the door to my house after my early morning run, my wife greets me in the kitchen and asks me how my run was. She (thankfully) does not hit me on the head with a frying pan and call the cops about an intruder. My biometrics work awesome for establishing that I'm "me" in the real world. I don't think it's too big a stretch to imagine a world where my computer is as good at looking at me and identifying that I'm "me" as my wife.


The main property of fingerprints, just like faces and other biometrics, is that they are supposed to be not detachable from the thing (person) they represent. Therefore the authentication processes based on them should somehow guarantee the presence of the person itself. Usernames, on the other hand, are separate entities and therefore it is necessary to provide a secret for authentication. A house key can also be passed to other persons without any protection, and hence that person should additionally authenticate themselves as the true owner.


I would like to offer my 2 cents.

Biometrics are good for unlocking X if the person who cares about the security of X is the person who oversees the registration of the biometrics.

In this case you are the person and X is ... the phone. That's it, the phone.

You should not be using biometrics-derived data for any passwords except to unlock your phone (or that place with the security guard making sure you registered your face the first time). Because REPLAY ATTACKS.

After that you're supposed to use challenge-response by some auth app on a device. So your fingerprint IS a password for the device but not for external services.

Passwords in general are vulnerable to replay attacks!
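The replay point made in the last two comments (a captured static secret can simply be sent again, while a challenge-response from an auth app cannot) is easier to see in running code. The example below is added here and is not from the original thread or any product: it constructs a toy user "alice" with a static password on one server and a per-device HMAC key on another, then shows what an eavesdropper who captured one exchange can do against each. The key, the nonce format and the servers are all assumptions for illustration.

```python
"""Why a static secret replays and a challenge-response does not.

Added example, not from the original thread or any product. Two toy servers
with a constructed user "alice": one checks a static password, the other issues
a single-use random challenge and checks an HMAC over it computed with a key
held by an authenticator app on the device. An eavesdropper who captures one
exchange can replay the password but not the challenge-response.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class PasswordServer:
    """Static-secret login: whatever crossed the wire is the credential."""

    def __init__(self, passwords: Dict[str, str]) -> None:
        self._passwords = passwords

    def login(self, username: str, password: str) -> bool:
        stored = self._passwords.get(username, "")
        return hmac.compare_digest(stored.encode(), password.encode())


class ChallengeServer:
    """Challenge-response login keyed per user; each challenge is single use."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys
        self._outstanding: Dict[str, str] = {}  # username -> nonce awaiting a response

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self._outstanding[username] = nonce  # replaces any earlier, unanswered challenge
        return nonce

    def login(self, username: str, nonce: str, response: str) -> bool:
        expected_nonce = self._outstanding.pop(username, None)  # consume: one shot only
        key = self._keys.get(username)
        if expected_nonce is None or key is None:
            return False
        if not hmac.compare_digest(expected_nonce, nonce):
            return False  # stale or forged nonce
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def authenticator_respond(key: bytes, nonce: str) -> str:
    """Client side: the auth app signs the server's nonce with its device key."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def replay_static_password() -> Tuple[bool, bool]:
    """Attacker captured ("alice", "hunter2") once and sends it again."""
    server = PasswordServer({"alice": "hunter2"})
    captured = ("alice", "hunter2")  # constructed sniffed exchange
    return server.login(*captured), server.login(*captured)


def replay_challenge_response() -> Tuple[bool, bool, bool]:
    """Attacker captured one (nonce, response) pair and tries it twice more."""
    key = secrets.token_bytes(32)  # hypothetical key provisioned to alice's auth app
    server = ChallengeServer({"alice": key})
    nonce = server.challenge("alice")
    response = authenticator_respond(key, nonce)
    genuine = server.login("alice", nonce, response)
    replay_same = server.login("alice", nonce, response)  # nonce already consumed
    server.challenge("alice")  # a fresh nonce is now outstanding
    replay_new = server.login("alice", nonce, response)  # stale nonce, rejected
    return genuine, replay_same, replay_new
```

The static-password server accepts the captured pair every time; the challenge server accepts the genuine response once and rejects both replays, because the nonce is consumed on first use and every later challenge is different. Note that the HMAC key is a changeable device secret, not anything derived from the biometric itself.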


My password is my password.

My face is not my password, it is my face.

This kind of weak analogy you're trying only weakens the discussion.


Any stats for how many phones with Touch ID enabled have been compromised since you wrote this article? I've got a feeling it's zero.

In your article you wrote how incredibly easy it is, so why haven't I heard about it happening?


What about the face ID for women wearing the hijab. What is her username? Is it her publicly veiled face, or her private natural face?

As people age, or are otherwise disfigured, does their username change?


Fingerprints are tokens, just like usernames and passwords.

Oddly enough, from a trust calculus standpoint usernames are not particularly valuable; we could do away with them entirely and the logic of authentication wouldn't change (though usernames add some very nice logistics that from a practical standpoint we don't want to give up).

At a very basic level, a single token suffices to authenticate: something you have, know, or are does prove you are who you claim to be (usernames just give a convenient handle to that). So, an OTP from a fob, a password, or a fingerprint at a very basic level is enough.


Huh? Usernames are essential as they scope the credential.

If you just uttered the magic word to a service logon page, anyone uttering the word gets in.

You see the weakness in this type of scenario with Touch ID. If my wife's fingerprint is on my phone, she can access my Touch ID enrolled banking app.


> anyone uttering the word gets in.

Right. That's how a speakeasy works. It's the most basic form of authorization


This overly simplifies things. Passwords are primary authentication, biometrics are secondary authentication. Biometrics should only be used when a password has already been established, and then only as a shortcut to entering that password; furthermore, authenticating via biometrics should put one into a limited-access state that disallows tampering with primary authentication mechanisms. The result is that anyone spoofing a fingerprint would be unable to completely own another device.

The tradeoffs inherent to this are well-described elsewhere: a lower degree of absolute security in exchange for a higher proportion of users with any security at all; in lieu of the convenience offered by biometric authentication, enormous swaths of users leave themselves wide open. And since biometrics are just a convenience, anyone who does require absolute security can easily choose to forgo them entirely.
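Two comments in this thread describe the same handset policy from different angles: the earlier one lists when the passcode is demanded (after every reboot, after a few days, after a handful of failed biometric attempts), and the one just above argues that a biometric unlock should land in a limited-access state that cannot tamper with the primary credential. The following state machine is an added example, not any vendor's code, putting those rules together. The 48-hour interval, the failure threshold, and the representation of a fingerprint match as an exact template-id lookup are all assumptions for illustration; real matchers are fuzzy.

```python
"""Device unlock policy with biometrics layered on a passcode.

Added example (not any vendor's code) modelling the rules described in the
thread: the passcode is the primary credential, biometric unlock is a shortcut
that is refused after reboot, after a maximum interval since the last passcode
entry, and after too many failed biometric attempts; a biometric unlock yields
a limited session that cannot change the passcode or enroll new biometrics.
Template matching is simplified to an exact template-id lookup (real matchers
are fuzzy); the interval and failure limit are hypothetical values.
"""
import hashlib
import hmac
import os
from typing import Optional, Set

PASSCODE_REQUIRED_AFTER_SECONDS = 48 * 3600  # hypothetical: force passcode every 48h
MAX_BIOMETRIC_FAILURES = 5                   # hypothetical lockout threshold


class DeviceLock:
    def __init__(self, passcode: str) -> None:
        self._salt = os.urandom(16)
        self._passcode_hash = self._derive(passcode)
        self.enrolled: Set[str] = set()          # enrolled biometric template ids
        self.biometric_failures = 0
        self.last_passcode_auth: Optional[float] = None  # None == not since reboot
        self.session: Optional[str] = None       # None, "limited" or "full"

    def _derive(self, passcode: str) -> bytes:
        # Slow, salted hash so a dumped state store does not reveal the passcode.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 200_000)

    def reboot(self) -> None:
        # After a reboot nothing is unlocked and biometrics are not accepted.
        self.session = None
        self.last_passcode_auth = None
        self.biometric_failures = 0

    def lock(self) -> None:
        self.session = None

    def biometric_allowed(self, now: float) -> bool:
        if self.last_passcode_auth is None:
            return False  # passcode has not been entered since boot
        if now - self.last_passcode_auth > PASSCODE_REQUIRED_AFTER_SECONDS:
            return False  # periodic passcode re-entry is due
        if self.biometric_failures >= MAX_BIOMETRIC_FAILURES:
            return False  # too many misses: fall back to passcode
        return bool(self.enrolled)

    def unlock_with_passcode(self, passcode: str, now: float) -> bool:
        if not hmac.compare_digest(self._derive(passcode), self._passcode_hash):
            return False
        self.session = "full"
        self.last_passcode_auth = now
        self.biometric_failures = 0  # a correct passcode clears the biometric lockout
        return True

    def unlock_with_biometric(self, template_id: str, now: float) -> bool:
        if not self.biometric_allowed(now):
            return False
        if template_id not in self.enrolled:
            self.biometric_failures += 1
            return False
        self.biometric_failures = 0
        self.session = "limited"  # shortcut only: no credential management
        return True

    def enroll_biometric(self, template_id: str) -> None:
        if self.session != "full":
            raise PermissionError("passcode authentication required to enroll a biometric")
        self.enrolled.add(template_id)

    def change_passcode(self, new_passcode: str) -> None:
        if self.session != "full":
            raise PermissionError("passcode authentication required to change the passcode")
        self._salt = os.urandom(16)
        self._passcode_hash = self._derive(new_passcode)
```

The property worth checking is the one the comment above asks for: a spoofed fingerprint gets a "limited" session from which neither `enroll_biometric` nor `change_passcode` succeeds, so the attacker cannot convert a one-off spoof into persistent ownership of the device, and after `MAX_BIOMETRIC_FAILURES` misses the sensor is ignored until the passcode is entered again.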


Thoroughly agree, though more from a philosophical standpoint. I would argue using biometrics as passwords removes an element of intent.

A fingerprint can be used against your will; it is significantly harder to be forced to use a password that exists only in your mind.


>it is significantly harder to be forced to use a password that exists only in your mind

That's debatable, but it's also significantly easier to steal or guess a password than it is to steal or guess a fingerprint. The evidence for that is how many password breaches we've had over the years compared to the number of fingerprint breaches.

But it doesn't matter because it's trivial to put a gun to someone's head and force them to give up their password. As soon as you're open to using physical force, there's not much you can't do.


That's a very interesting perspective! But you must recognize that it's a very abstract approach, no?

I mean, when someone identifies themselves through biometry, there's clearly an element of intent. And if they write down passwords on sticky notes, or anywhere else really, it's about as available as a fingerprint is, if not more.


When someone identifies themselves, yes; what about when we identify others through biometry?

The scene I'm reminded of is the one in Minority Report(?) where the main character is walking through a bank of bio-sensing ad displays, and has to not look at them to make sure they can't identify him from his iris/retinas.

As an analogy, imagine you take a picture of someone at an antifa vs. alt-right protest that turns violent.

All the picture tells you is they were there; it doesn't tell you whether they supported antifa, or supported the alt-right; it doesn't tell you if they were there as a police officer trying to keep the peace, or if they were simply trying to get in the front door of their apartment building when a clash broke out outside.

The biometry reveals their presence - it doesn't reveal their intent.


I was really thinking in biometry as used in a more ordinary situation, like a laptop fingerprint reader. With the most likely form of malicious behavior here being that of identity theft by a small-time attacker. Having to dodge biometric sensors or trying to avoid having your photograph taken at protest are more an issue of surveillance, either by government or by private citizens.

Sorry for not making myself clear at first, but what I mean is that passwords aren't a sufficient guarantee of intent either. If anyone has access to them, they can spoof someone's identity. I reckon that this doesn't really fit a civil rights discussion, because we haven't (I think) reached such a point yet, but government-backed attacker might spoof someone's identity in order to either infiltrate or hijack a civil organization. Essentially, a virtual mole.


> I mean, when someone identifies themselves through biometry, there's clearly an element of intent.

If I grab your finger and press it to your device, so that I can access your data, the intent is mine, not yours. Ideally, an auth method works with the intent of the user and only the user. That's his point. You can't grab/cut a passcode out of someones brain and place it on the scanner.


If a passcode is available in the world, it can be grabbed and intent can be feigned just as well.


> If a passcode is available in the world

Yes, but it only exists in the world during user intent. This isn't the case for an auth method which is entirely based on physically having something within your proximity. If I stand close to you, your auth method is now in my proximity, available for me to use, or possibly even take.


I see this argument a lot, but I don't really see it accompanied by an argument about what the passwords should be. Companies are gravitating toward biometric authentication methods because consumers have "password fatigue". They can't memorize a long secure password for every site, app, and device, so they resort to using a single password everywhere (which may or may not be displayed on a postit note stuck to their monitor).

All this article offers is:

> For authentication, you need a password or passphrase. Something that can be independently chosen, changed, and rotated.

Okay, so fingerprints aren't passwords, but what we need instead are passwords, which we know don't work either. Best practices for password security are ignored by consumers because they're onerous, and biometric authentication seems to be insecure by default. What's the solution then?


Proper modern approach adds thermal, or at least 1 other biometric sensor. Just as Windows hello relies on more than a pic, plus IR, + thermal. I suspect Apple X does this minimum.

More features can, but not always, improve the model. As pointed out by Tim Cook it goes from 1 in 50000 odds of duplicate result to 1 in 1,000,000. And that's 1,000,000 that would need to try on your phone.

FBI is probably running load tests now to see if they can brute force.


And smarter organizations are deploying things like mooltipass https://www.themooltipass.com/ and keepass http://keepass.info/


Just use a password manager with a single long secure pass phrase you can remember.


That falls under the "too onerous" category I think. I'm not speaking for myself, but for the fact that password managers exist, and yet we still have issues with password security. So that doesn't seem to be a fix for the problem.

We're really fighting human nature here, so maybe the solution is psychological, rather than technological.


Not a great process for unlocking your phone.


I'd argue that what passes for best practice (i.e., symbols, numbers, upper/lower case) is not best practice.

As always, relevant xkcd: https://xkcd.com/936/

For many services, I have a few 'default' words or phrases that I'll use as a base for the password to build up length, followed by a word or two that tie to the specific service; to make up an example, for Twitter it might be "extrawordsthensocialchirpynoise".

Of course then the symbol/number/upper/lower rules become a pain in the arse - unless you build them into the extra words: "3Xtraword$thensocialchirpynoise".

Though all that said, I can't actually remember what my HN password is...


I'm not typing a 13 character phrase every 15 minutes when I unlock my phone. Before TouchID, I didn't even bother with a PIN since it was such a PITA to unlock.


I've been checking the xkcdpass utility (available on Debian). Generated 50 sets of 100,000,000 passwords each, comprised of six words (the default), then sorted these uniq, and counted the output lines.

Any duplicates would result in fewer than 100,000,000 lines.

All fifty trials had no dupes.

Took most of a week to run that, on an older box :)

Previously mentioned:

https://news.ycombinator.com/item?id=14757672
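The birthday-bound arithmetic behind that experiment, as an added example that is not part of the comment: it computes how many duplicate pairs a batch of n uniformly drawn passphrases should contain, and runs a scaled-down version of the sort | uniq check on a tiny wordlist where collisions are actually plausible. WORDLIST_SIZE of 7776 is an assumption; the comment does not say which list xkcdpass used.

```python
import math
import random

# Assumption: xkcdpass draws from a list of this many words (the size of the
# familiar diceware-style lists); the comment does not say which list it used.
WORDLIST_SIZE = 7776
WORDS_PER_PHRASE = 6            # the xkcdpass default named in the comment
PHRASES_PER_TRIAL = 100_000_000
TRIALS = 50


def passphrase_space(wordlist_size, words_per_phrase):
    """Distinct phrases available when each position is drawn independently."""
    return wordlist_size ** words_per_phrase


def expected_duplicate_pairs(space, n):
    """Birthday bound: expected number of colliding pairs among n uniform draws."""
    return n * (n - 1) / (2 * space)


def draws_for_half_collision(space):
    """Batch size at which a duplicate becomes a coin flip: about sqrt(2 N ln 2)."""
    return math.isqrt(int(2 * space * math.log(2)))


def count_duplicates(phrases):
    """The 'sort | uniq | wc -l' check: how many lines are lost to duplicates."""
    return len(phrases) - len(set(phrases))


def simulate(wordlist_size, words_per_phrase, n, seed=0):
    """Scaled-down experiment: constructed phrases drawn from a tiny wordlist."""
    rng = random.Random(seed)
    phrases = [" ".join(str(rng.randrange(wordlist_size))
                        for _ in range(words_per_phrase)) for _ in range(n)]
    return count_duplicates(phrases)


if __name__ == "__main__":
    space = passphrase_space(WORDLIST_SIZE, WORDS_PER_PHRASE)
    per_trial = expected_duplicate_pairs(space, PHRASES_PER_TRIAL)
    print(f"phrase space N = {space:.3e}")
    print(f"expected duplicate pairs per trial = {per_trial:.2e}, "
          f"over {TRIALS} trials = {TRIALS * per_trial:.2e}")
    print(f"draws for a 50% chance of one duplicate = {draws_for_half_collision(space):.3e}")
    # 10 words, 2 per phrase: only 100 combinations, so 30 draws will usually collide.
    print("duplicates in the scaled-down run:", simulate(10, 2, 30))
```

With the comment's parameters it reports roughly 2.3e-8 expected duplicate pairs per trial (about 1.1e-6 across all 50), so an empty result is exactly what the arithmetic predicts; a duplicate would only become likely around 5e11 phrases per batch.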


Something you have. Something you know. Something you are.

The problem with the third factor has always been a balance between cost, inconvenience and how easy it is to turn it into just another something an attacker has.

Retinographic analysis is gold standard but it's hellishly expensive. Fingerprints can be copied. Easily. Facial and behavioural analysis sit somewhere in the middle, with too much scope for false negatives.

So fingerprints aren't a username or password because they're not that factor... But used alone, they can be as weak as a username, in many senses.


This argument seems especially dated in retrospect. Since Apple introduced Touch ID in 2013, I can't recall even one single case of criminals or law enforcement using biometrics to access someone's iPhone. Same for any other phone manufacturer.



This sounds like an Apple Watch feature! Watch removed, or your pulse stops for more than a few minutes, or your pulse goes too high without physical activity (adrenaline), a passcode is required for all devices on next use.


Agree about fingerprints, as they are left around everywhere and thus easy to capture. However, FaceID should be significantly better. As Apple talked about, FaceID only works when your eyes are open and also tested/hardened against modeling.


this is a common argument by those who do not understand biometrics

a biometric is a username and a password

- yes, i know the purpose is to say that the biometric should be used as a password, but that changes the declarative statement quite a bit in my opinion


I think it's a common argument for people who think biometrics are a bad idea for security.

I.e. you can change your password, you can't change your thumb/face/biometric (easily).

At best, a fingerprint establishes identity, therefore it has more in common with a username, drivers license, social security number, etc. than it has in common with a password.


The problem is these people are thinking in terms of absolute security.

Ideally you have a user name, a password, some sort of 2FA and also biometrics.

But the alternative for iPhones was leaving them without even a PIN because entering a 4 digit numeric pin was too much hassle for most people... so Apple lowered the bar and increased security with biometrics.

They are trying to do it again.

If you want ultimate security, then you can have a very long alphanumeric password, and turn off touchID and faceID.


Honestly, a biometric used solely on a device in your possession is not that bad. It is not being transmitted or stored remotely, which would be worse. But it would have been better if it were not a biometric that was being left everywhere.


>At best, a fingerprint establishes identity

Nope. At best a fingerprint establishes identity in a unique and authoritative manner. My name is an identity, and anyone can say or write my name. My SSN is an identity, and anyone can say or write my SSN. No one else can speak, type, write, or otherwise express my fingerprint. That is far beyond simple "identity".


> No one else can speak, type, write, or otherwise express my fingerprint.

Neither can you. You can only show your fingerprint for inspection - and so can anyone else.

And, unlike SSN or even your name, you leak fingerprints (and facial info) everywhere, all the time.


>Neither can you.

That's the point. It's not something I know, it's something I am and only I am that thing.

And unlike a password, if you want my fingerprint you have to be physically near me, and if you want to authenticate as me you need my authentication hardware. A Brazilian hacker isn't going to unlock my iPhone without first flying to the US and then locating me in both space and time to gain access to my fingerprint and my phone simultaneously. But with a password, they could easily go to www.gmail.com and type whatever they want from the comfort of their own home.


There is no identity without authentication. A fingerprint gives a little bit of weak authentication, in the clear, easily observed, easily forged, and irrevocable -- as bad as it gets.


Yes, but the author is preaching to the choir. The real problem here is educating the public at large as to why it's insecure and in what situations biometrics are unacceptable.


Is it? I'd say the public has a pretty good intuitive idea of the security properties of fingerprints. Better than the author here anyway, who seems to think fingerprints are as easy to copy as usernames.


The problem is with how security is depicted in movies and television series. Cinematographic things will always receive more eye-candy value and feature bigger.

So to educate the audience security-wise, one would need to raise the eye-candy value of good passwords.


Discussion at the time (257 comments):

https://news.ycombinator.com/item?id=6477505


I'd rather use my fingerprint on my phone than have a hacker look at the finger oil smudge patterns on the glass to decipher my password. And with my fingerprint I don't need to worry about hiding my password entry.


I don't even like the idea of biometrics for user names. I don't want malicious actors to easily correlate distinct accounts (this guy's fingerprint has an account at Facebook, Reddit, Chase Bank, ...).


I am more than the checksum of my whorls and curves, sir/madame!


Not to the Machine, f45875e0b18fa3bb81e0739952acbea9ed458113. Get in line.


+1 on this

though I use fingerprints on my laptop, I'm quite aware that it's really easy to leave any fingerprint anywhere

(I use it because I type slow)


My mother's maiden name and the color of my first car are also usernames.


Biometrics are for identification. Passwords are for authentication.


In the same way SSN's in the US are usernames, not passwords.



