Biometrics are not usernames or passwords. They are a separate thing that has some similarity to both. A unique key is likewise neither a username nor a password but could act as both in the right circumstance.
The discussion of biometrics is not advanced by parroting this hollow statement again and again. Please stop. There are compelling arguments why biometrics can be problematic. “It’s a username, not a password” is neither compelling nor truthful.
It seems a bit harsh to me as well but since you read the "fingerprints are just user names" mantra way too often on Hacker News, maybe the author of the comment thought it was time to become a bit louder.
Here's my take on it:
If you enter a passcode anyone close to you can see you enter it. It's much easier to figure out what you're typing on a smartphone than on a keyboard, and the oily residue on the touchscreen makes it even easier.
A fingerprint on the other hand cannot be observed. Someone has to follow you or already know where you live and take fingerprints off doorknobs or something like it. It takes a lot of time and the failure rate is still high. Then they have to use it on your device, so they have to have access to the device as well.
Fingerprint scenarios make sense for _targeted_ attacks, when you are way more likely to be hit by a scalable attack.
It is much easier to brute force your password on a non-proof website or to find it in a leaked password database. It scales very well and needs no physical access where no 2FA is enabled.
One could argue that most users still will use weak passwords in combination with biometrics.
Still, it pushes them to at least have a password.
And if you're a more professional user the combination of a strong and random password in a password manager plus fingerprint for convenience seems like an okay trade-off, especially since you will know how to deactivate it temporarily (reboot device or press power button 10 times on iPhone for example).
> A fingerprint on the other hand cannot be observed.
This is not correct [1].
It won't be that long before someone gets around to training some sort of ML system to scour photographs to extract fingerprints and start building a database of everyone's fingerprints. These databases will only expand in coverage/accuracy and the quantity leaked will only increase. Fingerprints for authentication will not survive the next decade.
Interesting, though the thing in the article is still a targeted attack. You will not remember the fingerprint of the guy unlocking his phone next to you.
But I agree that ML scale attacks can definitely change what I wrote in the future. They could also be used for CCTV evaluations of people entering passcodes.
Some “finger print” tech doesn’t use actual prints, but the deeper layout of the capillaries that can’t be easily observed. I believe Apple uses this on their devices that support “fingerprint” auth.
It is an inaccurate explanation and therefore low value if truth is the measure of value.
I also believe my comment was entirely warranted. This same misleading talking point comes up nonstop. It is unreasonable that dissent is expected to be buried under a pile of politeness. There was nothing particularly aggressive about the comment except that it was a clear statement of disagreement.
I have an iPhone with Face ID and an 8-digit passcode. If I were to be arrested or whatever, all I need to do is press the power button 5 times in quick succession and Face ID is disabled and my passcode is required.
So I can choose:
- Unlock my phone with ease for tens of years and then quickly lock it once
- Struggle to unlock it for tens of years to avoid having to quickly lock it once
If you enable voice control in accessibility you can reboot the device using a voice command “reboot this device”.
After which you will need your passcode/word to unlock the device. Handy if you foresee a time you won’t be able to reach your device and tap the unlock button 5 times.
Physically typing in a passcode is less secure than you think given the wide range of cameras everywhere. All I have to do is observe you entering it once with a camera (likely from any angle where your movements are visible) and your security now belongs to me. FaceID cannot be recorded in any way. Of course you have to occasionally enter the PIN so it's still not perfect.
Not really both. If anything, they are a temporary quick-unlock key. After a restart, before an extra-sensitive operation, and also after a certain amount of time/unlocks you can’t use your fingerprint to unlock things anymore and need to use your normal passcode/pattern.
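The "temporary quick-unlock key" policy described in the comment above, modelled as an added example (this is not Apple's, Google's or any commenter's code). The gate is a small state machine: a biometric match only unlocks if the passcode has been entered since boot, recently enough, and not too many biometric unlocks ago, and the emergency gesture from the thread simply disables biometrics until the next passcode entry. The concrete limits (48 hours, 5 consecutive biometric unlocks) and the method names are assumptions chosen for illustration, not the values of any real device.

```python
"""Biometric-as-temporary-unlock-key policy, modelled as a state machine.

Added example, not code from the original thread or from any vendor.
The limits below are illustrative assumptions, not real device settings.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class Result(Enum):
    UNLOCKED = auto()
    PASSCODE_REQUIRED = auto()


@dataclass
class BiometricGate:
    """Decides whether a biometric match may unlock or the passcode is required."""
    max_age_seconds: int = 48 * 3600   # assumption: passcode re-required after 48h
    max_bio_unlocks: int = 5           # assumption: and after 5 biometric unlocks in a row
    # Policy state. None means the passcode has not been entered since boot.
    last_passcode_at: Optional[float] = field(default=None, init=False)
    bio_unlocks_since_passcode: int = field(default=0, init=False)
    biometrics_disabled: bool = field(default=False, init=False)

    def boot(self) -> None:
        """Restart: biometrics are useless until the passcode has been entered."""
        self.last_passcode_at = None
        self.bio_unlocks_since_passcode = 0
        self.biometrics_disabled = False

    def emergency_lock(self) -> None:
        """The 'press the side button several times' gesture from the thread."""
        self.biometrics_disabled = True

    def why_passcode_required(self, now: float) -> Optional[str]:
        """Return the reason biometrics are refused right now, or None if allowed."""
        if self.biometrics_disabled:
            return "emergency lock engaged"
        if self.last_passcode_at is None:
            return "passcode not entered since boot"
        if now - self.last_passcode_at > self.max_age_seconds:
            return "last passcode entry too old"
        if self.bio_unlocks_since_passcode >= self.max_bio_unlocks:
            return "too many biometric unlocks since last passcode"
        return None

    def unlock_with_passcode(self, now: float) -> Result:
        """A correct passcode re-arms biometrics and resets the counters."""
        self.last_passcode_at = now
        self.bio_unlocks_since_passcode = 0
        self.biometrics_disabled = False
        return Result.UNLOCKED

    def unlock_with_biometric(self, now: float, matched: bool) -> Result:
        """A biometric match unlocks only while the policy window is still open."""
        if not matched or self.why_passcode_required(now) is not None:
            return Result.PASSCODE_REQUIRED
        self.bio_unlocks_since_passcode += 1
        return Result.UNLOCKED

    def authorize_sensitive_operation(self) -> Result:
        """Extra-sensitive operations (e.g. changing the passcode) never accept biometrics."""
        return Result.PASSCODE_REQUIRED


def demo_sequence() -> List[Result]:
    """Walk one constructed scenario through the gate and collect the outcomes."""
    gate = BiometricGate(max_age_seconds=3600, max_bio_unlocks=3)  # small limits for the demo
    gate.boot()
    out = [gate.unlock_with_biometric(0, matched=True)]          # refused: nothing since boot
    out.append(gate.unlock_with_passcode(0))                      # passcode arms biometrics
    out += [gate.unlock_with_biometric(t, matched=True) for t in (10, 20, 30)]  # 3 allowed
    out.append(gate.unlock_with_biometric(40, matched=True))     # refused: limit reached
    gate.unlock_with_passcode(40)
    out.append(gate.unlock_with_biometric(40 + 3601, matched=True))  # refused: too old
    gate.unlock_with_passcode(5000)
    gate.emergency_lock()
    out.append(gate.unlock_with_biometric(5001, matched=True))   # refused: emergency lock
    out.append(gate.authorize_sensitive_operation())              # always passcode
    return out


if __name__ == "__main__":
    for step, result in enumerate(demo_sequence()):
        print(step, result.name)
```

The point the model makes explicit is that the biometric never replaces the passcode as the root credential: every path that refuses a match falls back to the passcode, and every passcode entry is what re-opens the biometric window.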