
Biometrics are a userid, not a password.



Biometrics are not usernames or passwords. They are a separate thing that has some similarity to both. A unique key is likewise neither a username nor a password but could act as both in the right circumstance.

The discussion of biometrics is not advanced by parroting this hollow statement again and again. Please stop. There are compelling arguments why biometrics can be problematic. “It’s a username, not a password” is neither compelling nor truthful.


I found their comment to be a useful way to easily explain it to those who are less technical. In that way I find it has value.

Your comment, however, has quite an aggressive feel. I don't think it was warranted.


It seems a bit harsh to me as well but since you read the "fingerprints are just user names" mantra way too often on Hacker News, maybe the author of the comment thought it was time to become a bit louder.

Here's my take on it:

If you enter a passcode anyone close to you can see you enter it. It's much easier to figure out what you're typing on a smartphone than on a keyboard, and the oily residue on the touchscreen makes it even easier.

A fingerprint on the other hand cannot be observed. Someone has to follow you or already know where you live and take fingerprints off doorknobs or something like it. Takes a lot of time and failure rate is still high. Then they have to use it on your device, so they have to have access to the device as well.

Fingerprint scenarios make sense for _targeted_ attacks when you are way more likely to be hit by a scalable attack.

It is much easier to brute force your password on a non-proof website or to find it in a leaked password database. It scales very well and needs no physical access where no 2FA is enabled.

One could argue that most users still will use weak passwords in combination with biometrics.

Still, it pushes them to at least have a password.

And if you're a more professional user the combination of a strong and random password in a password manager plus fingerprint for convenience seems like an okay trade-off, especially since you will know how to deactivate it temporarily (reboot device or press power button 10 times on iPhone for example).


> A fingerprint on the other hand cannot be observed.

This is not correct [1].

It won't be that long before someone gets around to training some sort of ML system to scour photographs to extract fingerprints and start building a database of everyone's fingerprints. These databases will only expand in coverage/accuracy and the quantity leaked will only increase. Fingerprints for authentication will not survive the next decade.

[1] https://www.csoonline.com/article/3268837/busted-cops-use-fi...


Interesting, though the thing in the article is still a targeted attack. You will not remember the fingerprint of the guy unlocking his phone next to you.

But I agree that ML scale attacks can definitely change what I wrote in the future. They could also be used for CCTV evaluations of people entering passcodes.


Some “finger print” tech doesn’t use actual prints, but the deeper layout of the capillaries that can’t be easily observed. I believe Apple uses this on their devices that support “fingerprint” auth.


It is an inaccurate explanation and therefore low value if truth is the measure of value.

I also believe my comment was entirely warranted. This same misleading talking point comes up nonstop. It is unreasonable that dissent is expected to be buried under a pile of politeness. There was nothing particularly aggressive about the comment except that it was a clear statement of disagreement.


Not on iOS or Android phones. On most recent phones, they're both.


Which is why I will never enable fingerprint or face unlocking ever. I'm fine with physically typing in my password. I like real security.


I have an iPhone with Face ID and an 8 digit passcode. If I were to be arrested or whatever, all I need to do is press the power button 5 times in quick succession and Face ID is disabled and my passcode is required.

So I can choose:

- Unlock my phone with ease for 10’s of years and then quickly lock it once
- Struggle to unlock it for 10’s of years to avoid having to quickly lock it once


Rebooting does that by default on android: it always requires your pin. No need to remember to press the x button n times. Just shut it down.

A good habit anyway: you don't want them to be able to poke the ram.


Rebooting resets the passcode requirement on iOS as well.


If they tell you to unlock it but you 5 tap instead, then it wouldn't surprise me if it counts as obstructing justice.

You'd need to do it quickly before the cuffs come on. And make sure the officer doesn't mistake you reaching for your pocket as you grabbing your gun.


If you enable voice control in accessibility you can reboot the device using a voice command “reboot this device”.

After which you will need your passcode/word to unlock the device. Handy if you foresee a time you won’t be able to reach your device and tap the unlock button 5 times.


Physically typing in a passcode is less secure than you think given the wide range of cameras everywhere. All I have to do is observe you entering it once with a camera (likely from any angle where your movements are visible) and your security now belongs to me. FaceID cannot be recorded in any way. Of course you have to occasionally enter the PIN so it's still not perfect.


For the average user whose password is 0000, maybe face unlocking IS more secure for them.


unfortunately for that user, face unlock doesn’t disable passcode unlock


Not really both. If anything, they are a temporary quick-unlock key. After a restart, before an extra-sensitive operation, and also after a certain amount of time/unlocks you can’t use your fingerprint to unlock things anymore and need to use your normal passcode/pattern.
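The "temporary quick-unlock key" policy described in this thread (passcode required after a restart, after the side-button gesture, after too many failed biometric attempts, after too long without a passcode, and for sensitive operations), written out as a small state machine. This is an added example, not code from the thread, from Apple or from Google; the class names, the 5-failure and 48-hour thresholds and the list of sensitive operations are assumptions chosen to resemble, not reproduce, the vendors' published rules.

```python
# Added example (not code from the thread, Apple or Google): a model of the
# quick-unlock policy described above. Names and thresholds are assumptions.
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional, Tuple

HOUR = 3600.0


class Method(Enum):
    PASSCODE = auto()
    BIOMETRIC = auto()


@dataclass
class Policy:
    max_biometric_failures: int = 5                  # assumption
    max_seconds_since_passcode: float = 48 * HOUR    # assumption
    # Operations that always demand the passcode, even on an unlocked device.
    sensitive_ops: frozenset = frozenset({"change_passcode", "show_saved_passwords"})


@dataclass
class Device:
    policy: Policy = field(default_factory=Policy)
    last_passcode_ok: Optional[float] = None   # None: no passcode since boot
    biometric_failures: int = 0
    lockdown: bool = False                     # set by the side-button gesture

    def reboot(self) -> None:
        """Power cycle: keys in RAM are gone, so only the passcode unlocks."""
        self.last_passcode_ok, self.biometric_failures, self.lockdown = None, 0, False

    def lockdown_gesture(self) -> None:
        """'Press the side button N times': keep the keys in RAM but refuse
        biometrics until the passcode has been entered again."""
        self.lockdown = True

    def biometric_allowed(self, now: float) -> Tuple[bool, str]:
        """Decide whether a biometric attempt may even be evaluated at `now`."""
        p = self.policy
        if self.last_passcode_ok is None:
            return False, "passcode required after restart"
        if self.lockdown:
            return False, "lockdown gesture engaged"
        if self.biometric_failures >= p.max_biometric_failures:
            return False, "too many failed biometric attempts"
        if now - self.last_passcode_ok > p.max_seconds_since_passcode:
            return False, "passcode not used recently enough"
        return True, "ok"

    def try_unlock(self, method: Method, credential_ok: bool, now: float) -> bool:
        """`credential_ok` is the verifier's verdict (sensor match or correct
        passcode); the policy decides whether that verdict counts at all."""
        if method is Method.PASSCODE:
            if credential_ok:
                # A correct passcode proves the owner is present and re-arms biometrics.
                self.last_passcode_ok, self.biometric_failures, self.lockdown = now, 0, False
            return credential_ok
        if not self.biometric_allowed(now)[0]:
            return False                           # sensor is not even consulted
        if not credential_ok:
            self.biometric_failures += 1
        return credential_ok

    def authorize(self, op: str, method: Method, credential_ok: bool, now: float) -> bool:
        """Gate an operation; sensitive ones never accept the quick-unlock key."""
        if op in self.policy.sensitive_ops and method is not Method.PASSCODE:
            return False
        return self.try_unlock(method, credential_ok, now)


def scenario() -> dict:
    """Replay the situations raised in the thread and record each outcome."""
    d, out, B, P = Device(), {}, Method.BIOMETRIC, Method.PASSCODE
    out["biometric_after_boot"] = d.try_unlock(B, True, 0.0)
    out["passcode_after_boot"] = d.try_unlock(P, True, 0.0)
    out["biometric_later"] = d.try_unlock(B, True, 1 * HOUR)
    d.lockdown_gesture()                           # e.g. before handing the phone over
    out["biometric_after_gesture"] = d.try_unlock(B, True, 1 * HOUR)
    out["passcode_after_gesture"] = d.try_unlock(P, True, 2 * HOUR)
    for _ in range(d.policy.max_biometric_failures):
        d.try_unlock(B, False, 3 * HOUR)           # forged-print attempts
    out["biometric_after_failures"] = d.try_unlock(B, True, 3 * HOUR)
    out["passcode_after_failures"] = d.try_unlock(P, True, 3 * HOUR)
    out["biometric_after_49h_idle"] = d.try_unlock(B, True, 52 * HOUR)
    out["biometric_for_sensitive_op"] = d.authorize("change_passcode", B, True, 52 * HOUR)
    d.reboot()
    out["biometric_after_reboot"] = d.try_unlock(B, True, 52 * HOUR)
    return out
```

The point the model makes concrete: a biometric match is only ever consulted after a correct passcode has been entered since boot, and every revocation path (gesture, reboot, failure count, idle time, sensitive operation) falls back to the passcode, which is why the passcode's strength still bounds the whole scheme.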



