
Is it worth repeating that "fingerprints are usernames, not passwords"?

It is straightforward to copy someone's fingerprint. If the technology does not include some additional biometric property (blood vessel arrangement, unique capacitance?!, unique heat signature that will not change over time?! ...) that is hard to obtain, it is pretty much useless, especially if someone is really keen to hack you ...




I’ve always found it helpful to think of two computers.

One of them is beige and from the 1990s. It has a keyboard and screen into which you type in your regular username and password. It is the computer that you actually use to get things done.

That computer is behind another, fancier one though. The fancy one has a fingerprint reader and a robot arm. It reads your fingerprint (possibly incorrectly) and turns it into a password (also potentially with inaccuracies). The password might literally be "thumb with two loops that are 2034 pixels apart".

The robot arm on the fancy computer then types the generated password into the 1990s computer. If anyone sees the password being typed, you’re out of luck. You can’t change your fingerprint to something different. There are no other inputs to the fancy machine. You’ll just have to use another finger.

You certainly wouldn’t be able to generate a meaningful username with the fancy computer. (Which is a finer point than simply fingerprints = usernames.)

What's different with the Yubikey is that it's trusted, portable and tamper-proof. It's considerably harder for an attacker to intercept my fingerprint on the fancy computer with the fingerprint reader and robot arm if it's either stuck in a USB port or in my pocket on my key chain.


Just getting the fingerprint of someone else does not allow you to log in as them. The fingerprint is only used as a presence check by the security key, which digitally signs a challenge using its own internal non-exportable key material. So you would have to both steal someone else's security key (note you cannot "clone" it, at least not trivially), and also get their fingerprint, if you wanted to "hack" them.


So, the device is a password generator, and the fingerprint is the username. What happens when you lose or break your security key? Is your PC locked forever, or will it stay that way until they send you a replacement? But if they can send you a replacement, that means that "the company" (read: government services) has a sort of master key for your PC (they have a fingerprint database) and they can get access to the inside of the hardware, depending on the deal they have with the technology maker (I am thinking China)...

I had a chat with a spokesman from a bank; they had similar technology for a credit card. Basically, what he said is that the key factor is time. That is, if someone steals your card in a bar and takes your fingerprint from a glass you were drinking from, the only thing that will protect you is the time until you notice that your card is missing and report it to the bank, as the person hacking will need a bit of time to replicate the fingerprint, which is about 15 - 30 min with proper tools...


> What happens when you lose or break your security key? Is your PC locked forever, or will it stay that way until they send you a replacement?

You register two security keys (which both have a separate private key) and keep one of them somewhere safe. Then if your main one breaks, you switch to key 2 to log in and register key 3 as your new backup key. This is done for, e.g., Google's Advanced Protection Program [1].

> I had a chat with a spokesman from a bank; they had similar technology for a credit card. Basically, what he said is that the key factor is time

Yeah, that sounds about right for a bank, which will have a much different threat model than a login for a website or my computer.

> But if they can send you a replacement, that means that "the company" (read: government services) has a sort of master key for your PC (they have a fingerprint database)

They very likely can't. These devices essentially generate a private key that is never able to leave the security key without major hardware attacks. The fingerprint is also just stored on the device to be able to unlock this secret key. It is never transmitted to the computer or anywhere else, and it also isn't used to create the private key.

Essentially this key implements WebAuthn [2] (and similar technologies) and only allows access to the secret key after the fingerprint has been verified.

There could of course be backdoors in the key generation algorithm (think Dual_EC_DRBG). Once your threat model includes actors capable of backdooring modern encryption hardware and algorithms, they probably have much easier ways of getting to your data though.

[1] https://landing.google.com/advancedprotection/

[2] https://webauthn.io
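The flow the two comments above describe (the key signs a relying party's challenge with key material that never leaves the device; the fingerprint only gates that signing locally and is never sent anywhere; two registered keys give you a backup when one is lost), as an added Go example that is not part of this thread or of any vendor's firmware. The authenticator is modelled as a struct holding an Ed25519 key; the credential IDs, the "thumb" sample fingerprint and the hash-and-compare template check are constructed assumptions for the demonstration, not how a real key stores biometrics.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator is a toy model of a FIDO2 security key. The private key and
// the enrolled fingerprint template exist only inside this struct, mirroring
// the thread's point that neither ever leaves the device.
type Authenticator struct {
	ID       string
	priv     ed25519.PrivateKey // non-exportable in real hardware
	template [32]byte           // hash of the enrolled fingerprint (assumption: device-local)
	present  bool               // false once the key is lost or broken
}

// Assertion is what the authenticator hands back: a signature over the
// relying party's challenge, plus which credential produced it.
type Assertion struct {
	CredID    string
	Challenge []byte
	Sig       []byte
}

func NewAuthenticator(id, fingerprint string) *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{ID: id, priv: priv, template: sha256.Sum256([]byte(fingerprint)), present: true}
}

// PublicKey is the only key-derived value the relying party ever sees.
func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Assert verifies the user on-device (the fingerprint gate) and only then
// signs. The fingerprint is compared locally and never leaves the function.
func (a *Authenticator) Assert(challenge []byte, fingerprint string) (Assertion, error) {
	if !a.present {
		return Assertion{}, errors.New("authenticator not present")
	}
	got := sha256.Sum256([]byte(fingerprint))
	if subtle.ConstantTimeCompare(got[:], a.template[:]) != 1 {
		return Assertion{}, errors.New("user verification failed")
	}
	return Assertion{CredID: a.ID, Challenge: challenge, Sig: ed25519.Sign(a.priv, challenge)}, nil
}

// RelyingParty is the server side. It stores public keys only, so a breach
// of this table yields nothing that can sign a future challenge.
type RelyingParty struct {
	creds map[string]ed25519.PublicKey
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{creds: map[string]ed25519.PublicKey{}}
}

// Register stores a credential; registering two keys is the backup strategy
// the thread describes. Revoke drops one, e.g. after it is reported lost.
func (rp *RelyingParty) Register(a *Authenticator) { rp.creds[a.ID] = a.PublicKey() }
func (rp *RelyingParty) Revoke(id string)          { delete(rp.creds, id) }

// NewChallenge returns a fresh random nonce; a real RP also records it so
// that each challenge is accepted once only.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts the assertion only if a currently registered credential
// produced a valid signature over this challenge.
func (rp *RelyingParty) Verify(as Assertion) bool {
	pub, ok := rp.creds[as.CredID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, as.Challenge, as.Sig)
}

func main() {
	rp := NewRelyingParty()
	primary := NewAuthenticator("key-1", "thumb") // "thumb" is a constructed sample
	backup := NewAuthenticator("key-2", "thumb")
	rp.Register(primary)
	rp.Register(backup)

	as, err := primary.Assert(rp.NewChallenge(), "thumb")
	fmt.Println("primary login:", err == nil && rp.Verify(as))

	primary.present = false // lost or broken: revoke it and fall back to the backup
	rp.Revoke("key-1")
	as, err = backup.Assert(rp.NewChallenge(), "thumb")
	fmt.Println("backup login:", err == nil && rp.Verify(as))
	rp.Register(NewAuthenticator("key-3", "thumb")) // enrol a new backup
}
```

The point the model makes concrete: a copied fingerprint alone gives an attacker nothing to sign with, because the template only unlocks signing inside a device they would also have to steal, and a second registered key is what turns "lost key" into a revoke-and-switch rather than a lockout.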


> What happens when you lose or break your security key? Is your PC locked forever

Not sure about macOS, but on Windows it would most likely use Windows Hello, even though they didn't mention it once in that blog post. It doesn't allow you to have biometrics as the only method of logging in. You would have to set up a PIN too, and the usual password will always be available. On Linux anything goes; it depends on how you set it up.

All that FIDO2 stuff is for browsers mainly, unless MS meets them in the middle and allows FIDO2 without AD for system logins in upcoming updates.

EDIT: This old preview shows Windows Hello https://www.youtube.com/watch?v=L2y3g_094TI


> If the technology does not include some additional biometric property (blood vessel arrangement, unique capacitance?!, unique heat signature that will not change over time?! ...)

The fingerprint technology which is used appears to be from http://fingerprints.com/ . That means the tech is based on an "image" from capacitance, not optics. It also has what is called "liveness" detection: it will be able to differentiate between a dead object and a finger which is alive. So it would not even be enough to cut the finger off.


> Is it worth repeating that "fingerprints are usernames, not passwords"?

No, because that is nonsense. Fingerprints are something different to both usernames and passwords. They aren't the same as either of them. For example, you can change both passwords and usernames, but you can't change a fingerprint. Also, fingerprints are more difficult to discover than usernames.


> No, because that is nonsense. Fingerprints are something different to both usernames and passwords.

In The Netherlands you can be forced to give your fingerprint to unlock your smartphone. You cannot be forced to unlock your smartphone via PIN, or share your password.

> For example you can change both passwords and usernames but you can't change a fingerprint.

Yes, you can. Your fingerprint can be unreadable under certain circumstances. With sandpaper you can remove it. Certain (physical) labour can damage it. Both of these are temporary. You also, supposedly, have 10 fingers, so in that regard you can switch (e.g. use a less common one, or one which isn't temporarily damaged). The other day I accidentally used a razor to damage my index finger, used an adhesive bandage, and had to add a different finger to my smartphone. I wonder if you can use your toe.

> Also fingerprints are more difficult to discover than usernames.

Inaccurate, and untrue. They're all over the place. This is Bob's phone. I wonder where Bob's fingerprint might be. Might it be... on the phone? "Oh, what a surprise, I didn't expect that!", the forensic analyst exclaimed.

I would argue the following: a PIN or fingerprint should not be used to protect serious data. One could, for example, perfectly well use a PIN on their smartphone for authorization of unimportant data. OSes are not yet able to make this distinction though. Moreover, any time you use a password in a public place which isn't one-time, a camera can copy the data.

Slight tangent: the other day I heard about a creep who stood at the bottom of a staircase to take pictures up women's skirts. These pictures were then distributed among other creeps. I immediately imagined that being my daughter, and that thought scares the shit out of me. Given the advancements of things like cameras, we need to think differently with regard to security and privacy.


> In The Netherlands you can be forced to give your fingerprint to unlock your smartphone. You cannot be forced to unlock your smartphone via PIN, or share your password.

OK, that's why I said fingerprints are different to passwords?

> Your fingerprint can be unreadable under certain circumstances. With sandpaper you can remove it.

Please don't nitpick. You don't really think I didn't know that.

> Inaccurate, and untrue. They're all over the place.

Your username is `Fnoord`. How can I get your fingerprint just as easily? I did not say it is very difficult to get someone's fingerprint if you want to, just that it is harder than getting a username. You can just ask people for their usernames; people will usually give them out to strangers. Try that with fingerprints.

In fact, if it is just as easy to get a username as a fingerprint, here's my username: IshKebab. Now can you find my fingerprint?


> Please don't nitpick. You don't really think I didn't know that.

You wrote "but you can't change a fingerprint". It's inaccurate.

> In fact, if it is just as easy to get a username as a fingerprint, here's my username: IshKebab. Now can you find my fingerprint?

The context is smartphones. If I had physical access to you, no problem. [1]

[1] https://www.wired.com/2008/03/hackers-publish/



