Hacker fakes German minister's fingerprints using photos of her hands (2014) (theguardian.com)
70 points by deegles 5 months ago | 21 comments



This has been taken to be fact for about a decade.

Has anyone ever replicated this? CCC presenters have a tendency to, exaggerate, a little.

The only presentation given on this topic, at CCC, demonstrated an attack against fingerprint readers where a fingerprint was reconstructed from imagery, cast into a physical fake finger, and then authenticated against itself. Not that a fingerprint was reconstructed from imagery and authenticated against a scan of the actual finger.

I can totally botch a reconstruction of a fingerprint based on some blurry imagery such that it looks like the number six side of a die, load the reconstruction into a fingerprint reader, and then authenticate against a gelatin finger with an imprint of six pips on it but I cannot say that I have reconstructed THE fingerprint.


Even if it worked perfectly, this kind of thing is probably very time sensitive and short lived. Did it still work on the very next year's model of phone?

I think there are weaknesses all over the place still today, and wide variation between manufacturers and price points, but I assume the details change and get harder all the time, or at least change, making an example from 10 years ago of limited interest today, UNLESS the same thing also still worked today.

Another aspect of that would be how the tools on both sides progress not just one side. A casual photograph from a common camera or phone from a reasonable distance today having a lot more information in it for instance. Or maybe other tools like fabricating a physical model from data by 3d printing etc, where the tools are both better and more readily available so the bar is lower even if the fundamental process is the same. That difference alone may make things go from possible to practical.


I'm waiting for someone to start selling fake fingers and eyeballs that I can put on my keychain. I'll get one for each ignorant device, site, or service that requires biometrics. That way even though I can't reset my fingerprints or iris, I can easily throw away the compromised fake part and register the print/iris of a new one.

Then I'll just need a set of masks for facial recognition... maybe a couple gloves with palm prints. Man, passwords are looking more manageable all the time.


Makes me think of Steve Gibson's Security Now episode on the 4 factors of security:

1: Something you know (Password)

2: Something you have (OTP)

3: Something you are (Bio)

4: Someone you know (3rd Party)

In 2024, the last 2 seem a bit more challenging. With AI voice and biometric data being able to be lifted from internet media, there's some more to think about when designing these systems. These are fun challenges to think about. I'm glad Steve decided to break the 1000 podcast limit, I highly recommend checking it currently along with the archive.


Seems like it's 2024 and still nothing can beat a complex password saved in a password manager. With OTP as a good way of annoying users, and other ones being totally useless.


Definitely not, adding in a second factor such as FIDO U2F provides unique passwords per domain, which levels up security against phishing attacks!


The problem I have with hardware-based authentication, such as Yubikey, is that it's a physical thing that can be taken away from you (or just break, or get lost), which makes me nervous.

Maybe it's stupid, but the scenario I always have in mind is one from the "Bourne Identity" movie, with Jason Bourne found in the sea, with nothing on him, no wallet, no phone. And it's not a far-fetched scenario either: I travel a lot, internationally, so I always imagine being mugged, having my phone and wallet taken away from me. Being able to log in to my accounts, and more importantly, access my money in the bank with nothing but a password stored in my brain is important to me.


A lot of places with hardware authentication will provide a recovery key you can store somewhere you can access (e.g. as an encrypted file on a cloud storage service with no 2FA/geolockouts). Obviously the passwords for the file and the service are memorized. If all your possessions are stolen you could, say, use a borrowed computer to access that file and bootstrap yourself.

For services with TOTP you can store the secret in that encrypted file, so you can reload it back into your authenticator app. Or you could just use a Keepass file or similar which would store all the passwords and keys in a single encrypted binary.


> For services with TOTP you can store the secret in that encrypted file, so you can reload it back into your authenticator app.

Though you do have to be very circumspect in choosing that app: the news of Authy's desktop app (which you could pull the tokens from) being discontinued is still fresh in my mind.


I recently discovered that KeePassX can be used to generate TOTP, and it is open source


> ...adding in a second factor such as fido u2f provides unique passwords per domain...

Properly using a password manager provides unique passwords per domain too.


Passwords can be backed up in many places, this is much harder with the fido u2f.


Thinking about this, I observe that the problem of the factors of security is in fact tied to the problem of identifying someone: If you can prove that "someone/something" is "you", then you are giving "someone/something" the permissions to act as "you". There are lots of tricks we invented to evade the problem; I am pretty sure our common knowledge (yours and mine) of these tricks includes the one about "knocking three times on the door in a specific rhythm" or the one about "You will ask this specific question and I will answer with that exact sentence". I would like to enquire about the problems of security and identification; cannot we do better than what we're currently doing, and why is it that any effort we make aiming for better resembles these tricks I talked about? What's funny about this problem is the fact that in the context of everyday life, you sometimes prove that you are you by showing e.g. an ID card to a police officer. If I had a twin, that twin could do a lot of things as me, he could do nice things, but he could also do bad things. What would stop my twin from being identified as me by others would be the fact e.g. he doesn't possess my ID card; but a card can be stolen (OTP). My evil twin could also be suspected of not being me if for example, he didn't know something people know I know; it could also be mistaken for silliness, but okay. He could learn everything I know, or be spying on me enough so that he knows what I know (Password).

When no one doubts about you being you, it means that everyone agrees with the fact that you are yourself, i.e. every "party" identifies you as yourself, and the fact that every other party is identifying you as yourself makes individual parties even more sure that you are yourself. But on what evidence does the third parties' confidence in you being you rely? How can you trust that third parties aren't corrupted or mistaken? Take the most extreme case: you must tell if someone is lying or not about their identity AND if you're wrong, you die. I could trust third parties only if they brought some crucial facts; passwords and possession are insignificant evidence in that context. But if the quantity of third parties is enough, and if each third party knows a different password AND if you know a different password AND the person to identify gave the correct answer for each and every one of them, it is becoming more and more improbable that the person is not the one they claimed to be.

But I am not satisfied with this, there must be some more elegant and trustful way of identifying people. Now that we're able to imitate the voice, fingerprints, and etc... what other trick can we find that is not a trick?


One issue is that for asserting ownership of assets, society traditionally prefers a kind of identity broader than a physical individual: if "you" die, then an executor should be authorized to access all "your" assets to distribute them. (Imagine having to unlock a bank account with the thumbprint of a corpse!)

The security model is that everyone expecting a share claims it, and if they disagree, then they duke it out in the courts with what evidence they have. And you must hope that no one can compellingly fake your death prematurely. But there's no first-principles solution for absolute security, short of an infallible death register and next-of-kin register.


There must be a historical case where someone had to prove that they are not dead, no?


Sure, but false positives and false negatives are inevitable, since there's no indicator of death that can't be spoofed or missing. The best you can do is to reduce false positives by requiring very strong evidence of death (and very weak evidence of being alive), or a very long interval of presumed death. In a perfect world, perhaps you could tack on a public insurance fund for wrongfully being considered dead.

But in those cases, you get back to the issue of proving identity, since if you've been in a situation where you're presumed dead, you might not have anything left but your body. Also, such situations are rare enough that they'd be dwarfed by more mundane cases of others trying to claim the identities of the dead, so there would be net pressure to make proof-of-liveness more stringent.


Fingerprint is so insecure. So exposing your credentials unencrypted (except for winter) all the time? I mean you wouldn't even store your private keys unencrypted in the ssh dir... so don't get me started on FaceID!

What an easy attack vector. A finger is probably the easiest body part to snatch.

(Which I was actually scared of, in case I ever accidentally got top secret files on my drive and some three letter gang was after me).


Interesting but... this applies to well known people. As an average joe, I'm more concerned about petty theft than about being targeted by super smart criminals.

As a matter of fact, my wallet was literally stolen 2 months ago, including bank cards. Interestingly, the thief didn't even try to use the bank cards at all (I blocked them right away, but always get a notification on my smartphone when a transaction is made or attempted to be made). The thief just cared about the cash...


The main problem is identity theft. Someone impersonating you to hide their activities. We found your fingerprints on the weapon used for last night's robbery.


TIL “sprayable graphene” is a thing. Wonder if it’s a superconductor in spray form.


Yu



