See, this is exactly the problem. It’s not at all useless. It’s a pretty great password that defends excellently against a few common problem points (random strangers just picking up your phone and playing with it, random thieves easily getting access in a way that would be convenient and worth it for them) while being completely invisible to me when using it (and actually making unlocking the device easier).
It’s rubbish against any kind of targeted attack, sure. Thing is, I personally don’t care about that at all. I couldn’t care less, really. So fingerprints are awesome for me and solve all the problems I want them to solve. I don’t care about perfect security. I don’t care about targeted attacks contingent on physical access to the device.
What do you think about doing it sort of like how RSA does their 2fa bits?
Say it worked like this:
You typed in your username, scanned your fingerprint for the rest of the username, and then typed a password / passcode?
That makes it virtually impossible to have username collisions (good) and still uses a password. If you were ultra paranoid, you could use a key fob such as a Yubikey and enter an OTP in addition to the above.
That would work, iff there was not a way to show that a particular person owned a particular username. However, I cannot think of any way to prevent that.
...But given the ease of getting someone's fingerprint I'm not sure if this is actually much better than a standard username+password combination (potentially with 2fa) without a fingerprint at this point, and it's less convenient to boot.
Hmm... You're probably right, but this article proves that a four-digit PIN (assuming 10 incorrect attempts would lock the phone) would actually be more secure than a fingerprint.
A fingerprint can be cloned and verified (visually) without giving the device a chance to "defend itself", whereas even the best-case PIN attack* wouldn't necessarily exhaust possibilities before 10 tries.
I personally like the swipe gesture, as it is even somewhat resistant to a shoulder-surfing attack (assuming you've turned off the horrendous default of drawing the pattern as you drag over it) and is much faster than typing a PIN.
* Excluding shoulder-surfing attacks. You know the digits (smudges have built up over them), but not the order.
Weigh the probability of someone producing a fingerprint replica vs. someone shoulder-surfing. The first seems exceedingly unlikely to me, while the second is at least plausible.
Fair enough. The only issue is that all (ok, most) your data is on your phone, as are your fingerprints - so if you lose it[1], in all likelihood they'll be happy they got a $1K device for free and wipe it, but if they were determined to get in to get (say) your SSH keys, or something... yeah. They'd need a few hours and some not-so-hard to get machinery.
[1] Especially if it is stolen. "I wasn't targeted. Was I targeted? Nah, I wasn't targeted. Just a crime of opportunity. Yes. For sure."
There is nothing valuable (except potentially embarrassing private information that is, however, completely worthless to some random thief) on my phone that is protected by my fingerprint. The valuable stuff (especially passwords) can’t be accessed with my fingerprint.
My point was that for almost all users, it's conceivable that a PIN could be guessed or obtained by someone who wanted access to the phone casually. A good friend of mine amazed me by casually reverse engineering my PIN over the course of a week in the pre-TouchID days of iPhone. He wasn't especially interested, he just watched me for a few days to crack it.
However a fingerprint is significantly harder for a casual interloper to simulate.
Unless you've lost your phone, in which case your fingerprints are all over the device, and if they want to log in, they have to reconstruct it using "information" already on it.
Granted re:casual interloper.
And your friend just shoulder-surfed you, he didn't reverse engineer anything ;)
When I was working in biometrics 10 years ago, nobody thought fingerprints were a good userid OR a password. It was always presented as a part of multi-factor authentication, to be used in conjunction with passcards and/or passwords.
"Something you have, something you know, something you are".
If your timeframe is eternity, this is valid, but for now, the cost of cloning a fingerprint is high enough that they are an excellent protection for a huge category of interactions.
Agreed, but I personally think it shouldn't be a general public feature, but rather reserved to the initiated. The cost lessens quickly with time (a point made by this article) and people have trouble understanding the limitations of a particular protection.
I think people have even more trouble applying other forms of protection. A fingerprint that is actually used is better than a PIN that is disabled, or worse, written on a card.
Unless you lose your device. The device that is literally covered with your fingerprints. In this case, you don't know your data is safe or not. "Probably". Hopefully you'll have remote wipe enabled.
Although I have no doubt it could work, I guess they didn't try the copy? Couldn't find the video of the conference. He probably demo'ed using a copy of his own fingerprint from a photo?
It's great work, I hope the fact that you can make a copy from a simple HD photo will bury people's ideas about fingerprint security for good.
It's never been a good idea. Fingerprint as user identification is the worst kind of password you can come up with. You can't change it periodically; you have to use the same one for every purpose; you leave it lying around in public all the time. Forget biometrics, they're useless.
IMHO, the only biometric authentication that has any potential of ever being secure, is a retinal scan.
The barrier to break would be the "liveness check" - ensuring that you aren't presented with a molded prop, but an actual eye. I'm not sure what the state of the art is with respect to this.
The difference I see between fingerprint and retinal scan is that a fingerprint is readily visible - as this hack proves. I don't think you can capture a reliable retinal scan unless you get within centimeters of someone's eyeball with a scanner.
Additionally, since we're essentially talking about a specialized camera, the system could combine gait recognition (distance), face recognition (mid-distance) and finally retinal recognition (face on scanner). Beat that.
As always, authentication is just about authentication - you are who you "say you are". It has nothing to do with duress, etc.
actor plus doesn't allow for injury to the authentic person.
> face recognition (mid-distance)
photograph or prosthetics + makeup
> retinal recognition
photograph or prosthetic model iris built to beat "aliveness" check
None of these are hypothetical, all have been demonstrated (though perhaps not simultaneously)
To my knowledge the only biometric that hasn't yet been fooled or broken would be a scan of your brain whilst you invoke muscle memory of an action which itself is unknown to anyone but you. I wouldn't wager even that couldn't be scanned and copied in some manner.
My assumption is unbeatable "liveness check" at the retinal scanner[1]. Looking for iris contractions, etc. Can you present a functioning iris with a custom retinal image behind it?
[1] Which kind of makes the rest of the system moot. Also, good point about gait recognition.
> Can you present a functioning iris with a custom retinal image behind it?
It wouldn't need to be a real iris. Extant aliveness checks typically look for: reflections, pupil dynamics (contractions etc), frequency/resolution - these are all designed to look for digital forgeries (image on screen or paper); this leaves them open to a prosthetic model of an eye mimicking those effects (think a very sophisticated mannequin or doll's eye) backed by a generated retinal image.
Ultimately (if you want to talk absolutes) as long as the scanner can't differentiate between the original and a cloned + transplanted eye, it can never be considered unbeatable :)
As convoluted as all these sound, they're conceivably within the grasp of technology. It's worth remembering that many commercial scanners currently deployed don't implement any aliveness checks.
> It wouldn't need to be a real iris. Extant aliveness checks typically look for: reflections, pupil dynamics (contractions etc), frequency/resolution - these are all designed to look for digital forgeries (image on screen or paper); this leaves them open to a prosthetic model of an eye mimicking those effects (think a very sophisticated mannequin or doll's eye) backed by a generated retinal image.
I was asking if you are aware of such a thing existing.
Retinal scans are out, iris scans are in. If I remember correctly, beyond the age of 5 the iris banding pattern remains the same. Retinal scans get tripped up by things like pregnancy and other health issues. I'd never use it for a password though, as there are commercial products that perform iris scans at a distance of several meters on non-cooperative subjects. The first thing I thought of when I saw the product, sort of a virtual turnstile, was Snow Crash and the surreptitious collection of biometric information for eventual sale on the black market.
It is better to think of it like a username than a password. None of my devices support biometrics, but if they did, I would want to have both fingerprint AND password, if that's possible. Does anyone know if any of Apple, Samsung, et al allow that?
"It is better to think of it like a username than a password"
Biometric passports with fingerprint data are common in many EU countries. The fingerprint is used to verify a person's identity, so in a way it's used as both a username and password.
Allowing the state to capture and store something very private to every individual is not without controversy. A few years ago, a German man called Michael Schwarz had his application for a passport rejected when he refused to have his fingerprints taken. He took the matter to the European Court of Justice (ECJ). In October 2013, the ECJ ruled in favour of fingerprinting for passports. The ECJ agreed that fingerprinting was a privacy intrusion but that this was outweighed by the need for security and protection against fraud. Strictly speaking, the fingerprint data should only be held in the passport, not in a central database.
Whether you agree or not with fingerprint capture will probably be influenced by how much you trust the authorities in your country. And of course, many countries collect fingerprints from visitors entering their country.
It's really unfortunate that is the case. I don't mind fingerprints, but they have to be used in combination with something else to be valid. You should be able to challenge another thing to build a valid profile. I don't trust ALL authorities in ALL countries I happen to visit or live in to be both competent with security and malevolent for ALL time. To put all your eggs in the fingerprint basket seems shortsighted.
I trust that if I had enemies that needed my fingerprint for something, they could get it easily. I touch enough objects on a daily basis that the likelihood is extremely high. I mean, someone could simply lift them from my front door, or follow me waiting for me to drop a coffee cup in the trash.
As far as facial recognition on Kinect, I don't mind it as the keeper to my gaming system, but simply having my face unlock my bank account suffers the same problem as a fingerprint. Your face is on so many cameras every single day. A password should be kept private. Additionally, I'm a bald man with glasses, how many others with this description would be able to open my Xbox with their face? It is useful in combination with a password, but should not (and I would argue cannot) replace a password system of some kind.
OP mentioned using biometrics as a username in combination with a password. [1] seems to imply you can add a password or pass code on xbox and I think you can do that too on a Galaxy S (?)
True. And in my opinion username is useless and should be abandoned. A good password is all you need - say 128-bit high-entropy. It's not going to be duplicated; it's enough to identify you. What's the username hanging around for?
Probability says that it won't be duplicated, but what if it is? You can't say "no, sorry, you can't choose this password" because that leaks information. This is even ignoring adversarial attacks to try and get this or any birthday attacks.
In my thinking about this problem from the IoT space lately, I've been thinking about servers assigning credentials to devices, rather than devices telling you their creds. Assign a UUID and let the device generate their password/key, and the pair gives you a multiplicatively large space.
That's an obsolete notion. You are not going to duplicate a 128-bit high-entropy number. Not in several lifetimes of our sun.
Your notion is interesting. Anything that automates the client-side is good. People are terrible at managing a security contract 'by hand'.
{edit} really, this superstitious notion that random numbers are 'not good enough' is embedded in our programmer culture. Folks continue to use lame solutions instead of just buying into the uuid-as-foolproof-identifier. It totally eliminates whole classes of problems and bugs. And you should be more concerned your computer will be hit by lightning, become self-aware and win the lottery 7 times, and molecularly reorganize into a teacup, before that uuid will be duplicated anywhere/anywhen.
For the record, I'm not the one downvoting you (I don't even have that ability yet!).
Security is always done in layers, though, and while you're correct that it is extremely unlikely, the chance is nonzero. As such you have to prepare for that and design your system to be resilient to these types of things. In castle terms, you trust that no one will ever breach your wall, but that doesn't mean you don't have guards and an armory inside for the unlikely event it does.
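An added worked example, not part of any comment in this thread: the birthday-bound arithmetic behind the 128-bit exchange above, together with the attacker's-eye view that the "what if it is duplicated" and "UUID plus key" comments turn on. The function names and the account and guess counts are assumptions chosen for illustration.

```python
import math

def collision_probability(n: int, bits: int) -> float:
    """Birthday bound: chance that at least two of n uniformly random
    `bits`-bit secrets coincide, 1 - exp(-n(n-1) / 2^(bits+1))."""
    return -math.expm1(-(n * (n - 1)) / 2.0 ** (bits + 1))

def secrets_for_collision(p: float, bits: int) -> float:
    """How many random secrets must exist before a collision has probability p."""
    return math.sqrt(2.0 ** (bits + 1) * -math.log1p(-p))

def guess_success_bound(accounts: int, bits: int, guesses: int) -> float:
    """Upper bound on an online attacker's success after `guesses` tries.
    Password-only login: a guess wins if it matches ANY account, so the
    bound scales with the number of accounts. With an identifier the
    attacker must hit one named account: pass accounts=1."""
    return min(1.0, accounts * guesses / 2.0 ** bits)

# Constructed figures, not from the thread: 10 billion accounts and an
# attacker who gets a trillion guesses.
ACCOUNTS, GUESSES = 10**10, 10**12

if __name__ == "__main__":
    for bits in (32, 64, 128):
        print(f"{bits:>3}-bit secrets: "
              f"P(accidental duplicate)={collision_probability(ACCOUNTS, bits):.3g}, "
              f"50% collision at {secrets_for_collision(0.5, bits):.3g} secrets")
    print(f"guessing, no identifier:   {guess_success_bound(ACCOUNTS, 128, GUESSES):.3g}")
    print(f"guessing, with identifier: {guess_success_bound(1, 128, GUESSES):.3g}")
```

At 128 bits the accidental-duplicate probability stays negligible at these sizes, while removing the identifier multiplies the guessing bound by the number of accounts.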
This is absolutely false. There is a high cost for copying a fingerprint and it is time consuming to perform, conspicuous and difficult to deploy the copy.
Therefore fingerprints are not a good tool when there is a lot of time for the attack, and the value is very high. However when the attack value is low, and the time available is short, they are currently a useful check.
One day, we will probably have a portable fingerprint cloner that changes the economics of this, but until we do, fingerprints are useful.
Since you dismiss biometrics as 'useless', what alternative would you suggest?
The answer to that is more of "it depends". Some higher end fingerprint readers actually use small sound waves to verify the ridges on your fingers are indeed ridges instead of a piece of photo paper with a HD fingerprint. Others use your fingerprint in addition to the heat signature your finger gives off, I'm sure there are others I'm not aware of, but both of the above have been proven defeatable with a mold + gummybear like material and warming it up slightly.
http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...