Fingerprints are usernames, not passwords. Here is an excellent (and timeless) post on this fact:
https://blog.dustinkirkland.com/2013/10/fingerprints-are-use...
Getting an ID card checked by security at the door of a secure establishment allows the people inside that building to know that the holder truly is who they say they are. Inside that space the person has access to confidential information and they do not need security to constantly verify their credentials. ..and yet ID cards can be copied and faked - so why do we do this?
This model is how a fingerprint can be used as a shortcut to deliver certain privileges. The user must first pass security by entering their password, and then later numerous safety triggers are in place to require that password again. Meaning that once a person is validated a stand-in can be suitable rather than fully evaluating each and every time.
Back to fingerprints: copying a fingerprint has numerous barriers that these exploits frequently ignore. First it needs to be the correct finger, it must be clear and complete enough to copy and finally it must be used at a time when the device will accept it. While such barriers may be insufficient for a secure environment, this approach provides more security than, for example, a person repeatedly entering a pincode into their phone through the day - something that is both easily observed and remembered (and worse too if it's a gestural passcode.)
To relegate fingerprints as only this or that throws the baby out with the bathwater - appropriate rules and context can make it a useful security improvement over the status quo. That doesn't mean it's perfect or that it has to be.
There are two threat models:
- Virtual
- Physical
In the virtual threat model, difficulty needs to be insane, since any of 7 billion people can launch automated attacks on my server.
In the physical threat model, difficulty can be moderate, since the only people who can attack are ones physically here. My front door has a pickable lock, and my windows are breakable. My key threat is my crazy stalker ex.
Fingerprints are usually in the latter category, and provide pretty good security.
I always thought that since the beginning, but unfortunately the world went into another direction. People always said "something you have and something you know", but now for most cases it's just "something you have - your body". Obviously if in the future remote mind-readers are invented, the "something you know" part will also get obsolete, but for now we should stick to it.
I believe it's - Something you have (key, device,...) - Something you know - Something you are (biometry)
In Europe there is a regulation (PSD2) that defines a strong authentication as 2 of the 3 listed above.
I've always disliked this breakdown. My body is something I have -- it's just potentially (not always practically -- see the article) more difficult to clone or otherwise use without my consent than a key fob or something.
Edit: To be clear, I don't think this is an argument for biometrics, but rather an argument against them. They can't complement something I have in a two factor scheme, because my biometrics are something I have.
Fingerprints are not usernames. I wish that idea would die but people just love putting things in existing categories so much they keep thinking "fingerprints aren't the same as passwords... so they must be the same as usernames!".
It seems you are stating that fingerprints do not identify an account holder. You should justify the statement.
No, I'm stating that fingerprints to not have the same security and privacy properties as usernames. Therefore they are not equivalent to usernames.
* Usernames can be changed. Fingerprints can't.
* Usernames can be denied. Fingerprints can't.
* Usernames are zero effort to copy. Fingerprints require some skill and effort (if you have a decent fingerprint reader).
* People are happy to share usernames online. Fingerprints are considered much more private.
Think this is still overestimating the threat. It's kinda like saying you can hack someone's password by watching video of them typing. True, but also non-trivial.
If you're already being personally targeted by an organization professional enough to follow you around, take a photo of your fingerprint on something you touched, then painstakingly reproduce said fingerprint through highly technical means and then gain physical access to your personal device that uses a fingerprint reader to use said fingerprint, you should be aware of your position and have multi-factor authentication set up for everything anyway.
For your average everyday person fingerprint security is fine. The thief who snatches your phone when you step away from your table in the mall food court isn't going to be able to crack it via this method.
>If you're already being personally targeted by an organization professional enough to follow you around, take a photo of your fingerprint on something you touched, then painstakingly reproduce said fingerprint through highly technical means and then gain physical access to your personal device that uses a fingerprint reader to use said fingerprint, you should be aware of your position and have multi-factor authentication set up for everything anyway.
But the whole point is that it's easier than you describe as people make photos with fingerprints themself accidentally, and technical means to reproduce fingerprints are not highly technical.
You'd be surprised how low the bar is for "highly technical" among the general populace, particularly those inclined to steal used technology from targets of opportunity. How many people do you know who even own a laser printer, a subscription to photoshop and the skill to use it, and know what an "acetate sheet" is? The vast majority of people, if they have a printer at all, use cheap inkjets, they don't know how to use photoshop and don't care to learn, and they've never heard of acetate sheets.
Could an enterprising criminal master this technique? Sure, but I'm not convinced it's reliable or lucrative enough to make the time/risk investment worth it for someone with that skill-set.
Yep, physical proximity is a huge barrier to any attack, and requiring persistent physical access even more so. If you have a plug in USB keyboard, this sort of quick attack through MitM passthrough is even easier.
However, having some experience with biometric sensors the False Accept/Reject ratio both for matching the fingerprint and detecting "liveness/spoof" is a BIG DEAL. Matching many prints or to many people is also MUCH HARDER (combinatorically). At high SNR (more expensive, higher resolution, larger sensor, higher power, longer latency) these problems can be largely mitigated with accurate recognition and very difficult to spoof systems. Those aren't the ones people attack for online fame.
However, when display integrated ultra-thin low cost very convenient matching is required... it will trade off for False Accept/Reject ratios and make the system significantly (orders of magnitude) less accurate. Unfortunately, it appears that the old MacBook touchbar integrated sensor has sacrificed significantly in this area.
Time of Flight 3D sensors make spoofing Face ID with easily carried biometrics significantly more challenging (they tend to be head sized).
Agree with your overall post entirely, the thing about physical attacks is they don't scale well. If you're subject to an actual individual threat, it's a whole different and enormously scarier/more challenging threat scenario.
>Think this is still overestimating the threat. It's kinda like saying you can hack someone's password by watching video of them typing. True, but also non-trivial.
Isn't that genuinely getting pretty trivial in public though? And in turn I think that is a real argument for biometrics too. The amount of over-the-shoulder camera surveillance in business and urban areas is pretty scary at this point, as are the concealability and cheapness of even very tiny spy cams. There have been plenty of scandals around it even in things like AirBNBs or hotels, historically from the context of sex, but not a stretch to imagine that passwords could be a much bigger and more lucrative target. And ML/AI is getting ever more sophisticated, and humans entering PINs/passwords is pretty repetitive behavior with a high degree of uniformity in how it's done, at least the device-unlock level. Seems very amenable to highly reliable automated analysis, to the extent I'd be genuinely surprised if that's not secretly deployed already in surveillance states.
I don't enter PINs/passwords in public anymore if I can possibly help it. It just seems scalable in a way that physical attacks aren't.
I'm no guru but the only widespread use of spy cameras for password theft I've heard of is false covers on ATMs to catch PIN codes, which makes sense as an ATM eliminates a lot of variables. (angle camera needs to be at, number/size/position of keys on keyboard, required resolution/range, increased number of victims, etc).
In the wild I imagine it's one of those things that's simple in concept but difficult in execution due to all the edge cases. Even if you get 80% of a password, if you're not at the perfect angle to catch those last few key-strokes you haven't accomplished much.
There is a reasonable chance that the print is available on the very device it is needed to unlock (the phone screen, for example), perhaps enough for a thief who snatches your phone to have a decent chance.
Assuming they have a laser printer, photoshop skills/subscription and know about acetate sheets. I'm willing to bet most phone snatchers don't even have one of those ingredients.
Most phone snatchers aren't after the information on the phone. The point is not that this would not be a targeted attack (it would be), but that it might not require a particular combination of circumstances or set-up to follow one around and snap just-the-right-angle photo.
The huge advantage of biometrics (fingerprints, FaceID, etc.) is the ease with which a user can unlock their phone. A passcode may be better than a fingerprint, but a fingerprint+longer passcode is better than a shorter passcode (or no passcode at all).
Having a 12 character alphanumeric passphrase you enter each time you want to unlock is not something most users want to do.
See e.g.: https://www.businesstoday.in/technology/news/story/what-kick...
Only about 49 per cent of the users were setting a passcode, which meant that the remaining 51 per cent were not benefiting from the data protection mechanism. When Apple dug in to understand the reason, the findings revealed that users unlock their devices a lot - on an average about 80 times a day. And about half of its users simply didn't want the inconvenience of having to enter their passcode into their device, at times. At that time, in 2012-2013, the default passcode length for iPhone was four digits, which happens to be six today.
Apple realised that it needed to come up with a mechanism that's fast and secure, and doesn't involve typing in the passcode. That's when Apple introduced Touch ID, which was easy, fast and secure. The way that biometric authentication worked on Apple platforms was that the user must set a passcode to be able to use the biometrics. And just as Apple thought, there was a much higher adoption of biometric-based TouchID. Apple says over 92 per cent chose to use Touch ID and had therefore set the passcode, which in turn meant users were able to use Apple's data protection encryption system.
> The huge advantage of biometrics ... is the ease with which a user can unlock their phone
This does not prevent involuntary unlocking - it actually can allow for eased against-will unlocking.
«Ease» and security may sometimes not be friends.
At least on iPhones though they have a way to activate a mode that prevents the use of TouchID and FaceID. If I press the power button on my phone 5 times in a row that turns that off.
Yes I still run the risk of my device being unlocked against my will if I'm caught by surprise. But I'm able to disable this functionality in places where I think the risk of that may be higher, e.g. while traveling.
I'll still take the trade off of longer password (not just a few numbers) on my phone while using a biometric test for normal access.
Of course not everyone may have the same threats to consider and others may make different choices. Doesn't make either of our choices wrong.
On modern FaceID phones you need to hold the power and down volume key to bring up the Reset/PowerOff and cancel. Just clicking multiple times will bring up wallet, siri, or do nothing.
A TPM can harden a pin such that it is stronger than a biometric. As a simple example, suppose the TPM has an exponential back off algorithm such that you need to wait 1s after one wrong guess, 2s after two wrong guesses, 4s after 3, etc. No one is getting anywhere close to 64 guesses in that case much less the hundreds you might need for a 4 digit pin (assuming it isn't someone's birthday).
However, you are correct that a fingerprint is faster than even a 4 digit pin. And even a TPM does not solve the problem of pin/password reuse and being easy to guess, it just makes it harder by giving you much fewer guesses.
The biggest problem imho is that we only have two states on our phones - locked and unlocked.
Ideally, I should be able to unlock the phone and take photos using just my fingerprint. In my case I would also like to be able to call, message, play games and similar. But to access the 2fa app, cryptoasset app or similar, I must further authenticate in a way that I only reveal parts of my secret ("Enter 3rd, 8th and 11th character of your password:"). The assumption here is that I will mostly authenticate in a private setting, but sometimes I might not have that luxury.
On Android (don't know about iOS) you can take photos without even unlocking - double press on the power button opens the camera. You can't access anything else (including existing photos in the camera roll).
It works the same way on iPhones. The lock screen includes a camera button. When tapped, the phone enter a camera-only mode in which only photos taken during that session are accessible.
You can also swipe the right on the screen to open the camera instead of pressing the camera button on the screen.
True, and it is a step in right direction. However I still don't want to expose my bank app credentials every time I show someone my vacation photos.
Why would your banks account access not require additional credentials beyond what gives access to your photos? I have an iPhone. TouchID/FaceID can give access to the photos, but to get to my bank account, I use a separate login.
You're looking for "screen pinning" on Android or "guided access" on iOS. It's been around for quite a while.
you definitely don't need to unlock to take photos on iOS.
You can already configure apps you are allowed to use on iPhone & Android without unlocking the device. And individual apps are anyways free to implement their own security mechanisms.
Nice concept!
It made me realize this is the purpose of PINs for some apps (eg Signal)
"now place your left index, then your right pinky" etc.
Biometrics are great for authentication but terrible for authorization. Anything sensitive should require both. There's nothing wrong with a fingerprint and a password or a fingerprint and an RFID card as an authorization/authentication pair; you just have to keep these things in mind.
I've fallen to the laziness of using fingerprints on my devices as well, but they still require a password to decrypt the contents of the storage device on boot. For many, if not most, threat models, this is perfectly fine.
I lock my phone to prevent people with messing with my contacts and scrolling through my messages. It's an inconvenience to bypass that requires preparation. A motivated attacker would just as easily spy over my shoulder if I were to use a password, either on my phone or on my laptop.
I look at these mechanisms like the lock on a teenager's bedroom door. Those things aren't impenetrable and anyone with just a little lockpicking experience or access to some automated tools can open them in a minute. Unlike the locks on our front doors, built to keep intruders that don't want to risk physical damage to our windows out, they're a message: please don't violate my privacy. Violating that privacy is made moderately difficult by the mechanism itself, but it's hardly impossible.
Unless you carry a password-protected authentication and key management token with you at all times, you're at risk of having your system broken into. Most of us don't need to worry about those kinds of things.
"Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity." (https://en.wikipedia.org/wiki/Authentication)
So it's not useful for authentication but could be used for identification.
> Biometrics are great for authentication but terrible for authorization
What does that mean? Unlocking your MacBook gives access to your RSA keys and all is lost.
As the other commenter pointed out, he probably meant "great for identification but terrible for authentication".
How do you protect your private keys? I already have an yubikey but it still feels not great.
This doesn't make sense to me. In what use-cases do we use our personal computers authenticated but also unauthorized?
The broader argument here is less about fingerprints, and more about using anything immutable as authentication. You cannot change your fingerprints. You cannot change your social security number (at least not easily). These should therefore, NEVER be a primary method to authorize access to anything. Once stolen, the proverbial horse is out of the barn.
It would be funny to use this technique to make fake fingerprints that are used as the keys. “Hardware key on MBP!”
You can in fact change your fingerprints; glassblowing and metalwork, for example, offer numerous opportunities to do so.
Don't they regenerate? I vaguely recall reading that criminals have tried lots of surgical ideas but none would last longer than a couple of months.
if they do you're not burning deep enough
I dunno, I have psoriasis on my hands bad enough that sometimes i dont properly speaking have skin on some fingertips, so my experiences aren't normal.
I recall hitting someones' demo of the "first PAM integrated fingerprint ID system" in '98 and crashing their machine repeatedly with my thumb. It couldn't even scan me.
Biometrics have both a high False Acceptance Rate - they will accept invalid input - and a high False Rejection Rate - they will deny valid input. Scanners can be tuned one way or the other, preferring FAR or FRR, but either way, they are kind of unreliable.
This is why multi-factor authentication is a thing. Generally, pick two: something you have, something you know, or something you are.
If the scanner doesn't like your fingerprint this morning, just use your proximity badge instead, and if someone takes a photo of your fingerprint, it's still useless unless they also know your PIN.
The issue is that a lot of our hardware, particularly phones and laptops, is single-factor authentication. And on top of that, this hardware knows the login to a bunch of other very sensitive material, like your bank accounts.
This should not be news to anyone. Chaos Computer Club demonstrated almost the same technique in this 2006 video https://www.youtube.com/watch?v=OPtzRQNHzl0
Exactly, just wanted to link this as well.
There's of course nothing wrong with pointing out already known security flaws, but it's good practice to mention when this is a well known thing and reference prior work - which the post by kraken does not do.
MacGyver did it in the 80s
Yeah, this isn't new. It's just cheaper.
Get a daily email with the the top stories from Hacker News. No spam, unsubscribe at any time.