Fake fingerprints can imitate real ones in biometric systems (theguardian.com)
83 points by frozenice on Nov 15, 2018 | 40 comments



You only get one set of fingerprints. If you use this as a master key, and someone else gets a hold of your fingerprints, you're vulnerable for the rest of your life.

Not very secure.


No, that is just not how "secure" works, you need to take into account all the details of the system in question and the threat model. Usually biometrics is not being used alone, there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy. Someone "getting ahold of your [fingerprints|eyeballs|face|internal chip|whatever]" and the physical "token" (smartphone being the most common) amounts to a targeted physical attack, which is a very difficult class to deal with but also not scalable. Don't count on any naive or technical only method to defeat this: passwords may well be worse because in any non-physically secure setting it's far more trivial to shoulder surf a passcode entry than to grab biometrics and seize the token. Furthermore most people are simply unwilling (with good reason) to deal with an appropriately complex passcode in constant usage on the go, so it's a case of biometrics+complex password taking the place of say a 6 digit PIN.

It seems like every single HN thread on biometrics somebody comes in to proclaim for the nth time that "finger prints aren't passwords!!" or something of that nature, as if "something you know/something you have/something you are" haven't long been known and considered as basic building blocks of authentication with various tradeoffs vs different threat scenarios. Your kind of oversimplification is not helpful given that it can actively harm real world security, which requires amongst other things actually working with how actual humans really are and making the right economic tradeoffs.


I would say biometrics is “usually” used in phones where it’s used completely on its own to unlock them.

You might still need a PIN to install an OS update, but that won’t keep someone from going through all of your photos and emails.


>I would say biometrics is “usually” used in phones where it’s used completely on its own to unlock them.

So you'd say that "there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy" then? Because that's what it is.

>but that won’t keep someone from going through all of your photos and emails.

Neither will a PIN in a targeted physical attack. The long, good master password can defend against offline attacks (including most particularly backup data stores off of any specific device), serve as a line of defense against lower level modifications, etc. You keep "someone" from going through device data through physical defense of the device, difficulty of time-to-attack vs methods like remote wipes or physical limits, network reqs, perhaps coercion code/auto sensor limits down the road, and on and on. All within the framework of expected cost/benefit, like all security.


No, because generally the only things of value are protected by a fingerprint.

It's like keeping a safe unlocked while keeping the safe's BIOS protected. It's the content that matters, not the OS.


>So you'd say that "there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy" then? Because that's what it is.

I'd say that the fingerprint is the single factor to unlock your phone and access all of your data. So I'm not sure I understand your point about a physical token. That the phone is a physical token that you need in order to unlock the phone?

I guess that's true, but it's a weird way of describing it versus just calling the fingerprint a single factor used to unlock the physical device.

That feels like saying "My house has two factor authentication, one factor is the key and the other is the house." The house isn't a second factor, it's the thing you're getting access to.


>That the phone is a physical token that you need in order to unlock the phone? I guess that's true, but it's a weird way of describing it versus just calling the fingerprint a single factor used to unlock the physical device.

No, it's an important (and interesting I think) difference. Compare to many of the systems you deal with otherwise: with most of them the specific physical thing you're using to access the data isn't that (or at all) relevant. With your HN account for example, if the password were known then it doesn't need to be accessed from one of your devices. Nothing of yours needs to be physically possessed. You could say storage on one of your computer systems would require more physical access, and that might sort of be true (there are gradients in all these things), but from a pure technical perspective general practice has been, even with full disk encryption, that the password is still the root. For software FDE the password is generally going to go through a key stretching algorithm to turn it into something cryptographically usable and add some resistance to brute force of so-so keys as well as time/memory tradeoff attacks (rainbow tables), but it's a deterministic process. If you know the password, the key can be generated, including if the drive was pulled and put into another system or imaged onto some other piece of hardware entirely. Getting access to the data may present challenges depending on where it is (local could be harder than an attached drive which might be harder than a LAN volume, or the reverse). But once that data is acquired, knowledge of the password is sufficient.

But with a good smartphone (and starting to be more in computers via HSMs or built-in like Apple's T-series of chips) it'll instead be that the authentication factors go to a blackbox dedicated security chip, and that then handles keys which are entangled with hard burned-in data specific to that device. You cannot pull the storage or image it then unlock it, knowing the user's password is insufficient. For any data using that phone's hardware security as its root, you must go through that specific, physical chip regardless of any knowledge of biometrics or passwords. It is an integral part of the data security in a way that is not yet typical for traditional systems (let alone online). As far as I know all of those systems still have a password as one way to authenticate to them, with biometrics being another, and in principle they could make use of further automatic sensors too as well as do interesting things like require different authentication factors for different operations, or enable powerful anti-coercion features.

Of course, it also means if that chip ever has any trouble or gets lost better hope to have backups because otherwise you're hosed, no recovery is possible even if the physical storage is completely fine and all the encrypted data is right there.

So "what you're getting access to" is the data and operational capability of the phone, but "how you do so" is going through a "separate physical token authenticated by another 2nd/3rd factor" (the hardware security chip), no different than if you had a USB HSM you plugged into your PC and made it a blackbox requirement for data decryption or certain operations like signing. Just because the connection between the separate token and what you're accessing happens to be direct solder and traces on a motherboard vs USB or PCIe or whatever doesn't mean it's not a separate factor here. And as it's the physical token intermediating even total compromise of the system to be accessed doesn't by itself mean biometrics or passwords leak either.
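An added example, not part of the thread and not any vendor's actual design, contrasting the two key hierarchies the comment above describes: a password-only key that can be regenerated on any hardware, and a key entangled with a per-device secret that only one chip can reproduce. `SecureChip`, `seal`, `unseal`, `MAX_TRIES` and the iteration count are hypothetical, and the XOR/HMAC wrap is a stand-in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this demo)


def stretch(password: str, salt: bytes) -> bytes:
    """Deterministic key stretching: same password + salt gives the same key anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def wrap(kek: bytes, data_key: bytes) -> bytes:
    """Toy key wrap for a 32-byte data key: XOR pad plus HMAC tag."""
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(data_key, pad))
    return body + hmac.new(kek, b"tag" + body, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the data key, or None if the key-encryption key is wrong."""
    body, tag = blob[:32], blob[32:]
    expected = hmac.new(kek, b"tag" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))


class SecureChip:
    """Hypothetical security chip: the UID never leaves it, and retries are capped."""

    MAX_TRIES = 5

    def __init__(self) -> None:
        self._uid = os.urandom(32)  # stands in for the burned-in device secret
        self._failures = 0

    def _kek(self, password: str, salt: bytes) -> bytes:
        # Entangle the stretched password with the device secret.
        return hmac.new(self._uid, stretch(password, salt), hashlib.sha256).digest()

    def seal(self, password: str, salt: bytes, data_key: bytes) -> bytes:
        return wrap(self._kek(password, salt), data_key)

    def unseal(self, password: str, salt: bytes, blob: bytes) -> Optional[bytes]:
        if self._failures >= self.MAX_TRIES:
            raise PermissionError("retry limit reached")
        key = unwrap(self._kek(password, salt), blob)
        self._failures = 0 if key is not None else self._failures + 1
        return key


def demo() -> dict:
    """Image the storage, then try to unlock it elsewhere with the correct password."""
    password = "constructed-demo-passphrase"  # constructed sample value
    salt, data_key = os.urandom(16), os.urandom(32)

    # Software FDE: the wrapped key and salt sit on disk; the password is the root.
    sw_blob = wrap(stretch(password, salt), data_key)
    sw_elsewhere = unwrap(stretch(password, salt), sw_blob)

    # Chip-rooted: the same password on a different chip yields a different KEK.
    phone, other_device = SecureChip(), SecureChip()
    hw_blob = phone.seal(password, salt, data_key)
    return {
        "software_image_elsewhere": sw_elsewhere == data_key,
        "chip_image_elsewhere": other_device.unseal(password, salt, hw_blob) == data_key,
        "chip_original": phone.unseal(password, salt, hw_blob) == data_key,
    }


if __name__ == "__main__":
    print(demo())
```
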


I would describe the difference in a much more simple way:

For the security of my Gmail account you need 1) password, 2) TOTP code, 3) an internet connection to Google

For the security of a physical place like my house, you need 1) key, and 2) physically be at my house. The being at my house part is more analogous to having an internet connection than another authentication factor.

The phone as a material object follows a threat model like my house. If someone has a copy of my fingerprint and is physically at my phone that's like having a copy of my house key and being at my house.

It's true that someone in China can't remotely break into my phone with the fingerprint, just like someone in China can't take a copy of my house key and steal my television.

So yes, there's security value in needing physical proximity, but I think it's a stretch to describe it as a second authentication factor.

How the secure enclave and encryption works is immaterial to the fact that if I leave my phone sitting on my desk, you only need one thing to get to my data, and it's a fingerprint that for all I know someone pulled off of a Starbucks cup 10 years ago after I tossed it into a rest stop trash can, and my only option to avoid that is "disable the fingerprint scanner" because it's a single authentication factor that I physically cannot change, unlike a leaked password.

Anyway, I think we agree on how it works, we're just arguing over the semantics of how to describe it.


Yes. We should think about our fingerprints as a userid, not as a password.


[flagged]


> user IDs which by definition are all changeable, since they are essentially aesthetic symbolic pointers towards primary keys and bundles of identity

Citation needed? A fingerprint can absolutely be used to generate a hash that functions as a pointer to primary keys.


A fingerprint cannot be used as a hash to encrypt keys. All you can do is store some data and compare the fingerprint to see if there are enough matches. That is why secure fingerprint systems always involve some ‘secure’ hardware that stores and compares the fingerprint to the stored data and then releases some key.

Systems that try to do this in software are always trivially circumvented because you can just change the software to allow ‘not enough matches’ instead of ‘enough matches’. The key is necessarily in the device and software can’t protect it.


Are you seriously arguing a fingerprint is an aesthetic symbolic pointer in the way a name is? That you are going to just refer to other people (whether IRL or online) by "fingerprint"? That people choose their fingerprints based on what they think will be a good one? That there can just be a simple process to arbitrarily change their fingerprint if they later decide they'd prefer another one?

Because all of those apply to user IDs.


Not trolling, but pouring more oil on the fire...

TLDR yes, biometrics are the closest thing to a user ID

> Are you seriously arguing a fingerprint is an aesthetic symbolic pointer in the way a name is?

Absolutely. A given name is non-unique, and not chosen by you. Yet everyone refers to you by it, if only by convention.

> That you are going to just refer to other people (whether IRL or online) by "fingerprint"?

No but computers might as well do, much as you identify someone by their face. You might refer to someone by their public key fingerprint too (also similarly non-collision resistant)

> That people choose their fingerprints based on what they think will be a good one?

People rarely choose their names, nicknames, or usernames. Why is choice an issue here?

> That there can just be a simple process to arbitrarily change their fingerprint if they later decide they'd prefer another one?

People find it difficult to arbitrarily change their face, most are reluctant to change their given names - and indeed there's significant pressure from 'the system' to make it difficult for you, and also what about the many who find it annoying when their preferred username is unavailable, etc. I can't see what your point is here?

> Because all of those apply to user IDs.

A user id isn't a primary key in the real world - only when it comes to a particular computer system.

Finally your fingerprints do change over time, though not necessarily in a manner which will confuse current matching techniques.


[flagged]


>> Are you seriously arguing a fingerprint is an aesthetic symbolic pointer in the way a name is?

> Absolutely

My point is a user name is something everyone knows i.e. not a secret.

Biometrics are not a secret as they are, in the case of fingerprints - easily picked from your Starbucks coffee cup, the door you just opened etc.

Your face is permanently on display.

Etc.

Your assertion that biometrics are not user-name equivalent is embarrassingly ignorant and you've already shown your inability to read or show much comprehension.

I shall therefore assume that you're unused to rational discussion and leave it there.


> Yet again, there are three basic classes of common authentication factors: something you know, something you have, and something you are. Biometrics belong to the "something you are" class.

It's so odd to me that we consider fingerprints "something you are". Fingerprints surely are "something I have" in that I can lose them by disfigurement or maiming. "Something I am" is more like my DNA which can't be taken from me to the point of loss, unlike someone cutting off my fingers which would deny me access to whatever system it's used for.


pedantic.


Not pedantic, it's exactly the issue. Single word dismissals are intellectually dishonest and particularly inappropriate for HN.


reference your comments then please because your opinions are not the mainstream thus the burden of proof is on you


wow dude i dunno if the comments have been edited, but that's wrong. biometrics are much more like usernames than passwords. it's a common sentiment among those educated in security


It's a common sentiment amongst those who think they're educated about security. Just like "rotate passwords at rapid intervals and you must satisfy this baroque complex set of requirements for them too" is common sentiment. Unfortunately.


i think we agree more than it might seem, but i can't tell. sure those types of requirements are often absurd and result of ignorance. but back to the point, i don't understand what your argument is about user IDs. remember the context of the comment you criticized is that there are vulnerabilities in biometric security. those vulnerabilities apply when the biometric data is used as a password; it does not apply when the biometric is a username.

so if you're merely saying (as i think you are) that biometrics make poor usernames, much as they make poor passwords, your argument is quite trivial/tangential to this thread and really doesn't address the point op is making and doesn't contribute to the thread in any meaningful way (unless you wanted to expound specifically on why it's so important for usernames to be, mutable?)

and if, instead, you're saying, as you implied to me, that biometrics make better passwords than usernames, i'll reiterate: that's wrong.


>i don't understand what your argument is about user IDs

Names/User IDs are not equivalent to biometrics. Nor passwords. Nor tokens. They are symbols that exist to enhance human UX. That's it.

>remember the context of the comment you criticized is that there are vulnerabilities in biometric security

Yes, just like in every single form of authentication. Which is utterly irrelevant.

>so if you're merely saying (as i think you are) that biometrics make poor usernames, much as they make poor passwords

>that biometrics make better passwords than usernames, i'll reiterate: that's wrong.

These are utterly nonsensical statements. Biometrics are not user names (a public symbol) nor are they passwords ("something you know"), "poor" has nothing to do with it, they are one of the other two classes of unique authentication factors. They have their own strengths and weaknesses, and yield different practical results when combined with one (or both) of the other two in a multi-factor authentication system. And a biometric/token MF system can absolutely be superior in security for many common threat scenarios and use cases compared to passwords. Achieving good security requires intelligent deployment of all 3.


defined as such! good grief. anyone can code up a system that uses a fingerprint as a username -- you can't reply "that's not a username!" yes it is, because it's defined as such! similarly, lots of applications use the fingerprint as both username and password, again defying your platonic ideal. you can go ahead and define the proper "taxonomy of authentication factors" but the whole irony is you think everyone has this biometric username/password false dichotomy when you fail to recognize that this dichotomy exists in the wild and often in really bad ways ;P


>anyone can code up a system that uses a fingerprint as a username

Really? Please describe such a system. Will it use a photograph of the fingerprint? A hash value? What hash? How do you deterministically arrive at the exact same one each time, or do you plan to "change the user name every single time" and in that case what is the actual persistent pointer to the account/person? Do you expect people to then use that name in conversation or when they think about it?

See, this makes no sense. That's not what "user names" are, it doesn't have any of the properties humans ascribe to them.

>similarly, lots of applications use the fingerprint as both username and password

Name them. Name one, for that matter.

You seem very, very confused about all this but at this point I really don't know how to make it any clearer for you.


Re the hash value. Are you aware of fuzzy commitment[1]? It is a crypto scheme for protecting and/or deriving encryption keys from data that is subject to noise (such as in biometrics). If you can derive encryption keys, you can also derive hashes.

[1] https://dl.acm.org/citation.cfm?id=319714
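A sketch of the fuzzy commitment idea the comment above cites, added here as an example that is not part of the thread: a random key is hidden under the enrolled template with an error-correcting code, so a later noisy reading recovers the same key (and the same derived identifier), while a reading that is too far off recovers nothing. The 7x repetition code, 32-bit key, fixed-length binary template and `stable_id` helper are assumptions chosen to keep the demo small, not production parameters.

```python
import hashlib
import hmac
import random
import secrets
from typing import List, Optional, Tuple

REP = 7        # each key bit is repeated 7 times; majority vote fixes up to 3 flips per block
KEY_BITS = 32  # toy key length (a real deployment needs far more)


def encode(key: List[int]) -> List[int]:
    """Repetition-code encoder: key bits -> codeword bits."""
    return [b for b in key for _ in range(REP)]


def decode(bits: List[int]) -> List[int]:
    """Majority-vote decoder: noisy codeword bits -> nearest key."""
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]


def digest(bits: List[int]) -> bytes:
    return hashlib.sha256(bytes(bits)).digest()


def commit(template: List[int]) -> Tuple[dict, List[int]]:
    """Enrollment: store only hash(codeword) and codeword XOR template."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = encode(key)
    delta = [c ^ t for c, t in zip(codeword, template)]
    return {"delta": delta, "check": digest(codeword)}, key


def open_commitment(commitment: dict, sample: List[int]) -> Optional[List[int]]:
    """Verification: a close-enough sample decodes back to the committed key."""
    noisy_codeword = [d ^ s for d, s in zip(commitment["delta"], sample)]
    key = decode(noisy_codeword)
    if hmac.compare_digest(digest(encode(key)), commitment["check"]):
        return key
    return None


def stable_id(key: List[int]) -> str:
    """Hypothetical helper: a repeatable identifier derived from the recovered key."""
    return hashlib.sha256(b"user-id" + bytes(key)).hexdigest()[:16]


def flip(bits: List[int], positions: List[int]) -> List[int]:
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo() -> dict:
    rng = random.Random(2018)  # constructed template, not real biometric data
    template = [rng.getrandbits(1) for _ in range(KEY_BITS * REP)]
    commitment, key = commit(template)

    # Rescan with 2 of every 7 bits flipped (about 29% noise): still decodes.
    rescan = flip(template, [i * REP + j for i in range(KEY_BITS) for j in (0, 3)])
    # Four flips inside one block exceed what the code can correct.
    too_noisy = flip(template, [0, 1, 2, 3])

    recovered = open_commitment(commitment, rescan)
    return {
        "rescan_recovers_key": recovered == key,
        "same_id_each_time": recovered is not None and stable_id(recovered) == stable_id(key),
        "too_noisy_rejected": open_commitment(commitment, too_noisy) is None,
    }


if __name__ == "__main__":
    print(demo())
```
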


i'm sorry it doesn't make sense to you. when you said, "that's not what usernames are" it became clear it's a linguistic issue.

you are defining terms one way and i have defined them another way (that's fine) so that is why we cannot come to agreement on any corollary.

the distinction is that you are sticking to the "formal" definitions, while i am using "functional" definitions.

we agree (troll test #1) that auth factors can come in 3 flavors (for the 100th time): something you know, something you have, and something you are. according to this definition, a fingerprint goes into one bucket ("are") and a password goes into another bucket ("know"). peachy. BUT, fingerprints are also something else: GREASE. grease left on a handrail doesn't fit into any of these buckets. that doesn't mean it's not a fingerprint!

do you see the point? if you can appreciate that, and look at my comments through this lens, they might make sense. functionally, programmers are free to use "usernames" QUA "passwords" if they want to -- we can't just define that out of existence.


to be clear i think we can basically agree on the fundamentals: the FFIEC guidelines where two or more of the three basic auth factors are used in combination (biometrics, usernames, and passwords are independent) and our argument is really about the best way to help everyone else who can only see 2 categories. this was fun.


having read some of your other comments maybe you're making a point about UX -- where the tradeoff between a biometric password or some long and obtuse string of characters (which is thus more likely to be saved in the browser or written on a sticky note) is not as obvious as it seems: which is worse? that's a valid point.

and then about usernames: maybe you're just saying, hey i can't just swipe my finger at gmail.com because which gmail account am i logging into? do i need 1 finger for each account (business, personal, etc)? lol that's kind of valid point too but nobody is proposing that the biometric identifier is the only part of the username any more than your browser fingerprint is (which google does indeed utilize; sign in from somewhere else and you'll get 2FA vs on your own device, etc etc). think of your biometric data more like your phone number in 2fa. it's yours and can help to verify your identity but it's not secret and your authenticator should be secret


You can do a z-cut to change them. A little gruesome though.


I used to have stacks of these yellow sticky notes with my password printed on them. I ensured that wherever I went, I would stick one of them to anything I touched, so I'd have it ready just in case.

Thanks to fingerprint biometrics I can do this now just as well without even having to buy sticky notes.


[flagged]


The point apparently went way over your head.

Your grandmother does not leave her password all over random places. At the coffee shop, the neighbor's kitchen or the airport restroom as she does with her fingerprints, or does she?


Your grandmother, doctor, etc are not aware they can use a password manager with a master password such as "dandy-pencil-colonist-precise-populate-stardom" which would be more difficult to crack than finding and copying a fingerprint on your device. It's only a matter of time until one of these is cracked, and with touchID and faceID they're going to get cracked before said password is cracked.

PS: Just a piece of advice, your tone throughout this thread isn't going to convince anyone. On the contrary.


>Your grandmother, doctor, etc are not aware they can use a password manager with a master password such as "dandy-pencil-colonist-precise-populate-stardom"

They are. My grandmother in particular cannot handle such a thing. At all. This is exactly the sort of dismissive tech myopia that comes from people who get too deep into the tech trenches and lose sight of huge swaths of the general population. It's very easy to take for granted the huge amounts of meta knowledge and mental models of abstract systems people like us possess. With those as frameworks lots of things make total sense that are utterly confusing to those without them, even ignoring sensory trouble.

>which would be more difficult to crack than finding and copying a fingerprint on your device.

Really? Seems a lot easier: there that person is hunting and pecking (you don't think touch typing even is universal do you?) in public, hard of hearing and totally focused on that, while someone else stands behind them and just watches. Even assuming there are no cameras looking down of any kind around of course. Using words like you suggest makes it even easier, if you know each section is a real word then even missing parts will make it easy to fill in the blanks, heck just hearing it would be plenty to narrow the search space. Or how about using WiFi transmissions directly to recognize keystrokes ("Keystroke Recognition Using WiFi Signals": https://www.sigmobile.org/mobicom/2015/papers/p90-aliA.pdf )?

>Its only a matter of time until one of these is cracked, and with touchID and faceID they're going to get cracked before said password is cracked.

Uh-huh, sure thing. That's why we read all the time about the vast gangs using harvested finger prints and 3D face scans to unlock iPhones, but have never read about shitty PINs getting brute forced or people reusing passwords or password reset mechanisms getting abused because people forget them all the time or password databases getting leaked or...? Yeah, passwords are certainly the best!

>PS: Just a piece of advice, your tone throughout this thread isn't going to convince anyone. On the contrary.

Right back at you. Your comment comes across as a typically dismissive, smug put down of the needs and requirements of large portions of our fellow humans who do amazing things but just not in our specialty. And it's an attitude that has actively harmed security.


> They are. My grandmother in particular cannot handle such a thing. At all. This is exactly the sort of dismissive tech myopia that comes from people who get too deep into the tech trenches and lose sight of huge swaths of the general population. It's very easy to take for granted the huge amounts of meta knowledge and mental models of abstract systems people like us possess. With those as frameworks lots of things make total sense that are utterly confusing to those without them, even ignoring sensory trouble.

The advantage of using a sentence as password is that it is easy to remember. The advantage of using a password manager is that you only need to remember one strong password. The strong password can be remembered as a picture (like correct horse battery staple) which is a very strong way to remember anything. Tricks like paintings and books can be used instead of sticky notes.

With touchID and faceID an adversary can force you to cooperate, and they also have false positives. IIRC with FaceID it was 1 in 1.000.000. TouchID weaker. Non-Apple implementations likely even weaker. It takes longer to break said password with full knowledge (53 bit entropy). It didn't even have fancy things such as capitals or different separators.

Plus, I never said I only use a password; I use 2FA. A YubiKey with TOTP or whatever can be revoked. The government doesn't have a copy of it, it isn't stored in my ID card either. It is mine, and mine only.

> Really? Seems a lot easier: there that person is hunting and pecking (you don't think touch typing even is universal do you?) in public, hard of hearing and totally focused on that, while someone else stands behind them and just watches. Even assuming there are no cameras looking down of any kind around of course. Using words like you suggest makes it even easier, if you know each section is a real word then even missing parts will make it easy to fill in the blanks, heck just hearing it would be plenty to narrow the search space. Or how about using WiFi transmissions directly to recognize keystrokes ("Keystroke Recognition Using WiFi Signals": https://www.sigmobile.org/mobicom/2015/papers/p90-aliA.pdf )?

TEMPEST and such is a different problem. I don't recommend WLAN in secure environments. Cameras are a reason why I recommend 2FA.

> That's why we read all the time about the vast gangs using harvested finger prints and 3D face scans to unlock iPhones, but have never read about shitty PINs getting brute forced or people reusing passwords or password reset mechanisms getting abused because people forget them all the time or password databases getting leaked or...? Yeah, passwords are certainly the best!

We've read about fingerprint identification and facial recognition being cracked. It isn't a matter when touchID and faceID are cracked; the question is when. The password I mentioned, if inputted securely, has high enough entropy to remain secure longer than touchID and faceID are.

PIN has very weak entropy, and using your password in public is a bad idea.

> Right back at you. Your comment comes across as a typically dismissive, smug put down of the needs and requirements of large portions of our fellow humans who do amazing things but just not in our specialty. And it's an attitude that has actively harmed security.

You are projecting.


>The advantage of using a sentence as password is that it is easy to remember

No, a long random sentence is not necessarily easy to remember, nor necessarily enter correctly or quickly. It might be easier for many people to remember sure, but there are also plenty of people who just plain have memory problems period.

>The advantage of using a password manager is that you only need to remember one strong password.

Preaching to the choir here. I switched over to religiously using Keychain Access, requiring careful manual entry and reentry of everything, back around Mac OS X 10.3 IIRC. Looking at my primary keychain right now the earliest entry I still have saved is from June 2004. I have pushed them ever since, though I'll note with some irony that there has long been pushback against it of the exact same type you're doing by those arguing that keeping it all in one's head is "more secure". But even though they've gotten far more convenient and automated I tell you right now from significant teaching experience that they still encompass a mental model that does not come naturally to many people. Hopefully they'll be rendered obsolete along with public passwords in general sooner rather than later.

>With touchID and faceID an adversary can force you to cooperate

They can with a password too, there is no difference here at all. It is also equally a non-issue for most people's threat models. Active in person physical threats are outside of nearly any widely deployed system right now, though Apple has the foundations in place to do more if they ever decide to.

>false positives

Too low an issue to be relevant given hardware restricted retries and comparative advantage vs PINs.

>53 bit entropy

Are you trying to make a joke here? You seriously think most people will be using high entropy passwords every single time they want to access their phones? Their watches? Or even computers for that matter, what makes that work in general is that it's a relatively rare operation amortized over long sessions, not constant. Lots of people didn't even like the friction of using a 4-digit PIN.

Biometric shortcuts for general usage is precisely what has made longer master passwords more feasible for more people.

>TEMPEST and such is a different problem.

What I described isn't TEMPEST, and at any rate it's not a different problem at all, it's part of the same threat scenario. That's the point. Biometrics can be at least as resistant, or more so, to passive compromise.

>I don't recommend WLAN in secure environments.

Secure environments are not where most people are using devices. A "security" system that doesn't deal with the realities of usage is a shitty system.

>Cameras are a reason why I recommend 2FA.

Biometrics + physical token is 2FA.

>We've read about fingerprint identification and facial recognition being cracked.

No, we've read about them being "cracked" as in somebody in a lab managed with some level of resources and directed effort to manage to trick a system some percentage of the time (make sure to read the fine print on number of tries it took for example). But security is always an economic equation, so this is only useful in context of threat scenarios and protection & usage value ratios.

>and using your password in public is a bad idea

Haha what, then what the heck have you even been going on about this whole time? Are you saying that people just shouldn't use their powerful packed full of private information and payment access and all sorts of other stuff computing devices in public at all? Because they will (and should be able to!). A real security system needs to handle that.


This seems pretty obvious. Anything static is forageable and hence vulnerable. Bio can add complications (is this fingerprint warm and pulsing?) but ultimately all will be overcome.


What I don't like about the abstract is that it does not say what this is good for.

This thing is designed to fool ANN and adaptive systems as used in certain kinds of biometrics e.g. pictures.


The usual approach to spoofing fingerprints is by somehow acquiring a latent fingerprint from a "genuine" user, creating a mold from this latent fingerprint through e.g. [1], and then applying the mold to the fingerprint sensor.

What these authors previously showed is that you can create a "masterprint" on a representation (feature vector) level that "averages" a lot of fingerprints together, creating something that is usually quite close to any individual's fingerprint, and thus is able to fool recognition software quite often.

In practice, this would require an attacker to by-pass the sensor and feature extractor parts of a biometric system, and inject their masterprint feature vectors directly into the biometric comparator (one that compares the current sample, to a template derived from previously enrolled samples). Considering these systems are usually tightly integrated, this is quite a hard attack to do.

What the authors now present is a way to generate "DeepMasterprints". These are actual images that can be used to create molds such as [1], and can be applied to any fingerprint sensor that doesn't have a sufficient Presentation Attack Detection (PAD) mechanism (Hint: supposedly most PADs on smart phones are easy to by-pass, same thing for older fingerprint sensors). For these spoof attacks, the difficult part was actually getting a high quality print off the genuine user, but now it turns out this isn't really necessary and you can use a "deepmasterprint" to get a high enough chance of being mistaken for _any_ genuine user.

[1] http://www2.washjeff.edu/users/ahollandminkley/Biometric/ind...


It seems to be pretty clear that it is related to fingerprint recognition systems. I'm not sure what you mean.


Hum, about fingerprints as keys to store valuable and personal things. What happens if tomorrow I suffered a car accident and 'lost' my key, or had a new scar hiding a part of my key? Would I be locked out forever?

Or how to explain to a machine that will keep asking for my 'real key' the concept of a wasp's sting, for example?



