
Fake fingerprints can imitate real ones in biometric systems - frozenice
https://www.theguardian.com/technology/2018/nov/15/fake-fingerprints-can-imitate-real-fingerprints-in-biometric-systems-research
======
baalimago
You only get one set of fingerprints. If you use this as a master key, and
someone else gets a hold of your fingerprints, you're vulnerable for the rest
of your life.

Not very secure.

~~~
xoa
No, that is just not how "secure" works; you need to take into account all the
details of the system in question and the threat model. Usually biometrics is
not being used alone: there is an actual master password, and the biometric
authentication is being combined with a physical token as a shortcut/proxy.
Someone "getting hold of your [fingerprints|eyeballs|face|internal
chip|whatever]" and the physical "token" (smartphone being the most common)
amounts to a targeted physical attack, which is a very difficult class to deal
with but also not scalable. Don't count on any naive or technical-only method
to defeat this: passwords may well be _worse_ because in any non-physically
secure setting it's far more trivial to shoulder surf a passcode entry than to
grab biometrics and seize the token. Furthermore, most people are simply
unwilling (with good reason) to deal with an appropriately complex passcode in
constant usage on the go, so it's a case of biometrics+complex password taking
the place of, say, a 6 digit PIN.

It seems like in every single HN thread on biometrics somebody comes in to
proclaim for the nth time that "fingerprints aren't passwords!!" or something
of that nature, as if "something you know/something you have/something you
are" haven't long been known and considered as basic building blocks of
authentication with various tradeoffs vs different threat scenarios. Your kind
of oversimplification is not helpful given that it can actively harm real
world security, which requires amongst other things actually working with how
actual humans really are and making the right economic tradeoffs.

~~~
wlesieutre
I would say biometrics is “usually” used in phones where it’s used completely
on its own to unlock them.

You might still need a PIN to install an OS update, but that won’t keep
someone from going through all of your photos and emails.

~~~
xoa
> _I would say biometrics is “usually” used in phones where it’s used
> completely on its own to unlock them._

So you'd say that "there is an actual master password and the biometric
authentication is being combined with a physical token as a shortcut/proxy"
then? Because that's what it is.

> _but that won’t keep someone from going through all of your photos and
> emails._

Neither will a PIN in a targeted physical attack. The long, good master
password can defend against offline attacks (including most particularly
backup data stores off of any specific device), serve as a line of defense
against lower level modifications, etc. You keep "someone" from going through
device data through physical defense of the device, difficulty of time-to-
attack vs methods like remote wipes or physical limits, network reqs, perhaps
coercion code/auto sensor limits down the road, and on and on. All within the
framework of expected cost/benefit, like all security.

~~~
wlesieutre
> _So you'd say that "there is an actual master password and the biometric
> authentication is being combined with a physical token as a shortcut/proxy"
> then? Because that's what it is._

I'd say that the fingerprint is the single factor to unlock your phone and
access all of your data. So I'm not sure I understand your point about a
physical token. That the phone is a physical token that you need in order to
unlock the phone?

I guess that's true, but it's a weird way of describing it versus just calling
the fingerprint a single factor used to unlock the physical device.

That feels like saying "My house has two factor authentication, one factor is
the key and the other is the house." The house isn't a second factor, it's
the thing you're getting access to.

~~~
xoa
> _That the phone is a physical token that you need in order to unlock the
> phone? I guess that's true, but it's a weird way of describing it versus
> just calling the fingerprint a single factor used to unlock the physical
> device._

No, it's an important (and interesting, I think) difference. Compare to many of
the systems you deal with otherwise: with most of them the specific physical
thing you're using to access the data isn't that (or at all) relevant. With
your HN account for example, if the password were known then it doesn't need
to be accessed from one of your devices. Nothing of yours needs to be physically
possessed. You could say storage on one of your computer systems would require
more physical access, and that might sort of be true (there are gradients in
all these things), but from a pure technical perspective general practice has
been, even with full disk encryption, that the password is still the root. For
software FDE the password is generally going to go through a key stretching
algorithm to turn it into something cryptographically usable and add some
resistance to brute force of so-so keys as well as time/memory tradeoff
attacks (rainbow tables), but it's a deterministic process. If you know the
password, the key can be generated, including if the drive was pulled and put
into another system or imaged onto some other piece of hardware entirely.
Getting access to the data may present challenges depending on where it is (local
could be harder than an attached drive which might be harder than a LAN
volume, or the reverse). But once that data is acquired, knowledge of the
password is sufficient.

But with a good smartphone (and starting to be more in computers via HSMs or
built-in like Apple's T-series chips) it'll instead be that the
authentication factors go to a blackbox dedicated security chip, and that then
handles keys which are entangled with hard burned-in data specific to that
device. You cannot pull the storage or image it then unlock it; knowing the
user's password is insufficient. For any data using that phone's hardware
security as its root, you _must_ go through that specific, physical chip
regardless of any knowledge of biometrics or passwords. It is an integral part
of the data security in a way that is not yet typical for traditional systems
(let alone online). As far as I know all of those systems still have a
password as one way to authenticate to them, with biometrics being another,
and in principle they could make use of further automatic sensors too as well
as do interesting things like require different authentication factors for
different operations, or enable powerful anti-coercion features.

Of course, it also means if that chip ever has any trouble or gets lost, better
hope to have backups because otherwise you're hosed; no recovery is possible
even if the physical storage is completely fine and all the encrypted data is
right there.

So "what you're getting access to" is the data and operational capability of
the phone, but "how you do so" is going through a "separate physical token
authenticated by a 2nd/3rd factor" (the hardware security chip), no
different than if you had a USB HSM you plugged into your PC and made it a
blackbox requirement for data decryption or certain operations like signing.
Just because the connection between the separate token and what you're
accessing happens to be direct solder and traces on a motherboard vs USB or
PCIe or whatever doesn't mean it's not a separate factor here. And as it's the
physical token intermediating, even total compromise of the system to be
accessed doesn't by itself mean biometrics or passwords leak either.
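
As an added illustration (not part of the thread or any vendor's code), here is the distinction drawn above in Python: a software-FDE key derived by stretching the password alone is reproducible from an imaged disk, whereas a key entangled with a per-chip secret is not. The scrypt parameters, the on-disk salt and the device secrets are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real device or volume.
PASSWORD = b"correct horse battery staple"
SALT = b"\x01" * 16             # lives in the volume header, so it is copied when the disk is imaged
DEVICE_SECRET = b"\xa5" * 32    # stands in for a burned-in secret that never leaves the security chip
OTHER_DEVICE_SECRET = b"\x5a" * 32  # the secret of a different chip the storage was moved into


def stretch_password(password: bytes, salt: bytes) -> bytes:
    """Software-FDE style: key stretching only. Deterministic, so anyone who
    holds the password and the (non-secret) salt recomputes exactly this key."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


def device_bound_key(password: bytes, salt: bytes, device_secret: bytes) -> bytes:
    """Hardware-rooted style: the stretched password is mixed with a secret
    known only to the chip (modelled here as the HMAC key). Without that
    secret, password knowledge alone cannot reproduce the result."""
    stretched = stretch_password(password, salt)
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()


def recover_from_image(password: bytes, imaged_salt: bytes, chip_secret_available: bytes) -> dict:
    """Model someone who imaged the storage (so has the salt), knows the
    password, and runs the derivation on whatever chip they have at hand."""
    return {
        "fde_key": stretch_password(password, imaged_salt),
        "bound_key": device_bound_key(password, imaged_salt, chip_secret_available),
    }


if __name__ == "__main__":
    legit_fde = stretch_password(PASSWORD, SALT)
    legit_bound = device_bound_key(PASSWORD, SALT, DEVICE_SECRET)
    attempt = recover_from_image(PASSWORD, SALT, OTHER_DEVICE_SECRET)
    print("software FDE key reproduced from image:", attempt["fde_key"] == legit_fde)
    print("device-bound key reproduced on other hardware:", attempt["bound_key"] == legit_bound)
```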

~~~
wlesieutre
I would describe the difference in a much more simple way:

For the security of my Gmail account you need 1) password, 2) TOTP code, 3) an
internet connection to Google

For the security of a physical place like my house, you need 1) key, and 2)
physically be at my house. The being at my house part is more analogous to
having an internet connection than another authentication factor.

The phone as a material object follows a threat model like my house. If
someone has a copy of my fingerprint and is physically at my phone that's like
having a copy of my house key and being at my house.

It's true that someone in China can't remotely break into my phone with the
fingerprint, just like someone in China can't take a copy of my house key and
steal my television.

So yes, there's security value in needing physical proximity, but I think it's
a stretch to describe it as a second authentication factor.

How the secure enclave and encryption works is immaterial to the fact that if
I leave my phone sitting on my desk, you only need one thing to get to my
data, and it's a fingerprint that for all I know someone pulled off of a
Starbucks cup 10 years ago after I tossed it into a rest stop trash can, and
my only option to avoid that is "disable the fingerprint scanner" because it's
a single authentication factor that I physically cannot change, unlike a
leaked password.

Anyway, I think we agree on how it works, we're just arguing over the
semantics of how to describe it.

------
mulle_nat
I used to have stacks of these yellow sticky notes with my password printed on
them. I ensured that wherever I went, I would stick one of them to anything I
touched, so I'd have it ready just in case.

Thanks to fingerprint biometrics I can do this now just as well without even
having to buy sticky notes.

------
loourr
This seems pretty obvious. Anything static is forgeable and hence vulnerable.
Bio can add complications (is this fingerprint warm and pulsing?) but
ultimately all will be overcome.

------
AstralStorm
What I don't like about the abstract is that it does not say what this is good
for.

This thing is designed to fool ANN and adaptive systems as used in certain
kinds of biometrics e.g. pictures.

~~~
Phemist
The usual approach to spoofing fingerprints is by somehow acquiring a latent
fingerprint from a "genuine" user, creating a mold from this latent
fingerprint through e.g. [1], and then applying the mold to the fingerprint
sensor.

What these authors previously showed is that you can create a "masterprint" on
a representation (feature vector) level that "averages" a lot of fingerprints
together, creating something that is usually quite close to any individual's
fingerprint, and thus is able to fool recognition software quite often.

In practice, this would require an attacker to bypass the sensor and feature
extractor parts of a biometric system, and inject their masterprint feature
vectors directly into the biometric comparator (one that compares the current
sample to a template derived from previously enrolled samples). Considering
these systems are usually tightly integrated, this is quite a hard attack to
do.

What the authors now present is a way to generate "DeepMasterPrints". These
are actual images that can be used to create molds such as [1], and can be
applied to any fingerprint sensor that doesn't have a sufficient Presentation
Attack Detection (PAD) mechanism (Hint: supposedly most PADs on smartphones
are easy to bypass, same thing for older fingerprint sensors). For these
spoofing attacks, the difficult part was actually getting a high quality print
off the genuine user... but now it turns out this isn't really necessary and
you can use a "DeepMasterPrint" to get a high enough chance of being mistaken
for _any_ genuine user.

[1] http://www2.washjeff.edu/users/ahollandminkley/Biometric/index.html

------
pvaldes
Hmm, about fingerprints as keys to store valuable and personal things. What
happens if tomorrow I suffer a car accident and 'lose' my key? Or have a
new scar hiding a part of my key? Would I be locked out forever?

Or how do you explain to a machine that will keep asking for my 'real key' the
concept of a wasp's sting, for example?

