

German Defense Minister's Fingerprint Copied by Chaos Computer Club - sjreese
http://www.dw.de/german-defense-minister-von-der-leyens-fingerprint-copied-by-chaos-computer-club/a-18154832

======
SEJeff
A fingerprint is a good username and ridiculous as a password. This excellent
article captures my thoughts pretty well:

[http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...](http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html)

~~~
TheLoneWolfling
It's not even a good username.

You can change usernames as often as you wish. Kind of hard to do that with
your fingerprint.

~~~
SEJeff
What do you think about doing it sort of like how RSA does their 2fa bits?

Say it worked like this:

You typed in your username, scanned your fingerprint for the rest of the
username, and then typed a password / passcode?

That makes it virtually impossible to have username collisions (good) and
still uses a password. If you were ultra paranoid, you could use a key fob
such as a Yubikey and enter a OTP in addition to the above.

~~~
TheLoneWolfling
That would work, iff there was not a way to show that a particular person
owned a particular username. However, I cannot think of any way to prevent
that.

...But given the ease of getting someone's fingerprint I'm not sure if this is
actually much better than a standard username+password combination
(potentially with 2fa) without a fingerprint at this point, and it's less
convenient to boot.

------
georgespencer
Biometric security on your cell phone is still a great tradeoff between
security and convenience when compared to four-digit PINs.

~~~
yourad_io
Hmm... You're probably right, but this article proves that a four-digit PIN
(assuming 10 incorrect attempts would lock the phone) would actually be more
secure than a fingerprint.

A fingerprint can be cloned and verified (visually) without giving the device
a chance to "defend itself", whereas even the best-case PIN attack*
wouldn't necessarily exhaust possibilities before 10 tries.

I personally like the swipe gesture, as it is even somewhat resistant to a
shoulder-surfing attack (assuming you've turned off the horrendous default of
drawing the pattern as you drag over it) and is much faster than typing a PIN.

* Excluding shoulder-surfing attacks. You know the digits (smudges have built up over them), but not the order.

~~~
arrrg
Weigh the probability of someone producing a fingerprint replica vs. someone
shoulder-surfing. The first seems exceedingly unlikely to me, while the second
is at least plausible.

~~~
yourad_io
Fair enough. The only issue is that all (ok, most) of your data is on your phone,
as are your fingerprints - so if you lose it[1], in all likelihood they'll be
happy they got a $1K device for free and wipe it, but if they were determined
to get in to get (say) your SSH keys, or something... yeah. They'd need a few
hours and some not-so-hard-to-get machinery.

[1] _Especially_ if it is stolen. "I wasn't targeted. Was I targeted? Nah, I
wasn't targeted. Just a crime of opportunity. Yes. For sure."

~~~
arrrg
There is nothing valuable (except potentially embarrassing private information
that is, however, completely worthless to some random thief) on my phone that
is protected by my fingerprint. The valuable stuff (especially passwords)
can't be accessed with my fingerprint.

So for me personally that is irrelevant.

------
rfrey
When I was working in biometrics 10 years ago, nobody thought fingerprints
were a good userid OR a password. It was always presented as a part of multi-
factor authentication, to be used in conjunction with passcards and/or
passwords.

"Something you have, something you know, something you are".

~~~
HackinOut
_"Something you have, something you know, something you are"_

Fingerprints are neither. As several people mentioned in this thread, the only
thing I see a fingerprint suitable for is replacing a username.

~~~
gress
If your timeframe is eternity, this is valid, but for now, the cost of cloning
a fingerprint is high enough that they are an excellent protection for a huge
category of interactions.

~~~
HackinOut
Agreed, but I personally think it shouldn't be a general public feature, but
rather reserved to the initiated. The cost lessens quickly with time (a point
made by this article) and people have trouble understanding the limitations of
a particular protection.

~~~
gress
I think people have even more trouble applying other forms of protection. A
fingerprint that is actually used is better than a PIN that is disabled, or
worse, written on a card.

~~~
yourad_io
Unless you lose your device. The device that is literally covered with your
fingerprints. In this case, you don't know whether your data is safe or not.
"Probably". Hopefully you'll have remote wipe enabled.

~~~
gress
It may be covered with your fingerprints, but that makes it less likely that
any of those are usable.

------
HackinOut
Although I have no doubt it could work, I guess they didn't try the copy?
Couldn't find the video of the conference. He probably demo'ed using a copy of
his own fingerprint from a photo?

It's great work, I hope the fact that you can make a copy from a simple HD
photo will bury people's ideas about fingerprints security for good.

------
spacefight
In other words: biometric identification is still broken.

~~~
JoeAltmaier
It's never been a good idea. Fingerprint as user identification is the worst
kind of password you can come up with. You can't change it periodically; you
have to use the same one for every purpose; you leave it lying around in
public all the time. Forget biometrics, they're useless.

~~~
_asummers
It is better to think of it like a username than a password. None of my
devices support biometrics, but if they did, I would want to have both
fingerprint AND password, if that's possible. Does anyone know if any of
Apple, Samsung, et al allow that?

~~~
HackinOut
I think Samsung does it with facial recognition on the Galaxy S's lock screen.
Should work better and better and you don't need an additional sensor.

EDIT: So does Kinect for Xbox one.

~~~
spacefight
That still sounds like crap. Has anyone defeated that already with a still
picture?

~~~
HackinOut
OP mentioned using biometrics as a username in combination with a password.
[1] seems to imply you can add a password or pass code on xbox and I think you
can do that too on a Galaxy S (?)

[1] [http://support.xbox.com/en-US/xbox-360/kinect/auto-sign-in](http://support.xbox.com/en-US/xbox-360/kinect/auto-sign-in)

------
lelf
[http://www.ccc.de/en/updates/2014/ursel](http://www.ccc.de/en/updates/2014/ursel)

------
junto
It didn't mention it specifically, but I presume you could then 3D print a
replica?

~~~
sp332
Fingerprint scanners use a 2D scanner, right? So you just need a 2D copy of
the pattern, like they used last time.
[http://boingboing.net/2008/04/01/hackers-publish-thou.html](http://boingboing.net/2008/04/01/hackers-publish-thou.html)

~~~
SEJeff
The answer to that is more of "it depends". Some higher-end fingerprint
readers actually use small sound waves to verify the ridges on your fingers
are indeed ridges instead of a piece of photo paper with an HD fingerprint.
Others use your fingerprint in addition to the heat signature your finger
gives off. I'm sure there are others I'm not aware of, but both of the above
have been proven defeatable with a mold + gummy-bear-like material and warming
it up slightly.

------
runn1ng
Zoom.

Enhance.

------
jacquesm
That's not the first time they've done this:

[http://www.wired.com/2008/03/hackers-publish/](http://www.wired.com/2008/03/hackers-publish/)

~~~
HackinOut
This was done from an _"index finger [...] lifted from a water glass"_ while
we are discussing a copy made from a _"few photographs"_.

