
Fingerprints are Usernames not Passwords - tosh
http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
======
therobot24
> But biometrics cannot, and absolutely must not, be used to authenticate an
> identity.

I understand where the author is coming from, but as someone who did their PhD
in biometrics it also comes across as a fundamental misunderstanding of what a
biometric does. A biometric 100% authenticates identity - even if only used as
a username. This is because a biometric is both a username and a password.

~~~
richmarr
> ...a biometric is both a username and a password

Appreciate you probably know a ton about this area, but I think you may be too
close to it.

Passwords work by being (a) secret and (b) changeable. Your biometrics are
categorically _not_ secret and categorically _not_ changeable.

> A biometric 100% authenticates identity....

I'm just going to leave this here

http://www.heise.de/video/artikel/iPhone-5s-Touch-ID-hack-in-detail-1966044.html

~~~
therobot24
> Passwords work by being (a) secret and (b) changeable. Your biometrics are
> categorically not secret and categorically not changeable.

Very true, the biometric itself (face, fingerprint, iris, etc) really
shouldn't change for it to be reliable. But this doesn't always mean that a
picture of your face will automatically allow someone else to gain access in a
real world system. Further, even a stolen raw template from a data breach
doesn't necessarily guarantee anything.

Currently, I disagree that a biometric should be used in the same role as a
password for most applications. Most research is geared toward recognition
performance, but comparatively little is focused on system security (such as
spoofing). However, I still get uneasy when I see such declarative statements
claiming that a biometric can never be a password. Microsoft Windows "Hello"
[1] is really the best implementation of what I mean. The user sits down at
the computer and the system recognizes them. For consumer applications this is
really the goal of any biometric system.

[1] http://windows.microsoft.com/en-us/windows-10/getstarted-what-is-hello

> A biometric 100% authenticates identity....

The author assertively states that a biometric does not authenticate identity,
so my comment is related to the fact that the purpose is to authenticate
identity (not that it will be right 100% of the time - easy to see how that
would be confused - probably should have used different terminology).

------
mchahn
It never occurred to me how easy it is for a police officer to scan your phone
sensor across your finger while physically holding you down. In many places
they can't force you to give them your password but this bypasses that.

