
Fingerprints are Usernames, not Passwords - jcastro
http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
======
gfodor
All these academic arguments about the security of fingerprints are
interesting but completely are detached from the day-to-day use of TouchID.

I've been using it for about a week or so now. It's incredibly convenient. It
unlocks my phone almost instantly. It prevents random people near by phone
from being unable to unlock it. If a thief got their hands on it, they'd have
a few attempts to unlock it with a fake fingerprint, and then they'd have to
enter my code. And if they fail to enter my code 10 times, the phone is wiped.

All in all TouchID basically removes almost the entire burden from the
security of having a locked phone. It's actually faster to unlock my phone
with TouchID than codeless swipe to unlock, so it's a no-brainer to turn it
on. It doesn't matter that the NSA probably has my fingerprints, in practice
it prevents most people from getting into my phone in a way that is
transparent and easy to use. If the spooks want my data, they can already get
it.

~~~
ajross
s/TouchID/Face Unlock/g and back up about 2 years and you can find all the
same things said about Ice Cream Sandwich.

It's a cute feature. It's not going to change the world, sell another billion
phones, push other companies out of the market, or save anyone from serious
attacks. It's probably a good idea to enable it anyway.

~~~
mikestew
Except TouchID, from what I gather, actually works. Not "works" in the sense
of keeping bad people out, but "works" in the sense that when I use it my
phone unlocks. I tried face unlock briefly on the Google Nexus I've got and
disabled it shortly after when I found that it was unreliable. Poor lighting,
too much lighting, a bad hair day, it wasn't even at 80% for successful
unlocks.

~~~
diminish
does touchid have the disadvantage of keeping your friends and family unable
to use your phone in cases of emergency? 95% of the time, my phone isnt next
to adversaries, but trusted parties. a password or code is transferrable,
fingerprint isnt.

edit; not 911emergency, but casual situations of full or dirty hands..

~~~
dbags
You can add ten fingers, or you can give them your code, or they can dial 911
with a fully locked phone. So no, it's slightly easier for a relative to use
in an emergency than a typical locked phone.

~~~
hfsktr
Mine when locked has a small touch section labeled 'emergency call'. I assume
it goes through to 911 (or relevant number). I'm tempted to press it but it's
not an emergency. I assumed most phones had something similar.

Edit: I went to it. I leads to a special dialer. Instead of voicemail the
button leads to a special emergency contact (or list). It only shows 4 inputs
on top so I am guessing that is the limit so you can't dial anything but
emergency services (that are 4 numbers or shorter). Then it goes back to my
lock screen.

------
sillysaurus2
I'm not so sure. How many people are motivated to dupe your fingerprints to
get into your iPhone? How many of those people could conceivably get into your
iPhone through other ways?

Fingerprints are a nice way to keep almost everyone out of your device. And
for the rest, well, I really doubt some other locking mechanism would've kept
them out.

~~~
adventured
What are people going to do when, in the all-too-near future, criminals begin
sharing and selling databases of stolen high resolution finger prints?

One theft isn't practical? How about a million? Driven by a never-ending
pursuit of monetary gain via crime; with criminals always happy to conquer the
latest technology wave. There's absolutely no reason to think that criminals
won't amass substantial finger print records just like they do any other
intimate information they can get their hands on, from SS numbers to
passwords. It's not a question of if, but when this starts becoming common.

All it requires is linking finger prints to something valuable at a mass
market scale, and that will drive an unlimited criminal demand for finger
prints.

It's not about the iPhone. It's about a consumer shift to finger prints as a
primary security feature, and whether that is sane (with the iPhone
potentially setting the trend given its cultural status).

~~~
rimantas
OK, you are a criminal and got 1000 000 fingerprints. You can start collecting
them right now, on every surface you have access too. Then what? You will
print them all using whatever technology required to fool fingerprint scanner
and try one by one? Wouldn't it be just easier to try and lift one off the
device itself?

    
    
      > It's about a consumer shift to finger prints as a primary
      > security feature
    

No. It's about shift from zero security (no passcode lock) to some security
(fingerprint). Yes it can be fooled but it is effective enough to stop casual
attacks. Just like lock on the most doors — no problem for a determined robber
but good enough protection from the opportunistic thief.

~~~
marcosdumay
In the not so distant future, collecting fingerprints will be just a matter of
writting malware, and uploading it. No need for labor intensive procedures
such as collecting them from real stuff.

Now, in that world, what will criminals use the fake fingerprints for?

------
kijin
The author is a maintainer of eCryptFS. For those not familiar with it,
eCryptFS is an encrypted filesystem used by several Linux distributions
(including Ubuntu) to protect your home directory and/or the entire disk. It
serves a similar purpose to TrueCrypt, BitLocker, FileVault, etc.

For the purpose of a full-disk encryption software, fingerprints are many
times weaker than a good password. The purpose of such software is to prevent
a thief, the cops, the NSA, or anyone else who takes possession of your
computer, from viewing the contents of your hard drive. A fingerprint won't
protect you from the cops, since your prints are already all over the place
and they can probably force you to provide a fresh copy anyway. In that case,
fingerprint logins would only give the user an illusion of security. So it's
understandable that the author doesn't want to enable fingerprint logins to
his software.

For the purpose unlocking a phone, on the other hand, a fingerprint is
probably good enough. The contents of the phone usually aren't encrypted, so a
determined attacker will just turn the phone off, pull out the SD card and/or
the internal Flash memory, and read everything off of it. Or if you're NSA,
forget the phone and get the data straight from Apple. TouchID is not for NSA-
proofing your phone, it's for deterring common thieves and pranksters.

tl;dr: I agree with the author that fingerprints are not a good fit for full-
disk encryption software. But I don't agree that fingerprints are completely
useless. It all depends on the type of attack you're trying to defend against.

~~~
pflats
I'm pretty sure that iPhones have encrypted their data since the 3GS. That's
how they "remote wipe" it. They send a message to the phone to delete the
encryption key.

~~~
kijin
AFAIK the encryption key is stored in plaintext unless you also set a passcode
(many people don't), and even if you set a passcode, most of the time it's
just a short number that would be trivial to brute-force in an offline attack.

Of course it's also possible to use eCryptFS with a four-digit passcode, but
it's strongly recommended against. The main difference between FBI-proof
encryption and pickpocket-proof encryption is not in the algorithms used, but
in the typical use case of each.

~~~
pflats
Yeah, I was specifically addressing "The contents of the phone usually aren't
encrypted". If you have a passcode (which is required for TouchID) then your
iPhone is encrypted.

You can definitely brute force it. I saw an article somewhere (probably here
on HN) addressing the fact. I can't find it, but if I remember correctly, it
said something about Apple or an associated company quietly offering forensic
help to police on bypassing the password. I think it implied they were using a
ramdisk to brute force the encryption.

edit: Found an Ars article about Apple doing it, but it doesn't mention
anything about a ramdisk. [http://arstechnica.com/apple/2013/05/apple-will-
reportedly-u...](http://arstechnica.com/apple/2013/05/apple-will-reportedly-
unlock-your-iphone-for-police-but-theres-a-wait-list/)

------
praptak
Not essential to the main thesis of the article, but still: _" But let's just
say you're okay with Apple sharing your fingerprints with the NSA, as I've
already told you, they're not private at all."_

Ok, they are not private but I'd still not willingly put them on anything
controlled by an US corporation. Govt sending their agents to collect my
fingerprints from glasses? Not feasible, too costly. Agency asking Apple to
fetch the fingerprints willingly provided by the population "just in case"?
Maybe not today and not tomorrow but in a few years? I wouldn't bet on them
not doing it. And once there you're just one false positive away from some
serious shit happening to you.

~~~
twoodfin
As others have joked: Imagine how much people would freak out if Apple devices
had a microphone or a camera capable of recording you surreptitiously!

If you're worried that Apple will roll over for the NSA, and that the NSA
will, at some point, be out to get you, the quantity of information they could
gather through backdoors on your phone is so astounding that it's hard to
understand why hashed fingerprint feature analysis would be the last straw.

~~~
praptak
To be clear - it's not about the scenario where NSA is already out to get me.
Obviously in this case the cost of getting my fingerprints the traditional way
doesn't matter anymore. It's the scenario in which NSA gets interested in me
because a) I made it easy for them to mass-harvest my fingerprints and b) they
happen to get a false match on a terrorists' ashtray or whatever. I'm not
convinced that the (hypothetically mass-harvested) material from the camera
and microphone has comparable potential for such a false match.

------
stephengillie
#66 on the Evil Overlord list:

 _My security keypad will actually be a fingerprint scanner. Anyone who
watches someone press a sequence of buttons or dusts the pad for fingerprints
then subsequently tries to enter by repeating that sequence will trigger the
alarm system._

Why not have the sequence remain the password, but also scan fingerprints? If
you have the wrong fingerprints (username), the right password still won't
work.

[http://www.eviloverlord.com/lists/overlord.html](http://www.eviloverlord.com/lists/overlord.html)

~~~
unfamiliar
"fingerprint or pin" means that when the fingerprint scanner doesn't work, you
can use the pin to unlock your phone. "fingerprint and pin" means that when
the scanner stops working, you are locked out. Apple has obviously decided
this is more of a risk/inconvenience than the extra security justifies.

~~~
stephengillie
I keep forgetting that this discussion is iPhone-focused. At this point, I'm
thinking about other systems too, such as ATM number pads or entry pads for
security gate/secure door systems. What if each button on the ATM was also a
very fast fingerprint sensor? (What if the ATM had a cleaning device built
in?)

------
emhart
"Once your fingerprint is compromised how do you change it?"

This is the central question for all biometrics for me and I believe one of
the hardest problems to solve. There are many people who believe they are
solving this by using ever more intricate biometric identifiers, thus
increasing the bar to reproduce them beyond what they believe currently
feasible. But I'm yet to see that central question addressed.

What happens when you lose control of a biometric key?

~~~
Zren
[https://news.ycombinator.com/item?id=6478343](https://news.ycombinator.com/item?id=6478343)

> they'd have a few attempts to unlock it with a fake fingerprint, and then
> they'd have to enter my code. And if they fail to enter my code 10 times,
> the phone is wiped.

I don't use it, but it seems there's a fallback password after __ failed
attemps.

~~~
emhart
I don't mean to say "what happens if you lose a finger" rather, what happens
when your biometric key has been compromised. You can only move on to so many
unique body parts before you're out of key changes.

------
santosha
A very good point. One of the most important things about strong
authentication schemes is the revocation protocol. When things go bad, how
easy and secure is the process of changing the auth mechanism? The trouble
with fingerprints is that you're stuck with them for life, even if somebody
else <pun> gets their hands on them </pun>.

~~~
x0054
Wouldn't the revocation process be very simple? If some one has acquired your
prints, just stop using touch ID? I mean, there are still 2 other
authentication options on the iPhone.

~~~
sk5t
That's a bit like saying "if someone has compromised your SSL certificate,
stop using SSL; how about Kerberos?"

------
roin
I'll be interested when someone breaks Touch ID in a real life theft. This is
not a simple process, it's not clear that a determined thief is even likely to
find a good enough print in a real life case, and you can't mess around
because after 5 failed attempts it will prompt for a password.

Touch ID will likely cover the vast majority of security use cases for iPhone
owners.

~~~
BrianEatWorld
I saw the CCC video and I think you are right, a suitable print being found on
the phone is a bit slim, although not impossible.

However, I think the point of the article is that you can change a compromised
password, you can't change a compromised fingerprint. As is mentioned, there
are plenty of databases with fingerprint information. Also, for the crowd that
is paranoid about government accessing their data, an authority might have an
easier time getting into a device when they already have your fingerprint as
opposed to figuring out your passwords.

~~~
mikeash
But you can change a compromised fingerprint, to a password.

------
rlpb
A phone screen unlock is not like passwords as used elsewhere. It has to be
short; otherwise it is impractical. We know that short passwords don't have
much entropy. We also know that we can examine the grease on the screen and
make a good guess as to what the password is.

If we consider phone unlocking mechanisms to be in a different "not fully
secure, but at least practical" category, then I think it's perfectly
acceptable to use a fingerprint as an unlock.

Mitigation is possible too. For example, the phone could lock out and require
a proper password if it detects tampering (which, AIUI from other comments,
the iPhone does).

------
rdl
I've been using TouchID for the past few days, although I'm going to disable
it before international travel. It works _amazingly_ well. It caused me to set
my unlock timeout to 1min vs. 5min.

The biggest annoyance is I keep holding my thumb on the home button on my
iPad, then get disappointed when I realize it won't work. I've probably done
that 20 times so far.

I really wish I could do "per context security" \-- requiring multiple
discrete factors based on action and threat. _That_ would be a huge innovation
for the iPhone, which would sell the next billion phones, if integrated with
Internet services and apps. In my house, maybe not require anything, or just a
thumbprint. In my car, same. In a coffeeshop, normal passcode after a few
minutes, unless the phone has just accelerated highly, in which case a much
higher passcode. At Customs in China, a passphrase held out of country. etc.

A bigger deal than Siri, if slightly less of a deal than Retina, and something
a team of 2-5 people could implement before iOS 8. I'd even be willing to work
at Apple to do it.

------
Evolved
I have my password set to wipe my iphone after only 3 incorrect tries but I
disagree about touchID being more convenient. You can be compelled to give
LEOs access to your device if it only requires your fingerprint. I can
conveniently forget my PIN if necessary.

Any good thief is going to swipe a phone and worry more about getting away and
less about unlocking it which they will do later. Furthermore, unless you're
jailbroken and have changed your default sudo credentials then your data isn't
all that secure anyway against someone with a computer and rudimentary
software. All of which can be done while the phone is off or in an area with
no service. That would also serve to defeat find my iphone as well.

------
Nzen
Above is by a "maintainer of eCryptfs" noting that we would otherwise leave
our passwords on everything we touch and without option when that password is
compromised.

I wonder though, is there a biometric facet that can surmount the bar of
unreplicable uniqueness? Contact lenses can fool iris scanners. Perhaps we
should make a dental impression sensor?

~~~
zwegner
Unique? Maybe. Unreplicable? I can't imagine so, we're all just a bunch of
molecules.

At some point in the perhaps-not-too-distant future, we will likely have very
sophisticated brain-scanning technologies, and combined with advances against
biometric methods, basically any form of authentication will be useless.

I have absolutely no idea how to get around this, and can only hope that our
society has advanced enough by that point that we don't need to keep any
secrets at all. Not much chance of that really, IMHO...

~~~
generj
That's an rather interesting idea. If you could get Cory Doctorow to write
"The Day the Password Died" from your prompt, I'd be very happy.

Synopsis: an evil government steals the private thoughts and passwords of its
citizens, most of whom are unaware of the threat. A few paranoid individuals
come up with increasingly bizarre biometric passwords, but the government has
secretly approved unauthorized (and speedy) cloning to bypass these
protections.

Finally, the freedom fighters use the government's own technology against it,
replicating the president's bio-metrics in order to shutdown and disclose the
program.

No meaningful political change occurs.

~~~
zwegner
That would be pretty cool. I can't imagine that nobody else has thought of
this idea before, though...

What _really_ scares me, though, is when we get to the point of not just being
able to read thoughts, but being able to write them. How would you ever know
that your memories and emotions have not been tampered with? As far as you
know, you've always loved your corporate overlords, and would never do
anything to work against them...

~~~
generj
Isn't that the point of 1984?

The protagonist is unable to make a physical record, and so must trust his
brain retain any proof of the government's wrongdoing.

However, the brain is a poor vessel for this - it can be manipulated and
tortured to discount information. And so, Winston ends up loving Big Brother.

Paper and bits are what we rely upon; there is a reason eye-witness reports
are trusted so little in comparison to physical evidence.

------
quarterto
Alternatively, fingerprints should be used as 2FA. They're something you have.
Supplement it with something you know (or that your encrypted password store
knows) and you're golden.

~~~
aleyan
Not quite right. Finger prints are considered "something you are". Always with
you, can be impersonated, but can't be changed. Something you have have would
be a key or a token, that can be changed if compromised.

Agree with the rest of your comment. Cocktail "something you are" with
"something you know" and "something you have" for potent results.

------
deckiedan
One issue here is that there is _no_ _way_ to give out unique
username/password pairs to each service.

If apple uses this, and google follows, and facebook, twitter, linkedin, my
paypal and CoolAppForYorFone(TM) and everything else, then _if_
CoolAppForYourFone(TM) scans my fingerprints, then they have access to
everything on all other accounts which use this info.

Once it becomes common, then on street corners, salespeople will ask your
opinion on things, "Hi! We're doing a survey this week for Vodaphone - just a
quick question - do you think people with android phones or iPhones have sex
more often?" and ask you to give a fingerprint to sign it. And most people
will.

Or "Hi! We're giving away 20 euros free credit today at PhonesForYou! Just
place your finger on the scanner here, and tell us your phone number and we'll
send it through!"

We're already trackable enough, why make it easier for scammers with scanners?

------
bowlofpetunias
4 digits pin codes aren't passwords either. Sometimes good enough is good
enough.

~~~
dragonwriter
> 4 digits pin codes aren't passwords either.

They have all the essential features of passwords, they are just weak
passwords.

Fingerprints can't be changed if compromised, and so they don't have the
essential features of passwords.

There is a difference between a weak password and not-a-password.

~~~
glitch003
>Fingerprints can't be changed if compromised

Sure they can, it's just really, really painful ;)

------
joshuahedlund
Fundamentally, a username and password are parts of the same thing - a
collection of information (often a string of text) that you need to get access
to something. The 'username' is usually just the part of that isn't
necessarily hidden.

Part of the problem is that Apple's iOS has no username, just a password.
Thus, one of the differences with a fingerprint 'password' that I haven't seen
much discussed is that it would make him harder to share that tablet with his
wife, since they can share one four-digit passcode, but not (as far as I know)
two different fingerprints. The fingerprint makes it much harder for the
popular family use cases between letting _one_ person in and letting everyone
in.

Edit: OK, cool, my comment is invalid.

~~~
gfunk911
You can setup multiple fingerprints (from multiple people) that can be used to
open the phone.

------
brianjlandau
This might be true for things that truly need to be secure (bank vaults, super
secret government facilities, etc.). Clearly in those cases just relying on a
fingerprint that could be compromised by motivated attackers is not enough.
But personally (and I imagine this is true for many users) I'm not trying to
secure my iPhone from highly motivated and skilled attackers. Those
individuals will probably be able to access the data on my iPhone fingerprint
or not. Given that, it just is a convenience feature, allowing me to secure my
phone from the everyday person trying to pry into my phone and give me access
much easier and quicker.

------
jneal
I don't lock my phone to keep out the NSA or the government. I suppose those
organizations would be able to easily crack in regardless. I lock my phone so
my child can't pick it up and mess things up. Or to hopefully deter potential
robbery. Thus, I think TouchID is great even though I do agree with the OP. If
I had something like my primary computer that I needed to keep very secure,
I'd shy away from using my fingerprint.

------
robomartin
I can't help but think that there's a whole segment of HN readers who are
thinking as single men. In the context of a family with kids this is a very
different thing. My kids have access to my phone and my wife's --which are not
locked in any way. I have access to my kid's iphones, ipods and ipads. Having
devices locked to fingerprints in any way would be a nightmare. If you have
really young kids, its a logistical mess.

I can see it working just fine from the context of a single and otherwise
unattached individual. That'd be OK.

...until you have an accident and someone needs to figure out who to
contact...but they can't get into your phone.

...or, until you lose your phone and whoever finds it actually wants to figure
out who you are in order to return it.

...or any number of other scenarios where you actually want other people to
access the device.

There's also the angle of trust. What's your significant other going to think
when he/she can't get into your phone without your fingerprint?

Again, I can see it being a really convenient tool for some people. Not sure
it is a universally useful thing.

~~~
lucozade
Funny, I have teen/pre-teen children and my reaction is the exact opposite.

I, mostly unsuccessfully, ban the children from having passcodes on their
devices so that I can do backups, act as communal spy for various parents etc.
They, on the other hand, mostly add passcodes (then change them regularly) so
that their siblings don't go onto their phones and change the wallpaper to
amusing photos, delete Minecraft etc.

Having Touch ID whereby only they, me and their mother can access their
devices is manna. And it makes confiscation substantially more meaningful,
assuming you can switch individual prints on and off.

I can't wait, although, as I'm too cheap to ever buy them the latest gear,
it'll be a couple of years before this particular paradise occurs.

~~~
robomartin
Perhaps I am missing something. Are you saying TouchID aalows you to register
multiple fingerprints for access to a device?

With regards to the kids ignoring your requirement to not have passcodes.
Well, what can I say, my kids do as i say, perhaps a different approach is in
order? For example, my kids know they should not play any computer games
during the week. On Saturdays they can play as much as they want. During the
week it's academics, mindstorms and good old-fashion go outside and get dirty
play. I've never had to enforce the rule. In general terms i think kids
respond well to rules and schedules so long as these things are fairly and
consistently applied.

------
baddox
> _I could see some value, perhaps, in a tablet that I share with my wife,
> where each of us have our own accounts, with independent configurations,
> apps, and settings. We could each conveniently identify ourselves by our
> fingerprint. But biometrics cannot, and absolutely must not, be used to
> authenticate an identity._

I am not seeing the distinction. What exactly is the difference between an
"identification" and an "authenticated identification"? With the family
tablet, the fingerprint is still acting exactly like a password, and the
reason the author is okay with it is because it's a password that's not
protecting anything terribly important. Why not just have profiles that are
selectable without any authentication? That would probably also work for a
family tablet, but the fingerprint might be preferable to protect some info
from your family members (even completely innocent things like shopping for
gifts). Of course your family members could easily lift your fingerprint and
bypass the biometrics, but it doesn't matter.

------
mathattack
I was thinking that fingerprints would be phone numbers. Imagine getting calls
routed to any phone that has been validated by your thumb print.

------
mixmastamyk
Uhhh, what?

    
    
        Of course, there are civil liberties at issue as well, since Apple could
        potentially share the information collected with governments.
        http://truthseekerdaily.com/2013/09/exclusive-apple-admits-iphone-5s-fingerprint-database-to-be-shared-with-nsa/
    

This link has many of the hallmarks of bullshit, but it still spooks me.

~~~
emhart
Link references a satire site. Disappointed to see it's still got legs.

------
kojoru
But wait, the alternative is 4-digit PIN. How exactly is 4-digit password with
only digits secure? How easy is it to see it over the shoulder?

The answer is: pretty easy.

Both phone locking technologies are not about securely protecting data, they
are about preventing the phone from casual looks when you are away for 5
minutes and left your phone. And TouchID does a better job for this case.

------
jryle70
Most of the comments seem to assume TouchID as implemented today will remain
the same in future. Here are a few scenarios that I imagine it may evolve to:

1) Unlock using multiple fingers; 2) Unlock using the same finger repeatedly,
but with different pauses between taps, e.g. two short taps, followed by one
long tap; 3) Unlock using finger gesture, for example press your thumb, then
move clockwise 45 degree; 4) Unlock using a single finger, the iPhone sends a
passcode to your iWatch with which you can use to enter.

Such uses of fingerprint would be much more secured, yet still relatively
convenient. Losing your fingerprints wouldn't really be a big problem. You
only need to change the sequence.

To further the idea, iOS may offer multiple accounts. Family members may have
access to a "guest" section, whereas the phone owner has full access.
Fingerprints can be used to unlock the appropriate accounts.

------
duncanwilcox
Realistically 1) most people don't use a PIN code, 2) those that do use their
birthday MMDD or DDMM.

If you think someone where you work/live might have to tools to lift your
fingerprint from a beer bottle or spacebar, you probably have more serious
problems than the contents of your iPhone.

I'm sure security nuts will put their iPhone in a shielded box with a coded
lock on it, in addition to using (and painfully entering on each unlock) a
high entropy passphrase that's as long as possible.

More power to them.

TouchID is a good enough to prevent my daughters from seeing the naughty texts
I send to my wife (none of your business either), and that's more or less the
level of security TouchID is designed for.

------
jk211e
then don't use it. For me, it far outweighs having to type my password in
everytime.

~~~
lightbritefight
I don't think anyone cares what level of security you are personally
comfortable with. If you are fine with its weaknesses, go for it.

However, those of us that set security on company devices are very interested
in the quality of different methods, and are glad to as many learned opinions
on the matter as possible.

------
transfire
A fingerprint is a perfectly acceptable means of authentication for low
security needs (read: most needs). For higher security it serves well as one
of multiple authentication layers, e.g. a fingerprint AND a pin code.

------
wooster
Flagging due to him pointing to an obviously fake story to support his
position.

~~~
evan_
Maybe you should say what story he's pointing to that's obviously fake?

I'm sure you mean the "Apple is sharing fingerprints with the NSA" link...

~~~
wooster
Clearly.

[http://www.theguardian.com/technology/2013/sep/27/no-nsa-
iph...](http://www.theguardian.com/technology/2013/sep/27/no-nsa-
iphone-5s-fingerprint-apple)

~~~
marcosdumay
Well, I've never heard anywhere that Apple was sharing the fingerprints with
the NSA. As far as I know, nobody said that... It's just the obvious* default
assumption.

And the matter of default assumptions is that you need evidence that they are
false. Apple denying it is no evidence. But yeah, the point about the
microphone and camera stands.

* And it is obvious, no point is arguing against that. When everybody makes the same assumptin the first time they have a new piece of data, the assumption is obvious.

~~~
wooster
"As far as I know, nobody said that"

The OP linked to an article which said that, which sourced from the article
referenced by the link to the rebuttal I posted.

"And it is obvious, no point is arguing against that."

No, it's really not obvious. Apple made very specific claims about the
functionality of their product. Unless you can prove those claims wrong,
you're just spreading a conspiracy theory.

------
adnam
All security is based on either something you know, something you have,
something you are, or a combination of the three.

\- A username is something you know.

\- A password is something you know.

\- A pinpad is something you have.

\- A finger print is something you have.

~~~
greiskul
\- A finger print is something you are. _

~~~
adnam
You can copy finger prints rather easily, they are something you have.

------
wesleyac
This is a great point, but I'd love to see a passcode system that isn't
vulnarable.

The "swipe puzzle" things (I'm not sure what to call them.)? I've been able to
see people enter them once and unlock their phone. Passcodes? Even if people
used secure ones, with a combo of looking while they're entering it and the
smudges it leaves, it's not that hard to get.

Those are the 2 most frequent models of password input I've seen, both flawed.
Any ideas for a better one?

------
ijk
Something you have. Something you know. Something you are. The point is to
have more than one, not switch one for the other.

~~~
pekk
You are just repeating a dogma, not explaining why it is not good to think of
a fingerprint as a username.

~~~
jerf
It's not a username. It's a fingerprint.

Usernames are how we indicate an identity to a computer. (Note "an" identity;
identities do not one-to-one map to humans.) Identity is what we are trying to
establish in the first place; if we simply _knew_ you were authorized to use
an identity we wouldn't need auth in the first place. Having a matching
fingerprint is _evidence_ that an authorized user is authorized to use that
identity. Knowing a username is not. They are not the same thing. Fingerprints
are not perfect auth, but they are auth of a sort; usernames aren't auth at
all.

~~~
slantyyz
>> Having a matching fingerprint is evidence that an authorized user is
authorized to use that identity.

Considering that you leave your fingerprint everywhere you touch with your
bare hands, is that really true?

~~~
jerf
There is a reason I chose the word "evidence" and not the word "proof". Yes,
it is evidence. No, it is not proof.

Further note that possession of a password ("something you know") is also
merely evidence, not proof. Also, "something you have" is not proof either;
having a token is merely evidence, not proof. We have no method of proof. If
that is the standard you are looking for, then I have some bad news: It is
impossible to meet that standard. If we did have a direct method of proof-of-
identity, we would not have to talk about evidence. We would simply use the
proof.

Yes, it is possible to fool even a three-factor authentication system, with
enough work. That's why its important to understand that security is _not_
about absolutes; it's about raising the cost of penetrating the security above
the value of the thing being protected. Which is also why fingerprint
protection is just fine for rather a lot of iPhone users; what's the payback
for cracking a fingerprint scanner, just to get access to a metaphorical
Grandma's phone? If you are concerned that the value of what is on your phone
exceeds the costs of penetrating the fingerprint scanner, then use more
authentication. It's about costs & benefits, not absolutes.

Would someone care to explain how the observation that fingerprints are indeed
a form of auth, but usernames are not (often they are fully, intentionally
public information!) is false, and therefore the entire premise of the post's
title is incorrect, with something other than the downvote button? I'd really
like to hear the explanation of how that's not true.

~~~
slantyyz
>> what's the payback for cracking a fingerprint scanner, just to get access
to a metaphorical Grandma's phone?

Well, if said Grandma is _rich_ and is sharing dirty selfies with someone she
doesn't want Grandpa to know about... being able to steal and use that
information will probably be worth much more than the value of the phone
itself.

~~~
jerf
By definition, if Grandma's phone contains high-value information, then it
contains high value information. In that case, Grandma should take more steps
to protect her high value information. Yes, if you just rewrite the premise to
the question, the answer changes.

This is some really sloppy thinking you're engaging in here. Rewriting
questions to obtain the desired answer is a very dangerous cognitive habit to
get into.

------
stevewillows
In this argument we are trying to find a balance between convenience and
security - - but it's not possible. Anything that is easy for me to do to
unlock a phone can be faked and/or hacked.

I'd rather just have an NFC chip hidden on my body that I had to tap the phone
on before entering a numeric value on a randomized keypad.

------
lnanek2
About the only person I use even a pin lock around on my phone is my
girlfriend, and that's just because she gets upset if I communicate with any
girl. Fingerprint is fine for that purpose. Anything else I wouldn't bother
locking it at all, I'd just disconnect the phone from my accounts if it is
ever lost.

------
Evolved
Wiping a phone in dfu mode removes the password as well. I learned the hard
way when I forgot my pin and had to wipe and restore.

It also bypasses activation lock because phones sold overseas are usually sold
to countries that do not subscribe to the national blacklisted imei database
and this won't block the device on their network.

------
nilkn
> Fingerprints are Usernames, not Passwords

No they're not. A username is something you intentionally give out to other
members of some community so they can identify you. A username is by
definition not secret at all, and it must necessarily be easy for others to
replicate. It is not easy to replicate a fingerprint.

------
speedyapoc
> But let's just say you're okay with Apple sharing your fingerprints with the
> NSA

Can we stop with this BS already?

------
devx
Makes sense. Just like in a PGP web of trust, where that key is your _unique_
identity, so will these fingerprints be. But it's a lot riskier to use them as
your passwords (either against the NSA or other dedicated hackers).

------
pbreit
Have there been any attempts to ascertain PINs by analyzing the finger residue
left on touch screens? That strikes me as something that would be pretty easy
(for an expert with the right gear), especially if patterns were used.

------
joeblau
Fingerprints are passwords, they just aren't good ones. Just like "password"
is a password and not a good one. Your phone number is your username.

------
woah
Here's the thing folks- this is not an alternative to having a 16 digit
passcode. this is an alternative to not having a passcode at all.

------
SloughFeg
Only the mind is secure. I think this is all fairly obvious: we need to build
thought reading technology to have entry-less authentication.

------
therandomguy
How about, "fingerprints are pass codes that I don't have to enter 200 times a
day, which I currently do"?

------
ihenriksen
The only thing different between a your fingerprints and a password is that
you can change your password...

------
ionwake
Sorry for the possibly stupid question.

Why do we not just use passwords to log into things? Why do we need a Username
too?

~~~
curiousdannii
Because otherwise everyone using "password" as their password would have to
share an account!

------
cynoclast
That's a great way to tl;dr my tirade against biometric security. Is the link
worth reading?

------
Mordor
Wife (not a techie) says she wants Android now, so there's no one stealing her
fingerprints.

------
liquidise
This article is missing its own point. Username+password combinations are
nothing but an identification means. Fingerprints solve the same purpose.

The issue this article _should_ be trying to shed light on is one of
inadequate fingerprint scanners, not that fingerprints themselves are
compromised. Make a scanner that requires epidermal prints, and go from there.

------
obilgic
I agree! Imagine yourself being drunk or having a deep sleep. Anyone can
unlock your phone.

------
curiousdannii
The best thing in this article is the list of things-that-turned-out-to-be-
bad-ideas!

------
hosh
"Fingerprints are usernames" <\-- that is an excellent insight.

------
pbreit
OP too hung up on theory to see that TouchID works well in practice.

------
imtu80
Agreed 100%

------
gesman
Well said!

