
Fingerprints Are Usernames, Not Passwords (2013) - sc90
http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
======
Karunamon
Something I feel that's always missed in these discussions is context: Who is
the adversary you're attempting to protect against?

Your kids screwing around with your phone? TouchID does the job.

Random people screwing around with your phone if they find it? Same thing.

Government gets ahold of it? Yeah.. notsomuch.

Considering that the primary adversaries of an average smartphone user are
other mere mortals, not dedicated spy agencies, a fingerprint login strikes a
very good balance between usability and security.

Consider the alternative - either requiring a standard alphanumeric password
on unlock (just about zero usability), or a 4 digit pin code (less usable than
the fingerprint while providing identical, maybe slightly less security than
that option), or more likely than not, _no password of any kind_ , the whole
touch ID thing is a _massive_ jump forward in the security posture of the
average iOS user.

Most iOS users I know have it enabled simply because it means they don't have
to keep re-keying their app store password.

~~~
mcv
Still, I'd rather not give hardened criminals a reason to cut off my fingers.

~~~
skierscott
Touch ID only works for a minute or two after your finger is cut off. Touch ID
reads the blood vessels, not the fingerprint, meaning it only works for a
minute or two after the finger is cut off.

~~~
gknoy
I'm not really interested in being the one on whom someone learns that,
though.

~~~
seunosewa
Very few thieves would go that far, and they would almost certainly give you
an opportunity to unlock the phone for them instead. Most people would take
that opportunity.

~~~
TheSoftwareGuy
Exactly. It doesn't matter how strong your password is when there is a gun in
your face.

~~~
jenscow
Ideally, you will have one that is easy to remember.

------
baffledbysmall
I always get the sense of cognitive dissonance when I read security researchers
and advocates write about passwords and fingerprints. If you have access to my
device, you have access to my physical person, and my physical person will
freely give up any password because no secret I have is worth my life. This
isn't Hollywood, I'll give up my password with even the hint of physical
violence that could maim or otherwise affect my quality of life.

Fingerprint readers, as Apple uses them per device backed by a strong high
entropy password, are good enough for securing the average person's access to a
device.

My physical security, something much more dear to me than my secrets, is
protected not by keys and tumblers, but by a 1/4 inch of glass that can be cut
through in seconds with $5 from the hardware store. Even the key and lock can
be circumvented with a rubber mallet and a bump key, or a set of picks. So why
use them? Because locks keep honest people honest, and those looking to cause
you harm will cause you harm, regardless of what digital security you use.

~~~
jrochkind1
I think you take the right approach to true security risk analysis.

But there are all sorts of cases you leave out.

Someone might very well have access to your device without having access to
your physical person. Because your device was lost or stolen.

Someone may very well not be willing to threaten you with physical harm, but
be willing to hack your device. (Not every adversary is from a Hollywood movie
either!)

Law enforcement agencies may not be legally allowed to compel you to reveal
your password, but legally allowed to hack your device.

Etc.

~~~
baffledbysmall
Perhaps, but I feel that anyone sophisticated enough to replicate my
fingerprint perfectly before it reverts to password only, and to do so before
I'm able to make a remote wipe, and able to even find my fingerprints (lost
phone) and to be lucky enough that the fingerprint is the one I used to secure
the device, makes this a sufficiently low risk to the average user in my
opinion.

If you're at odds with an American TLA, your 4 digit pin isn't going to slow
them down at all.

Besides, the entropy on the average 4 digit pin is really low, it has a
greater chance of using 5, 6, 8, and 9 for righties, and 4, 5, 7, 8 for
lefties. Combine this with repeated finger grease blobs, and I don't feel
anyone can logically argue that a pin is a sufficiently more secure option
compared to a fingerprint.

~~~
baffledbysmall
Sorry, I should amend that last statement to be using the model Apple is using
with its Touch ID, where the fingerprint simply authenticates use of a high
entropy password stored on the device, and the datum of the fingerprint is not
sent.

------
ggreer
His argument proves too much. If he thinks fingerprints are too insecure to be
allowed, then he must think the same of low-entropy passwords. Yet I don't see
him advocating that Ubuntu force users to choose high-entropy passwords and
rotate them regularly. If he's fine letting users choose a low level of
security by picking simple passwords, why not also let them choose to auth
with fingerprints?

Also, I think he misconstrues the purpose of Touch ID. It's not meant to
completely replace passwords.

There are three categories of authentication methods:

1. Something you know (password, combination, challenge responses).

2. Something you have (crypto token, phone, key).

3. Something you are (fingerprint, face, DNA, etc).

Methods can be combined for added security. All three have advantages and
disadvantages. Passwords are typically chosen by users, making them weak. Good
crypto tokens are hard to copy, but loss or theft can mean getting locked-out.
Biometrics are convenient, but can't be revoked. Also, some activities can
make them hard to read.[1]

Apple uses all three authentication methods in the iPhone. Touch ID is for
basic access. The passcode is for admin-level functionality like erasing or
restoring the device. Lastly, physical access to the phone is required to
decrypt important data such as Apple Pay's Device Access Numbers. This gives
typical, non-technical users a sane combination of security and convenience.
If thieves and scammers start copying fingerprints, Apple will change their
auth mechanisms.

1. I love Touch ID, but it takes a while to work again after I rock climb or
lift weights.

~~~
lostcolony
I'm sure he -does- think low entropy passwords are bad. However, once
compromised, those can be changed. That's the point. (Plus, passwords aren't
routinely collected and shared by governmental agencies. Just throwing that
out there).

As you say, with Apple's TouchID, you are actively choosing a less secure
method to access your device, for convenience. But...that's also pretty close
to what the author said. "Biometrics can be used as a lightweight,
convenient mechanism to establish identity, but they cannot authenticate a
person or a thing alone."

His point is that for things like system access to a Linux box, or to
unencrypt data (eCryptfs, the software he helps maintain), biometrics is far
too insecure.

~~~
knorthfield
I think convenience is important in this comparison because that generates a
context in which TouchID is actually more secure, because it's more likely to
be used than remembering and typing a passcode/phrase. Apple have shown the
usage stats. There is also the inconvenience for attackers of reproducing a
fingerprint through an elaborate process, which again makes TouchID more
secure (in my opinion) in practice than a password/phrase.

While theoretically less secure, I would say TouchID in practice is more
secure for average users. But in the case where there is the motivation I
would agree with you.

~~~
lostcolony
Right, and I don't think the author necessarily disagrees with the idea of
including TouchID in Apple products as an alternative to 'completely
unlocked'.

As the author indicates, "This isn't a knock on Apple, as Thinkpad have
embedded fingerprint readers for nearly a decade. My intention is to help stop
and think about the place of biometrics in security."

The danger is viewing biometrics as a secure alternative to passwords; it's
not. But comparatively few people are technically inclined enough to realize
that; with Apple embracing it for convenience, we run the risk of people not
understanding the security implications; the author saw evidence of that when
asked to implement biometrics for file encryption, which is a terrible idea.

~~~
JoeAltmaier
I think I remember the issues: good passwords are arbitrary, hard to guess,
can be changed at any time, are used for one purpose only. Biometrics
(fingerprints) are none of these things.

------
CyberMonk
I don't think many (outside of perhaps Apple PR?) have argued that fingerprint
security is great, absolutely speaking. Relatively speaking, however, it _is_
great, as many phone owners would otherwise not have any sort of locking
security on their devices at all. Yes a fingerprint unlock is hackable, but
it's a lot less hackable than your phone being open from the get go.

~~~
Tyrannosaurs
I think Apple are pretty aware of the limitations - they don't accept TouchID
on first login after a restart, for the first purchase after a restart, if
it's been 48 hours since an unlock or for resets/major config changes. For
that you either need the PIN or, if you've opted for more security, the
password.

Overall it feels that Apple's take is for day to day login it's better than a
four digit PIN and it's better than no PIN.

~~~
redwall_hp
>they don't accept TouchID on first login after a restart

That's because the hash of the print is stored on an encrypted volume of some
kind, which requires your regular password to decrypt after a cold boot. Once
the hash is in memory, the fingerprint can be used instead.

~~~
kosmopolska
I'm not sure I'm following what you're saying 100%, but based on this [1] I
don't think the fingerprint hash is ever in memory. The TouchID camera sends
the fingerprint hash directly to the secure enclave, where it is compared to
the one saved there, and then the secure enclave sends a yes or no to memory,
at least that's my interpretation.

1. http://support.apple.com/kb/HT5949?viewlocale=en_US&locale=en_US

~~~
whafro
I believe he meant "once the [password] hash is in memory"

------
mrcwinn
Everything about this article is well-intentioned — and wrong.

"much as a your email address or username identifies you, perhaps from a
list."

Your email address or username _may_ identify you, but it also may not. Your
fingerprint absolutely identifies you and only you.

"For authentication, you need a password or passphrase. Something that can be
independently chosen"

A password is a secret phrase. We're used to thinking about passwords in terms
of strings, but anything secret that I know about would serve the definition.
In fact, like a character-based string password, I can even make a copy of my
fingerprint password and store it somewhere if I wanted a backup.

A fingerprint is both a username and a password. Trying to hold some analogy
between Touch ID and traditional username/password combinations doesn't hold
and it completely misses the point of the innovation.

That's why it's convenient, and skepticism of civil liberties aside,
convenience means better security because people will use it.

~~~
matt_kantor
> Your fingerprint absolutely identifies you and only you.

The whole point of the article is that this isn't true. Fingerprints are
trivial to obtain and copy with sufficient fidelity to beat modern fingerprint
readers.

- http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

- http://www.heise.de/video/artikel/iPhone-5s-Touch-ID-hack-in-detail-1966044.html

- http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable.htm

- http://www.instructables.com/id/How-To-Fool-a-Fingerprint-Security-System-As-Easy-/

------
tigereyeTO
Dustin Kirkland gets it.

Simplifying his post, there are 3 reasons biometrics are terrible for
authentication:

1. Every piece of biometric data is inherently public. (Fingerprints, facial
geometry, hand geometry, even DNA)

2. Biometrics require an error threshold as our bodies are always changing
(that's like typing a 20char password and having only 15 of them be correct.
That's fine! Let them in anyways with 5 incorrect characters)

3. Key revocation. I can change my passwords and locks if you get a copy of
my passwords or keys... but once you have a copy of a biometric identifier I
cannot use that again for the rest of my life.

Well done, Dustin.

~~~
GhotiFish
I actually like 2. I wish more things used 2.

My keys are plenty strong, but when I mistype a strong key (which is plausible
seeing as I can't see what I'm typing) then I'm fine with sacrificing some
strength to just accept it. My key is already well beyond practical attack
anyway.

That said, if you WERE to use something like 2, you'd have to be much more
diligent about enforcing good passwords, also you'd have to come up with some
kinda scheme that could work with "close enough" and not reveal information
about the password.

~~~
dysfunction
Even assuming 2 is a good idea, I have no idea how that could be implemented.
A major desirable property of a good password hashing algorithm is that
slightly differing inputs should produce wildly differing hashes, and the
login authenticator should only ever know the password hash and not the
password itself.

~~~
GhotiFish
I know. I've been thinking about how to do it; currently it involves having N
hashes where you generate them like:

    
    
      echo -n "password" | md5sum
      5f4dcc3b5aa765d61d8327deb882cf99  -
      echo -n "assword" | md5sum
      297dbe7699dcfa60609bf9e667e2e4dc  -
      echo -n "pssword" | md5sum
      537319a7934aea9825d1af85df588fde  -
      echo -n "pasword" | md5sum
      22e5ab5743ea52caf34abcc02c0f161d  -
      echo -n "pasword" | md5sum
      22e5ab5743ea52caf34abcc02c0f161d  -
    

etc., then check the submitted password by testing it against these hashes by
removing characters in the same fashion.

Just as an early idea.

I think it's a good idea, what if you could encourage users to use stronger
passwords by telling them that "the system will forgive near misses, so don't
be afraid"?
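
An added worked example of the deletion-neighbourhood idea sketched above. This
is my code, not GhotiFish's, the article's, or anything Apple or Ubuntu ship: it
stores one digest for the password and one for each single-deletion variant,
swaps the md5 for a salted PBKDF2 and compares in constant time. The password,
salt and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Demo iteration count (an assumption for this example; raise it in practice).
# A slow KDF matters more here than usual: every stored neighbour digest is one
# more target an offline attacker can crack, all under the same salt.
PBKDF2_ITERATIONS = 50_000


def deletion_neighbours(s):
    """Every string obtained by deleting exactly one character of s."""
    return {s[:i] + s[i + 1:] for i in range(len(s))}


def _kdf(salt, candidate):
    return hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def enroll(password, salt=None):
    """Store one digest for the password and one for each single-deletion
    variant, all under the same random salt. Sorting hides which digest is
    the real password's."""
    salt = salt if salt is not None else os.urandom(16)
    variants = {password} | deletion_neighbours(password)
    return {"salt": salt, "digests": sorted(_kdf(salt, v) for v in variants)}


def verify(record, attempt):
    """Accept the exact password or a near miss: one character dropped,
    added, replaced, or moved (adjacent swaps included).

    A dropped character makes the attempt itself a stored variant; an added
    one makes a deletion of the attempt equal the password; a replaced or
    moved one makes a deletion of the attempt equal a deletion of the password.
    """
    candidates = {attempt} | deletion_neighbours(attempt)
    matched = False
    for cand in candidates:
        digest = _kdf(record["salt"], cand)
        for stored in record["digests"]:
            # Constant-time compare and no early return, so timing does not
            # reveal which variant (and hence which character) matched.
            if hmac.compare_digest(digest, stored):
                matched = True
    return matched


if __name__ == "__main__":
    rec = enroll("correct horse")
    for a in ("correct horse", "corect horse", "correct hor5e",
              "corretc horse", "correct"):
        print(repr(a), verify(rec, a))
```

Two costs follow directly from the construction: the number of stored digests
grows with password length, each one a separately crackable target, and the
accepted set is much larger than a single string (every string that shares a
deletion with the password, not only Levenshtein distance 1). The tolerance is
paid for in a few bits of strength, which is why, as the comment above says,
it only makes sense alongside a stricter minimum-length policy.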

------
M4v3R
This article is from 2013. While things didn't change a lot (this year's
TouchID was broken as well IIRC, though I've heard it got a little better),
it's hardly news.

Also, I don't think even Apple advertises its fingerprint scanner as a
replacement of passwords. It is a replacement of 4-digit PINs, and for that it
is far more secure. While members of CCC have the knowledge of lifting a
print, most people do not have this knowledge or tools. And if you notice your
phone is stolen, you can always log in to icloud.com (with your password, you
cannot use TouchID there) and lock down/reset your phone immediately.

------
higherpurpose
How about the user gets the option to add NFC pairing to strengthen the
security of the fingerprint. Once the user sets both up, then he won't be able
to login until both are recognized for authentication. It should be hassle
free if that NFC pairing comes from a smartwatch or smart-band and he just
picks up the phone with that hand. The NFC authentication should happen
automatically without thinking about it.

The NFC would essentially function as an OTP 2nd factor (or FIDO U2F if that's
better) to the fingerprint being the "password".

------
adamlett
In the case of Touch ID, please consider that in order to circumvent it, you
not only have to be able to fool the Touch ID sensor, _you also have to have
physical access to the device_.

~~~
Raphmedia
Depends. If you use Touch ID on an app, you could use your own iphone and fool
its scanner.

~~~
adamlett
No, you couldn't. That's not how Touch ID works. Apps never get access to the
fingerprint or have any way to interact with the Touch ID sensor except to ask
it to authenticate the owner of the phone, ie. yourself.

------
IanCal
As with many things, it depends heavily on _what you're using it for_. Not as
pithy for a title though, I suppose.

 _No_ amount of information entered into a computer fully proves it's you and
not someone else. A fingerprint provides some information, as does a password.

This sounds like a fairly useless distinction, but hopefully this will make
sense:

If all we're doing is trying to prove we're us and not someone else, why do we
need a username at all? What added bonus is gained from having a completely
public bit of information?

Well that's because:

1. People are bad at picking passwords; if everyone picked a 2000 character
random password and kept it secret we'd not really need anything extra.

2. You can't inform people if they've picked the same authentication as
someone else, so you prefix it with a per-user unique value which you let
people know will be public.

I don't really see fingerprints as a username or a password. They're just
another hint to the system that it's probably you, and you can use any
combination of those three depending on what you actually care about.

For example:

I don't have a username on my phone to unlock it, just a password.

I have a username and password for HN.

I have a username, password _and_ physical auth device for work-related
logins.

The latter two are fairly obvious as differences in how important it is that
I'm verified to be _me_, the former is because I mostly want my phone to
distinguish between _me_ and _my pocket_.

> But biometrics cannot, and absolutely must not, be used to authenticate an
> identity.

This is incredibly context dependent.

My pithy one liner:

All absolute statements are flawed.

~~~
icebraining
I think that's all irrelevant. Passwords can be compromised and must be
changeable - that alone makes fingerprints a bad choice.

~~~
adamlett
A bad choice for what? Your fingerprint can only be used to access a
particular device in the case of Touch ID. It is worthless if you don't also
have physical access to the device. And it's a lot easier to tell if your
device has been compromised because it means that you no longer possess it, in
which case you can simply remote wipe it. To reiterate: Possession of your
fingerprint alone does not allow someone to access your bank account or log
into your webmail.

~~~
icebraining
_Your fingerprint can only be used to access a particular device in the case
of Touch ID. It is worthless if you don't also have physical access to the
device._

Or any previous device you might have had with Touch ID. Unless you change
your fingerprints when you get a new phone.

 _And it's a lot easier to tell if your device has been compromised because
it means that you no longer possess it, in which case you can simply remote
wipe it._

Which can easily be subverted by simply disallowing the phone from connecting
to the Internet. A "faraday bag" costs a few bucks. Assuming TouchID doesn't
prevent you from logging in without Internet access, of course.

~~~
adamlett
_Or any previous device you might have had with Touch ID. Unless you change
your fingerprints when you get a new phone._

Or... You could wipe your old phone when you get a new one.

 _Which can easily be subverted by simply disallowing the phone from
connecting to the Internet._

Perhaps, but you know what they say: If a (determined) attacker gains physical
access to your device, all bets are off. But at least you would know if you
lost your device. A password OTOH could be compromised without you knowing.

Also, I am only saying that Touch ID is at least _as secure_ as a
username/password authentication scheme. If you want more security (perhaps
because your adversary is someone who would go to the lengths of manufacturing
a fake finger to fool a Touch ID sensor and also get a Faraday Bag to prevent
you from wiping your device), then you should perhaps consider using 2-factor
authentication.

------
dlwj
I agree with the below comments. These types of papers are always emphasizing
rigor over actual experience.

Many types of "100%" security fail because of this disconnect. Forced rotating
passwords or long ones with required symbols and number? Most people choose to
have easy to remember ones (e.g. pass1, pass2, pass3) or it's so difficult to
memorize that they'll write it down somewhere nearby.

The points are important, but they're directed at consumer products. I wonder
how the same person would look at bike-locks...which even with the most
expensive locks are only a deterrent given the right tools.

------
specialp
Fingerprints are not bad for _local_ authentication. For instance if phones
become more used for payment I would expect my phone to contain a secret key
for payment that is unlocked easily which a fingerprint could do. So in order
to compromise this they would need to get both my private key and my
fingerprint. If my private key were compromised, I could then get another key.
The article is right though that fingerprints should not be used as the sole
means of auth for the sheer reason that they cannot be changed.

------
mikeash
Fingerprints aren't passwords. They also aren't usernames. They're
fingerprints, and they have different characteristics from both usernames and
passwords.

Rather than try to shoehorn fingerprints into our existing terminology, let's
look at what fingerprints can do and what implications they provide, and then
use them accordingly. The article sadly fails to do this.

------
dschiptsov
Just no. Since old times fingerprints were used as a unique _signature_, not
a unique _id_.

Unique id could be something as silly as

    
    
      sha256(concatenate(full-name,date-of-birth,place-of-birth))
    

or just any unique number, like cell phone number.

Again, a fingerprint or an image of a retina is a _signature_ or password not
an _id_ or username.

------
phantom784
Can a fingerprint even be used as an encryption key? I'd imagine that the
reader doesn't generate the exact same data on every scan, and to get a
"yes/no" requires seeing if the scanned print is within a certain margin-of-
error of a stored print.

------
linuxhansl
Typically security involves three things:

* Something you have (like an access card or badge)

* Something you know (like a password)

* Something you are (like a fingerprint, iris scan, or simply a photo)

Fingerprints are a bit weird as you do in fact leave them around everywhere.
Like iris scans, I would qualify them as better photographs.

------
4684499
Passwords are not passwords, they are usernames. It's part of the
combination that identifies you, but unlike usernames, it's hidden by design.
Fingerprints are like passwords, they can't be easily copied and be reused
somewhere else, for now.

~~~
noko
I came to say essentially the same thing, but not quite. Fingerprints are not
like passwords. You can't reset them or change them.

Something you know: Username/password Something you have: security key/phone
Something you are: fingerprint/facial recognition

Those are three factors of authentication. Can anyone think of others?

------
clubhi
I think fingerprint should still require a password after a duration. I'd be
fine with using my fingerprint to login if I have recently logged in in the
last few hours.

------
unknownBits
Good post, this is so true. Fingerprints should only be used as id, if at all.
Like 'icebraining' said: Passwords can be compromised and must be changeable.

------
ccozan
Why not both?

First, a fingerprint is unique, also serves as _identification_.

Secondly, a fingerprint is secure to a very high degree - cannot be easily
stolen and duplicated, always is with you and so on. Thus, it serves as
_authentication_ too.

EDIT: to the downvoters and critics: what you describe is using an _excess_ of
effort to get my fingerprint (technically, using force, etc.). If I see a
password, I can use it immediately; if you see my finger, there is a long way
(in terms of steps) until you can use the fingerprint attached to it. And
btw, I am not defending Apple here.

~~~
wnkrshm
Fingerprints can easily be acquired, if that weren't the case they wouldn't be
extensively used in crime scene investigation. When fingerprints were supposed
to be used as authentication, together with an ID card, in Germany, the German
Chaos Computer Club acquired the fingerprint of the minister of the interior
from a used glass and spoofed a reader with it by transferring the print to
some adhesive tape.

~~~
gambiting
I think what op means is that if you find someone's password, you can type it
into their device and you are in. Total breaking in time < 30s. If you find
someone's fingerprint, you need to make a copy of it, scan it at high
resolution, prepare a good printout and only then you can use it. Total
breaking in time >1h.

~~~
wnkrshm
While that's true, you can change a broken password, you can't change a
fingerprint that easily.

------
shittyanalogy
We know, apple knows, everybody knows. Marketing.

This feature gives them some great marketing, and it works.

