
Fingerprints are usernames, not passwords (2013) - l1n
http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
======
paulannesley
Fingerprints are not passwords, but I don't think it's useful to think of them
as usernames either.

This is a much more pragmatic take on it by Troy Hunt, the person behind “Have
I been pwned?”: [https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pra...](https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pragmatic-security/)

> The first point I'll make here as I begin talking about the 3 main security
> constructs available is that they're all _differently_ secure.

~~~
ballenf
They are as much a password as the key to your house is a password.

And agree that Troy's description is best as it takes us away from unhelpful
metaphors.

~~~
foo101
If you believe your key has been compromised (say duplicated), you can change
the lock and your key.

If you believe your fingerprint data has been compromised, can you change your
fingerprint data?

~~~
zwily
What exactly does “fingerprint data has been compromised” mean? Someone lifted
my print off a glass?

~~~
bodz
Lifted it off a glass/phone/anything else you touched. Or it can be
"compromised" in the same way your SSN can be compromised through hacking. The
millions of people who were exposed in the OPM hack all have records of their
fingerprints now floating out on the darkweb somewhere.

------
abalone
Why is this getting reposted? I’d argue this is very shortsighted especially
coming from a security professional. TouchID has been a huge leap forward in
consumer device security.

Security design must take into account usability. Fingerprints (and now faces)
make it easy to use stronger passcodes. If you don’t use biometrics, people
use weak passcodes. That’s clearly a worse outcome.

Sure, it’s even stronger to not use biometrics and enter a strong high entropy
passcode every time you want to unlock your phone. But to actually advise
something like that as a better approach in a consumer device than TouchID is
simply to advocate a guaranteed worse security outcome. Maybe you “cover your
ass” as a security acolyte and blame the compromised user for not following
your stringent prescriptions, but that’s not owning the outcome. You have to
consider usability.

~~~
russdpale
Considering the law can compel you to use your fingerprint to unlock a device,
it cannot do the same for a passcode, which only lives in your head.

For this simple, pragmatic reason alone, a pass code will ALWAYS, 100% of the
time, beat out any supposed biometric security advantage.

Usability only goes so far, otherwise we wouldn't even have doors on our
houses.

~~~
abalone
First of all TouchID is layered on top of a passcode, so you still have good
protection from being compelled to provide a fingerprint.[1]

Second, you’re missing the point. Passcodes do not “always 100% of the time
beat out” biometrics if the passcodes are weak or nonexistent. Which was the
case prior to TouchID.

[1] [https://www.theverge.com/2017/8/17/16161758/ios-11-touch-id-...](https://www.theverge.com/2017/8/17/16161758/ios-11-touch-id-disable-emergency-services-lock)

------
ballenf
No, they're really not either. The whole username vs. password debate is like
asking whether the key to your house is a username or password.

Biometrics are used as the key that unlocks a device (or app or asset within
the device). And like the house they require physical proximity. And, yes,
just like the house key there's a decent chance that someone who lives near
you has the same key type (device type -- apple/samsung/lg/etc.) and keying
(fingerprint data points) on their front door (phone).

But those odds are basically irrelevant as an attack surface.

For a native app on a phone the "username" is proxied to the device id, once
linked to the user.

I think the article being 4 years old reflects a 4-year-old fear of the new
and misapprehension of where security problems would arise in the future on
biometrically locked phones.

~~~
SomeStupidPoint
I can rekey my house locks, I can change my password, I can.... what my
fingerprints?

The reason that fingerprints are a username is that they're a static value
associated with the identity of the person, which is later impossible to
change.

There's no reason you can't _also_ use a username as a password (though there
are lots of reasons you shouldn't), but it's clear that fingerprints are
closer to username than password.

By contrast, the key to your house is clearly a password -- it's a changeable
value used to authenticate to a mechanism that you're authorized to operate.

~~~
freehunter
> I can rekey my house locks, I can change my password, I can.... what my
> fingerprints?

Years of poor security have taught us that we need our authentication to be
easily changeable in order to be secure. It's not true. Passwords need to be
changed because they can be guessed. They can be leaked. Any person sitting
down at any keyboard could type any random string of characters and, given
enough time, figure out someone's password. It doesn't work the same for
fingerprints. There is no number of times I can press my finger on your
scanner and trick your scanner into thinking I am you. Your fingerprint only
needs to be changed if someone steals your finger and keeps it in a state
where modern fingerprint scanners will still recognize it. That is exceedingly
difficult to do.

We need to get it out of our mind that "we change our passwords regularly, we
should change our fingerprints too". Bad security advice led to routine
password expiration, and that bad security advice lives on. It's still bad.

>it's clear that fingerprints are closer to username than password

That is not clear in any way, either in theory or in practice. The entire
argument works on "fingerprints are publicly visible and cannot be changed"
which would suck for a password, but fingerprints are not a password. That's
why there's an entirely different name for it. Yes, I can see your
fingerprint. But TouchID isn't going to be fooled by a piece of scotch tape
lifted from your desk, so it doesn't matter.

Fingerprints are neither a username nor a password. They are a uniquely
identifying attribute. Usernames and passwords are not. There is no comparison
between the two authentication systems.

~~~
SomeStupidPoint
> There is no number of times I can press my finger on your scanner and trick
> your scanner into thinking I am you.

Or I could print random patterns on gel circles I put on my finger and try
until one works, which is the equivalent of your password example. (There are
digital equivalents of spamming fingerprint reader values to the security
chips, which in practice are faster.)

It's exceedingly easy to try a fake fingerprint, and even if it weren't, it
would still be possible to generate fake signals between the sensor and
verification chip or fake signals to the sensor. There's no difference here
between fingerprints and passwords.

> Passwords need to be changed because they can be guessed.

lol, no.

Passwords need to be changed when they're compromised -- a good password is
exceedingly hard to guess, to the point we should never expect it to happen,
but they can be leaked through other means.

Similarly, you leave your fingerprints _everywhere_. So you actually leak your
fingerprint values constantly while leaking password values only occasionally.
This makes passwords substantially more resistant to capturing the value
out-of-band than fingerprints.

> we change our passwords regularly,

This isn't best practice and isn't what most of us do; we change our passwords
when they become compromised, which happens through a variety of mechanisms.
(Or when we suspect that they may be compromised.)

> Bad security advice led to routine password expiration, and that bad
> security advice lives on. It's still bad.

Everyone knew this was bad, and NIST recently updated their recommendations
against routine password expiration. However, that has nothing to do with what
we're talking about in terms of username-versus-password status for
fingerprints.

> it's clear that fingerprints are closer to username than password

> fingerprints are not a password

Well, I'm glad we agree.

> But TouchID isn't going to be fooled by a piece of scotch tape lifted from
> your desk, so it doesn't matter.

But it is fooled by easy-to-produce prints placed over my finger based on the
Scotch tape lifted from your desk. This has routinely been demonstrated with
fingerprint scanners, including on iPhones.

> They are a uniquely identifying attribute.

That's what a username _is_, lol.

I'm going to recommend you learn more about most of these things before you
make security recommendations, because you were factually wrong a few times,
and made erroneous conclusions based on that.

~~~
freehunter
Your opinions are based on exceedingly bad and outdated security practices,
and you seem proud of this for some reason.

I'm wondering what you might say if you were living in the time when cars
began to replace horses. Would you have said cars were a terrible mode of
transportation because they won't defend themselves against a thief and don't
consume hay?

~~~
SomeStupidPoint
I would appreciate you pointing out specific practices you think I have wrong,
and what the right ones are for those issues.

~~~
freehunter
[https://news.ycombinator.com/item?id=15254291](https://news.ycombinator.com/item?id=15254291)

~~~
SomeStupidPoint
Yes, your argument is based on the idea that fingerprints can't be leaked in
practice, which is false.

It's worked for years against a variety of scanners, and is likely always
going to be viable because of how scanners work -- a thin overlay can be made
of things that are indistinguishable from a finger surface to the scanner, but
which triggers the critical points.

If you think that's changed in the past few years (which you seem to), I would
appreciate something a little more substantive than your random comment on HN.

------
dustinkirkland
Original author here. This article is more pertinent today than ever before!

Your face is your username, not your password.

Use it like you use your username. But never as something secret, personal,
unknown like your password.

The same goes for any biometric. Fingerprints, voice, iris, gait, DNA, etc. No
matter how much they try to sell you authentication through biometrics, it's
total b.s.

@DustinKirkland

~~~
curun1r
I said this in a previous thread [1], but I'll restate here:

Your face or fingerprint is neither your username nor your password. It's a
form of identity. The combination of username and password is another form of
identity. A certificate chain is another form of identity. Not all forms of
identity are separated into two components like username and password. And
different forms of identity have different properties and applicability.

Trying to shoehorn a form of identity like a face or a fingerprint into the
username/password template is counterproductive and will only add unnecessary
confusion. Please stop. Dumbing down security and removing the nuance is how
people get it horribly wrong.

Security is very dependent on context. Authenticating with a phone is very
different from authenticating over the internet which is very different from
authenticating in a situation where you're physically present with another
human being (credit card, bank teller, etc). Authentication schemes need to be
designed for the specific use case in which they're used and no rule is
universal.

[1]
[https://news.ycombinator.com/item?id=15233454](https://news.ycombinator.com/item?id=15233454)

------
bandrami
Fingerprints are tokens, just like usernames and passwords.

Oddly enough, from a trust calculus standpoint usernames are not particularly
valuable; we could do away with them entirely and the logic of authentication
wouldn't change (though usernames add some very nice logistics that from a
practical standpoint we don't want to give up).

At a very basic level, a single token suffices to authenticate: something you
have, know, or are does prove you are who you claim to be (usernames just give
a convenient handle to that). So, a 1TP from a fob, a password, or a
fingerprint at a very basic level is enough.

~~~
Spooky23
Huh? Usernames are essential as they scope the credential.

If you just uttered the magic word to a service logon page, anyone uttering
the word gets in.

You see the weakness in this type of scenario with Touch ID. If my wife's
fingerprint is on my phone, she can access my Touch ID enrolled banking app.

~~~
bandrami
> anyone uttering the word gets in.

Right. That's how a speakeasy works. It's the most basic form of authorization.

------
kibwen
This overly simplifies things. Passwords are primary authentication,
biometrics are secondary authentication. Biometrics should only be used when a
password has already been established, and then only as a shortcut to entering
that password; furthermore, authenticating via biometrics should put one into
a limited-access state that disallows tampering with primary authentication
mechanisms. The result is that anyone spoofing a fingerprint would be unable
to completely own another device.

The tradeoffs inherent to this are well-described elsewhere: a lower degree of
absolute security in exchange for a higher proportion of users with _any
security at all_; in lieu of the convenience offered by biometric
authentication, enormous swaths of users leave themselves wide open. And since
biometrics are just a convenience, anyone who does require absolute security
can easily choose to forgo them entirely.
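
The layering described in the comment above, sketched as an added example (it is not part of the thread and is not any vendor's implementation). The `Device` class, its method names and the opaque template IDs standing in for a sensor match are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from enum import Enum


class Access(Enum):
    LOCKED = 0
    LIMITED = 1  # unlocked with the biometric shortcut
    FULL = 2     # unlocked with the primary passcode


class Device:
    """Toy model (hypothetical names). A biometric match is simulated by
    comparing opaque template IDs; real sensors do fuzzy matching."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._pass_hash = None
        self._templates = set()
        self.access = Access.LOCKED

    def _kdf(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def _require_full(self, action):
        if self.access is not Access.FULL:
            raise PermissionError(f"{action} requires a passcode unlock")

    def set_passcode(self, new_passcode):
        # First-time setup is allowed; any later change needs FULL access.
        if self._pass_hash is not None:
            self._require_full("changing the passcode")
        self._pass_hash = self._kdf(new_passcode)
        self.access = Access.FULL

    def enroll_biometric(self, template_id):
        # Biometrics exist only as a shortcut to an established passcode.
        if self._pass_hash is None:
            raise PermissionError("set a passcode before enrolling biometrics")
        self._require_full("enrolling a biometric")
        self._templates.add(template_id)

    def lock(self):
        self.access = Access.LOCKED

    def unlock_with_passcode(self, passcode):
        if self._pass_hash is None:
            return False
        ok = hmac.compare_digest(self._kdf(passcode), self._pass_hash)
        if ok:
            self.access = Access.FULL
        return ok

    def unlock_with_biometric(self, template_id):
        ok = template_id in self._templates
        if ok and self.access is Access.LOCKED:
            self.access = Access.LIMITED  # never upgrades to FULL
        return ok


if __name__ == "__main__":
    d = Device()
    d.set_passcode("constructed sample passphrase")
    d.enroll_biometric("owner-finger")
    d.lock()
    print(d.unlock_with_biometric("owner-finger"), d.access)
```

A session opened with the biometric stays in `LIMITED`, so a spoofed print cannot replace the passcode or enroll a second template.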

------
ruytlm
Thoroughly agree, though more from a philosophical standpoint. I would argue
using biometrics as passwords removes an element of intent.

A fingerprint can be used against your will; it is significantly harder to be
forced to use a password that exists only in your mind.

~~~
tpeo
That's a very interesting perspective! But you must recognize that it's a very
abstract approach, no?

I mean, when someone identifies themselves through biometry, there's clearly
an element of intent. And if they write down passwords on sticky notes, or
anywhere else really, it's about as available as a fingerprint is, if not
more.

~~~
ruytlm
When someone identifies themselves, yes; what about when we identify others
through biometry?

The scene I'm reminded of is the one in Minority Report(?) where the main
character is walking through a bank of bio-sensing ad displays, and has to not
look at them to make sure they can't identify him from his iris/retinas.

As an analogy, imagine you take a picture of someone at an antifa vs. alt-
right protest that turns violent.

All the picture tells you is they were there; it doesn't tell you whether they
supported antifa, or supported the alt-right; it doesn't tell you if they were
there as a police officer trying to keep the peace, or if they were simply
trying to get in the front door of their apartment building when a clash broke
out outside.

The biometry reveals their presence - it doesn't reveal their intent.

~~~
tpeo
I was really thinking of biometry as used in a more ordinary situation, like a
laptop fingerprint reader. With the most likely form of malicious behavior
here being that of identity theft by a small-time attacker. Having to dodge
biometric sensors or trying to avoid having your photograph taken at a protest
are more an issue of surveillance, either by government or by private
citizens.

Sorry for not making myself clear at first, but what I mean is that passwords
aren't a sufficient guarantee of intent either. If anyone has access to them,
they can spoof someone's identity. I reckon that this doesn't really fit a
civil rights discussion, because we haven't (I think) reached such a point
yet, but a government-backed attacker might spoof someone's identity in order to
either infiltrate or hijack a civil organization. Essentially, a virtual mole.

------
ModernMech
I see this argument a lot, but I don't really see it accompanied by an
argument about what the passwords should be. Companies are gravitating toward
biometric authentication methods because consumers have "password fatigue".
They can't memorize a long secure password for every site, app, and device, so
they resort to using a single password everywhere (which may or may not be
displayed on a Post-it note stuck to their monitor).

All this article offers is:

> For authentication, you need a password or passphrase. Something that can be
> independently chosen, changed, and rotated.

Okay, so fingerprints aren't passwords, but what we need instead are
passwords, which we know don't work either. Best practices for password
security are ignored by consumers because they're onerous, and biometric
authentication seems to be insecure by default. What's the solution then?

~~~
alphaalpha101
Just use a password manager with a single long secure pass phrase you can
remember.

~~~
ModernMech
That falls under the "too onerous" category I think. I'm not speaking for
myself, but for the fact that password managers exist, and yet we still have
issues with password security. So that doesn't seem to be a fix for the
problem.

We're really fighting human nature here, so maybe the solution is
psychological, rather than technological.

------
oliwarner
Something you have. Something you know. Something you are.

The problem with the third factor has always been a balance between cost,
inconvenience and how easy it is to turn it into just another something an
attacker has.

Retinographic analysis is gold standard but it's hellishly expensive.
Fingerprints can be copied. Easily. Facial and behavioural analysis sit
somewhere in the middle, with too much scope for false negatives.

So fingerprints aren't a username or password because they're not that
factor... But used alone, they can be as weak as a username, in many senses.

------
jakelazaroff
This argument seems especially dated in retrospect. Since Apple introduced
Touch ID in 2013, I can't recall even _one single case_ of criminals or law
enforcement using biometrics to access someone's iPhone. Same for any other
phone manufacturer.

~~~
jlgaddis
One such case: [http://www.businessinsider.com/police-3d-printed-a-dead-mans...](http://www.businessinsider.com/police-3d-printed-a-dead-mans-finger-to-unlock-his-iphone-2016-8)

~~~
nomel
This sounds like an Apple Watch feature! Watch removed, or your pulse stops for
more than a few minutes, or your pulse goes too high without physical activity
(adrenaline), a passcode is required for all devices on next use.

------
nodesocket
Agree about fingerprints, as they are left around everywhere and thus easy to
capture. However, FaceID should be significantly better. As Apple talked
about, FaceID only works when your eyes are open and also tested/hardened
against modeling.

------
therobot24
this is a common argument by those who do not understand biometrics

a biometric is a username _and_ a password

- yes, i know the purpose is to say that the biometric should be used as a
password, but that changes the declarative statement quite a bit in my opinion

~~~
alexhornbake
I think it's a common argument for people who think biometrics are a bad idea
for security.

IE. You can change your password, you can't change your thumb/face/biometric
(easily).

At best, a fingerprint establishes identity, therefore it has more in common
with a username, driver's license, social security number, etc. than it has in
common with a password.

~~~
freehunter
>At best, a fingerprint establishes identity

Nope. At best a fingerprint establishes identity in a unique and authoritative
manner. My name is an identity, and anyone can say or write my name. My SSN is
an identity, and anyone can say or write my SSN. No one else can speak, type,
write, or otherwise express my fingerprint. That is far beyond simple
"identity".

~~~
TeMPOraL
> _No one else can speak, type, write, or otherwise express my fingerprint._

Neither can you. You can only show your fingerprint for inspection - and _so
can anyone else_.

And, unlike SSN or even your name, you leak fingerprints (and facial info)
everywhere, all the time.

~~~
freehunter
>Neither can you.

That's the point. It's not something I know, it's something I _am_ and only
_I_ am that thing.

And unlike a password, if you want my fingerprint you have to be physically
near me, and if you want to authenticate as me you need my authentication
hardware. A Brazilian hacker isn't going to unlock my iPhone without first
flying to the US and then locating me in both space and time to gain access to
my fingerprint and my phone simultaneously. But with a password, they could
easily go to www.gmail.com and type whatever they want from the comfort of
their own home.

------
Fej
Yes, but the author is preaching to the choir. The real problem here is educating
the public at large as to why it's insecure and in what situations biometrics
are unacceptable.

~~~
IshKebab
Is it? I'd say the public has a pretty good intuitive idea of the security
properties of fingerprints. Better than the author here anyway who seems to
think fingerprints are as easy to copy as usernames.

------
grzm
Discussion at the time (257 comments):

[https://news.ycombinator.com/item?id=6477505](https://news.ycombinator.com/item?id=6477505)

------
TwoBit
I'd rather use my fingerprint on my phone than have a hacker look at the
finger oil smudge patterns on the glass to decipher my password. And with my
fingerprint I don't need to worry about hiding my password entry.

------
fujiters
I don't even like the idea of biometrics for user names. I don't want
malicious actors to easily correlate distinct accounts (this guy's fingerprint
has an account at Facebook, Reddit, Chase Bank, ...).

------
wavefunction
I am more than the checksum of my whorls and curves, sir/madame!

~~~
TeMPOraL
Not to the Machine, f45875e0b18fa3bb81e0739952acbea9ed458113. Get in line.

------
devdoomari
+1 on this

though I use fingerprints on my laptop, I'm quite aware that it's really easy
to leave any fingerprint anywhere

(I use it because I type slow)

------
13of40
My mother's maiden name and the color of my first car are also usernames.

------
jrimclean
Biometrics are for identification. Passwords are for authentication.

------
jkaljundi
In the same way SSNs in the US are usernames, not passwords.

