
> As serious as the info above is, it’s only scratching the surface. Per the reports linked to earlier, there’s also biometric data relating to fingerprints in the system. This contains column names such as these:

> PRINT_FLAG, FINGER_INFO, FINGER_TOPO_COORD, QUALITY, MATCHING_FINGER

> The values within there can be quite detailed and I’ve no reason to think that this isn’t indeed legitimate print data uniquely and biologically identifying the owner. You don’t get to reset that stuff once it’s been released into the wild!

That's one of the biggest dangers in using biometrics as a factor in authentication. Once it leaks (and keeping data safe is one of the hardest tasks in today's world) there is no changing, no resetting; it is out there and rendered useless at best or a vector for identity theft at worst.




The whole notion of using fingerprints for authentication is weird. Essentially something that's akin to a username is being used as a password.

I wrote about this practice the other day[0]. It's interesting to observe that when Apple announced Touch ID, for example, it was presented as something with improved security.

0: https://hugotunius.se/2016/04/11/why-i-disabled-touch-id-and...


Touch ID is like a bike lock. It won't stop a sophisticated attacker, but it's enough to stop your coworkers from reading your messages, and it makes the phone worthless for thieves.

The biggest advantage of Touch ID is that people who never had a passcode on their phone now use it.


The problem with passcodes on mobile phones is that you need to enter them so often that shoulder surfing becomes a problem.


Thank you! Yes, absolutely. People need to learn the difference between "secure, in theory, in a perfect world" and "secure enough, in practice, in the real world". Just about every disagreement in this thread is between two people who are talking about two entirely different concepts of security.


That's a good point. For people who never had a passcode it's a big step up in security. It definitely depends on what the threat model is. If you are protecting yourself from coworkers it might be enough (depending on who your coworkers are). If you are protecting yourself against state-level actors such as the FBI it's probably pretty worthless.


It doesn't on its own, but the secure enclave (that was created, in part, to keep biometrics data secured) sure does.


I think Touch ID does improve security in practice for most people, because it makes it practical to use a proper password for your phone, rather than a four-digit passcode or no passcode at all, as most people did before.

You have to consider the limitations it has as well. An attacker could potentially lift your fingerprints and use it to unlock your phone. But they only get five chances to fool the sensor before Touch ID disables itself, and they have to do their work within 48 hours of when you last entered your password.

As with all things security, the important question is what sort of threats you're defending against. For the scenario where I lose my phone or I get mugged, Touch ID is fine. If I'm defending against police seizing it as evidence, it's probably fine. I'd be surprised if the police could move quickly enough to make the deadline. For police encounters I know about ahead of time (like passing through customs), it's easy to shut the phone off to temporarily disable Touch ID. The only scenario where it likely fails is a targeted attack by someone with sophistication, like if the FBI thinks I'm a terrorist, and I'm not particularly worried about defending against that.

Note that your six-digit PIN doesn't necessarily save you here either, although it would buy time. Whatever the FBI did to the infamous San Bernardino iPhone would probably work on yours in a longer but practical amount of time.

People often say that fingerprints are usernames, not passwords. I don't think that's very useful. A fingerprint doesn't fit inside the old username/password ideas, it's something different from both, with its own unique properties.



That comic is irritating. Most people are far more concerned with lost devices and opportunistic theft than they are worried about targeted theft or malicious actors with wrenches. Encryption reduces the pain of the lost or casually stolen device, it doesn't have to resist a wrench to be useful.


eh, it's a comic, all the nuances of security problem are hard to fit in a two panel punchline - but highlights the same thing, that the threat model is not the same for everyone.


>it's something different from both, with its own unique properties.

No, it's a username that is physically tied to the user. If I can get that data (fingerprint) then I don't need to go through the usual rigmarole of password hacking.

Fingerprints are literally "one factor auth".


That doesn't mean that they're usernames. You can say this about passwords too: if you can get that data (password) then you don't need to go through password cracking, and they're literally "one factor auth."

Consider an example. Imagine if HN authenticated based only on the username. Could you get into my account? Now imagine if HN used fingerprint authentication. Would that make it harder?


Your analogy only works if usernames were stored in a secret database, not displayed publicly.


Why?


Because this is the assumption behind using fingerprints as authentication.


That's my whole point. Usernames are public info, passwords are private, and fingerprints occupy a weird in-between world where they're sort of public but difficult to obtain and difficult to use if you're not the one whose fingers they're on.


Though nothing's perfect. Has anyone in practice managed to steal anything at all by hacking Touch ID?


It's not really about hacking Touch ID. Apple has published a really thorough whitepaper[0] on the security of Touch ID and the secure enclave. I don't really think that hacking the Secure Enclave to extract fingerprints is even possible.

The problem I see is using fingerprints which are unique to your person, unchangeable, and spread around us in a very liberal fashion as passwords.

Imagine for a second that the San Bernardino iPhone had used Touch ID, don't you find it highly plausible that the US government would be able to find a good fingerprint that could be used to unlock the phone? I guess they even had his body at hand so it would have been dead simple.

0: https://www.apple.com/business/docs/iOS_Security_Guide.pdf


> Imagine for a second that the San Bernardino iPhone had used Touch ID, don't you find it highly plausible that the US government would be able to find a good fingerprint that could be used to unlock the phone? I guess they even had his body at hand so it would have been dead simple.

That is a very good observation and puts Touch ID in perspective. If you died today would you be OK with your family and/or friends being able to unlock your phone and go through all your personal data? Sure, there may be genuine reasons for them to do so, but still, all your data will be at their fingertips, and even if you "trust" that they'll limit themselves to only looking for the relevant information to get your things in order, they still have to sift through a lot of data you may not want them to.


Touch ID has been hacked in various ways - I think you can use a photo derived from someone's hands and it's probably possible from fingerprints on the phone. Then again passwords can be grabbed, locks can be picked and so on. It would seem to me that what is effective in practice is what counts. I mean yeah, for San Bernardino they probably would have got a fingerprint, but they got the data anyway, so does it matter?


Pretty sure the only time TouchID was hacked involved a lot of equipment and painstaking work to create a fake finger. A photo of someone's hands is almost certainly insufficient.

In other words, citation needed.


TouchID isn't that great at identifying a real finger vs a fake. Someone was able to bypass it using only items that you could buy at a local RadioShack and a laser printer within 48 hours after it was released.

http://www.heise.de/video/artikel/iPhone-5s-Touch-ID-hack-in...

I can't find it now but not long after that another group found an even simpler method of printing out a fake print, I did find a much more recent attack based on just using a special conductive ink cartridge in a regular inkjet to directly print something on paper that would work. Bottom line is that it doesn't take a lot of fancy equipment, supplies, or skills to print a fake fingerprint that will fool TouchID.

https://www.youtube.com/watch?v=fZJI_BrMZXU

As for "a photo derived from someone's hands", I'm not sure what they meant, but if you had a photo that could make out the ridges of someone's fingerprint then yeah, absolutely.


Do you think they would have figured all of that out before the phone disabled Touch ID at the 48-hour mark? I'm rather doubtful myself.


You are right, that's an oversight of mine. Didn't keep the 48 hour thing in mind when writing that comment. My bad


As other responders pointed out, Touch ID is definitely an improvement over the status quo, and strikes a reasonable balance between security and convenience. But more relevant to the GP's point in re Touch ID is that Apple doesn't have a database anywhere of fingerprints, and the Secure Enclave is very difficult if not impossible to retrieve data from. In other words, this is biometric ID done as rightly as possible with today's technology.


I'm inclined to agree that it's an improvement over the status quo for people that didn't use passcodes from before.

I do trust Apple more than many other entities and as you say they don't have a database with fingerprints. Further the secure enclave is definitely a secure piece of engineering.

As is evident from the linked article, though, the problem isn't Apple; the problem is all the other databases that will have your fingerprints. As Troy says in the article:

> The values within there can be quite detailed and I’ve no reason to think that this isn’t indeed legitimate print data uniquely and biologically identifying the owner. You don’t get to reset that stuff once it’s been released into the wild!

Once your fingerprints leak somehow there's no way to reset or change them. To me at least it seems like a really poor idea to use something with those properties as passwords.


Yeah, wow. That's an aspect I've never considered before. I suppose because I figured they would need my actual fingerprint to crack the system, but if you have the values for all the "basis vectors" of the fingerprint that are stored, one could theoretically bypass the sensor and feed the proper sensor output to the authenticating machine. The issue grows larger as this method of authentication grows in popularity.


Definitions can blur since biometric data can play more than one role.

A username can identify (but not authenticate) an individual, biometric data can do both, whereas a password is nothing by itself. It’s only meaningful in conjunction with an identifier as a shared secret in order to authenticate.


Given today's legal climate, this is what I have come up with as a compromise.

* PIN to unlock the phone, no Touch ID. Phone set to self-erase after x attempts.

* TouchID to only unlock 1Password. 30 char master password

* TouchID used for nothing else.

I would welcome any feedback if there is something that I have missed.


> Once it leaks

Leaking? Why do you need a leak? Just follow somebody and wait until he touches something, preferably a glass in a pub or something similar.


One requires targeting a specific individual, but you have a specific goal in mind for those prints. The other involves obtaining several people's fingerprint data. From there, you can figure out what you can actually do with said data


You are right, thanks for the answer!


Your username is even appropriate...

I am very worried by Brazil's push to require biometric fingerprints to vote, AND voting being mandatory...


Considering you need to provide fingerprints to request all sorts of documents, what would the government be able to do that they aren't already able now?

Here's a list of documents you need to provide fingerprints, off the top of my head:

– National identity card (RG), mandatory for all citizens over 18 years of age;

– Military conscription certificate (CAM), mandatory for all male citizens over 18 years of age;

– Voting card (Título de Eleitor), mandatory for all citizens between 18 and 65 years of age, encouraged for all citizens over 16;

– Employment record book (Carteira de Trabalho), mandatory for any formal employment;

– Passports

Also, as of at least three years ago in the state of Rio de Janeiro, some of these were already computerized.


> Considering you need to provide fingerprints to request all sorts of documents, what would the government be able to do that they aren't already able now?

If they already have fingerprints, and now fingerprints are suddenly required for voting, that makes election fraud easier for the government.


How does it make it easier than doing everything the same except not requiring fingerprints?


If you've convinced people that fingerprints prove a person was there and voted, then you have additional weight for your fraud.


In my state these were all just printed on the document (at least last time I had to make documents).

You cannot "hack" a piece of paper easily...

But with mandatory voting + mandatory fingerprint to vote, you just turn that database into a giant juicy target; an attacker can be sure that all voters will have fingerprints there.


Do you have any assurances your paper documents were not immediately scanned? Do you know what kind of access controls are enforced on the file cabinet they're stored in? Are they susceptible to a janitor who gets approached by a shady dude with a briefcase of money? The larger point I'm trying to make is that this is no longer something you have control over and have no guarantees about who else has a copy of it, and therefore should not be relying on it being kept secret, and moreover should assume it has been compromised.


You can require biometrics and still not record them. Just use them as a hash lookup into a keystore. The biometric itself would only exist on the server for a few cycles while the key was being looked up. (Very similar to the way credit cards are done)


Just use them as a hash lookup into a keystore.

This is intuitively appealing, but do biometrics really boil down to an exact number that we could hash like this? (Genuine questions; I don't know.) It seems more likely to me that biometric measurements would be considered to "match" when they're within particular tolerances. This is an operation you can perform on the original measurements, but not on hashes of those.


There is a cryptographic tool called a "fuzzy extractor" that solves this problem (c.f. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, by Dodis, Reyzen and Smith [0]). At enrollment time, you compute some (non-sensitive) data P = Enroll(biometric). Then every time you compute Recover(P, biometric') you will get the same (high-entropy) output, as long as biometric' is close enough to biometric.

[0] https://www.iacr.org/archive/eurocrypt2004/30270518/DRS-ec20...
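To make the "hash lookup into a keystore" idea above and the fuzzy extractor in this comment concrete, here is an added example (not code from the thread, the paper, or Apple). It implements the simplest code-offset construction from the Dodis/Reyzin/Smith paper: a random key is encoded with an error-correcting code, XORed against the biometric template to produce public helper data P, and Recover(P, biometric') decodes the key again as long as biometric' differs from the enrolment template in fewer bits than the code can correct. The server keeps only P and a hash of the key, never the template. The 80-bit template, the repetition code and the key size are assumptions chosen to keep the example readable; a deployment would use a real biometric feature encoding and a proper BCH or Reed-Solomon code.

```python
import hashlib
import secrets

# Toy parameters (assumptions for the example): 16 key bits, each repeated
# REP times, giving an 80-bit "biometric" template. The repetition code
# corrects up to (REP - 1) // 2 = 2 flipped bits in each 5-bit block.
KEY_BITS = 16
REP = 5
TEMPLATE_BITS = KEY_BITS * REP


def _encode(key_bits):
    """Repetition code: each key bit is repeated REP times."""
    return [b for b in key_bits for _ in range(REP)]


def _decode(code_bits):
    """Majority vote per block; blocks with more than REP // 2 flips decode wrongly."""
    return [int(sum(code_bits[i:i + REP]) * 2 > REP)
            for i in range(0, len(code_bits), REP)]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _extract(salt, key_bits):
    """Strong extractor stand-in: hash the salt and recovered key bits."""
    return hashlib.sha256(salt + bytes(key_bits)).hexdigest()


def enroll(template):
    """Enroll(biometric) -> (public helper data P, derived key).

    P = template XOR encode(random key). Storing P reveals nothing about the
    key beyond the entropy the template already lacked; the template itself
    is not stored.
    """
    assert len(template) == TEMPLATE_BITS
    key_bits = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    helper = {
        "sketch": _xor(template, _encode(key_bits)),
        "salt": secrets.token_bytes(16),
    }
    return helper, _extract(helper["salt"], key_bits)


def recover(helper, template_prime):
    """Recover(P, biometric') -> derived key, equal to enrolment's if close enough.

    P XOR template' = encode(key) XOR (template XOR template'), i.e. the codeword
    plus the bit errors between the two readings; decoding removes the errors.
    """
    assert len(template_prime) == TEMPLATE_BITS
    noisy_codeword = _xor(helper["sketch"], template_prime)
    return _extract(helper["salt"], _decode(noisy_codeword))


def flip(template, positions):
    """Simulate sensor noise by flipping the given template bits."""
    out = list(template)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed sample template: 80 bits taken from a fixed hash, standing in
# for a real fingerprint feature vector. This is made-up data for the example.
SAMPLE_TEMPLATE = [(byte >> bit) & 1
                   for byte in hashlib.sha256(b"constructed sample template").digest()
                   for bit in range(8)][:TEMPLATE_BITS]


def demo():
    """Returns (exact_match, noisy_match, too_noisy_match) for the sample."""
    helper, key = enroll(SAMPLE_TEMPLATE)
    exact = recover(helper, SAMPLE_TEMPLATE) == key
    # One flipped bit in each of four blocks: within tolerance, same key.
    noisy = recover(helper, flip(SAMPLE_TEMPLATE, [0, 5, 10, 15])) == key
    # Three flipped bits in block 0: beyond tolerance, a different key.
    too_noisy = recover(helper, flip(SAMPLE_TEMPLATE, [0, 1, 2])) == key
    return exact, noisy, too_noisy


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Note the caveat that applies to the thread's concern: the helper data is public by design, but with a code this weak it leaks most of the template (each 5-bit block of P equals the template block XOR one repeated key bit), so the entropy the derived key can carry is bounded by the template's entropy minus the code's redundancy. The construction only makes sense when the biometric encoding has more entropy than the error correction costs.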


It is, effectively, what Touch ID does. (It's an over simplification but as an analogy it works)


Unfortunately, that's not how governments around the world require it right now. Estonia for its e-citizenship program, as well as pretty much all countries requiring a fingerprint for passports, store the fingerprints in their own centralized database (that also gets shared with other nations).

I switched my phone fingerprint to another finger as soon as I signed up for a passport.


In the Netherlands we had a passport with fingerprint, and all data stored by the state. Luckily, this was reversed, and now the fingerprint is only stored in the passport itself. Well, that's what I hope, as the fingerprint needs to be stored temporarily for the time to create the passport.

Better, if you don't leave the EU, you can use an identity card that doesn't have the fingerprint.

I was lucky enough to have an old passport that just spanned the period in which the fingerprint was stored centrally. Now I have an ID card, but one time in the future I will leave the EU, and then I have to get a passport...


Wow.

So a piece of plastic the bank gives you with mostly arbitrary numbers on it is better protected than your own fingerprints, which you're stuck with for life?

Good grief.


This sounds like a good idea on the surface but this just shifts the problem.

Ultimately, you still only have 10 fingers (general assumption), and not a large space like 30 char passwords.


However, Fingerprints cannot be practically hashed.


Images can be hashed (and hashed in such a way that minor changes can still lead to the same hash), so images of fingerprints should be hashable.


I found this article from Microsoft a while ago that I thought was particularly interesting.

https://technet.microsoft.com/en-us/library/cc512578.aspx


If someone's going to use biometrics, please just use a face picture. People understand that their face is mechanically recognizable, and don't have the same false confidence in pictures that they have in fingerprints.


They should keep a hash of the fingerprint info, not the info itself. I don't know how it would work, but keeping biometric data for authentication is indeed potentially worse than keeping plain-text passwords.

Like, the output range of a convnet, or something.


Most people have 10 to choose from, 20 if you want, and potentially more if you consider other regions of your skin.
