> PRINT_FLAG, FINGER_INFO, FINGER_TOPO_COORD, QUALITY, MATCHING_FINGER
> The values within there can be quite detailed and I’ve no reason to think that this isn’t indeed legitimate print data uniquely and biologically identifying the owner. You don’t get to reset that stuff once it’s been released into the wild!
That's one of the biggest dangers in using biometrics as a factor in authentication. Once it leaks (and keeping data safe is one of the hardest tasks in today's world) there is no changing, no resetting; it is out there and rendered useless at best or a vector for identity theft at worst.
I wrote about this practice the other day. It's interesting to observe that when Apple announced Touch ID, for example, it was presented as something with improved security.
The biggest advantage of Touch ID is that people who never had a passcode on their phone now use it.
You have to consider the limitations it has as well. An attacker could potentially lift your fingerprints and use them to unlock your phone. But they only get five chances to fool the sensor before Touch ID disables itself, and they have to do their work within 48 hours of when you last entered your password.
As with all things security, the important question is what sort of threats you're defending against. For the scenario where I lose my phone or I get mugged, Touch ID is fine. If I'm defending against police seizing it as evidence, it's probably fine. I'd be surprised if the police could move quickly enough to make the deadline. For police encounters I know about ahead of time (like passing through customs), it's easy to shut the phone off to temporarily disable Touch ID. The only scenario where it likely fails is a targeted attack by someone with sophistication, like if the FBI thinks I'm a terrorist, and I'm not particularly worried about defending against that.
Note that your six-digit PIN doesn't necessarily save you here either, although it would buy time. Whatever the FBI did to the infamous San Bernardino iPhone would probably work on yours in a longer but practical amount of time.
People often say that fingerprints are usernames, not passwords. I don't think that's very useful. A fingerprint doesn't fit inside the old username/password ideas, it's something different from both, with its own unique properties.
No, it's a username that is physically tied to the user. If I can get that data (fingerprint) then I don't need to go through the usual rigmarole of password hacking.
Fingerprints are literally "one factor auth".
Consider an example. Imagine if HN authenticated based only on the username. Could you get into my account? Now imagine if HN used fingerprint authentication. Would that make it harder?
The problem I see is using fingerprints which are unique to your person, unchangeable, and spread around us in a very liberal fashion as passwords.
Imagine for a second that the San Bernardino iPhone had used Touch ID, don't you find it highly plausible that the US government would be able to find a good fingerprint that could be used to unlock the phone? I guess they even had his body at hand so it would have been dead simple.
That is a very good observation and puts Touch ID in perspective. If you died today, would you be ok with your family and/or friends being able to unlock your phone and go through all your personal data? Sure, there may be genuine reasons for them to do so, but still, all your data will be at their fingertips, and even if you "trust" that they'll limit themselves to only looking for the relevant information to get your things in order, they still have to sift through a lot of data you may not want them to.
In other words, citation needed.
I can't find it now, but not long after that another group found an even simpler method of printing out a fake print. I did find a much more recent attack based on just using a special conductive ink cartridge in a regular inkjet to directly print something on paper that would work. Bottom line is that it doesn't take a lot of fancy equipment, supplies, or skills to print a fake fingerprint that will fool TouchID.
As for "a photo derived from someones hands", I'm not sure what they meant but if you had a photo that could make out the ridges of someone's fingerprint then yeah absolutely.
I do trust Apple more than many other entities and as you say they don't have a database with fingerprints. Further the secure enclave is definitely a secure piece of engineering.
As is evident from the linked article, though, the problem isn't Apple; the problem is all the other databases that will have your fingerprints. As Troy says in the article:
Once your fingerprints leak somehow there's no way to reset or change them. To me at least it seems like a really poor idea to use something with those properties as passwords.
A username can identify (but not authenticate) an individual, biometric data can do both, whereas a password is nothing by itself. It’s only meaningful in conjunction with an identifier as a shared secret in order to authenticate.
* PIN to unlock the phone, no Touch ID. Phone set to self-erase after x attempts.
* TouchID to only unlock 1Password. 30 char master password
* TouchID used for nothing else.
I would welcome any feedback if there is something that I have missed.
Leaking? Why do you need a leak? Just follow somebody and wait until he touches something, preferably a glass in a pub or something similar.
I am very worried with Brazil's push to require biometric fingerprints to vote, AND voting being mandatory...
Here's a list of documents you need to provide fingerprints, off the top of my head:
– National identity card (RG), mandatory for all citizens over 18 years of age;
– Military conscription certificate (CAM), mandatory for all male citizens over 18 years of age;
– Voting card (Título de Eleitor), mandatory for all citizens between 18 and 65 years of age, encouraged for all citizens over 16;
– Employment record book (Carteira de Trabalho), mandatory for any formal employment;
Also, as of at least three years ago in the state of Rio de Janeiro, some of these were already computerized.
If they already have fingerprints, and now fingerprints are suddenly required for voting, that makes election fraud easier for the government.
You cannot "hack" a piece of paper easily...
But with mandatory vote + mandatory fingerprint to vote, you just turn that database into a giant juicy target; an attacker can be sure that all voters will have fingerprints there.
This is intuitively appealing, but do biometrics really boil down to an exact number that we could hash like this? (Genuine questions; I don't know.) It seems more likely to me that biometric measurements would be considered to "match" when they're within particular tolerances. This is an operation you can perform on the original measurements, but not on hashes of those.
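An added example (not part of the thread or of any real matcher) to make the point above concrete. It assumes a toy "template" of four minutiae, each an (x, y, angle) triple, and simulates fresh scans by jittering the enrolled values, which is a constructed stand-in for sensor noise. It then compares three schemes: hashing the raw measurement, hashing a quantised version of it, and a distance-based match within a tolerance on the plaintext template. The tolerance weighting and thresholds are arbitrary choices for the demonstration, not values from any product.

```python
import hashlib
import math
import random

# Constructed sample: one finger reduced to four minutiae (x, y, angle_degrees).
# Real templates are richer, but the property shown here holds for any
# biometric: two captures of the same finger are close, never identical.
ENROLLED = [(12.0, 40.0, 30.0), (55.0, 17.0, 120.0),
            (80.0, 63.0, 250.0), (33.0, 90.0, 75.0)]

# Constructed template for a different finger, used as the impostor probe.
IMPOSTOR = [(20.0, 20.0, 200.0), (60.0, 70.0, 10.0),
            (90.0, 10.0, 300.0), (5.0, 85.0, 150.0)]


def capture_with_noise(template, rng, jitter=1.5, angle_jitter=5.0):
    """Simulate a fresh scan of the same finger: every minutia moves slightly."""
    return [(x + rng.uniform(-jitter, jitter),
             y + rng.uniform(-jitter, jitter),
             (a + rng.uniform(-angle_jitter, angle_jitter)) % 360)
            for x, y, a in template]


def template_hash(template):
    """Naive scheme: hash the raw measurement as if it were a password."""
    encoded = ";".join(f"{x:.3f},{y:.3f},{a:.3f}" for x, y, a in template)
    return hashlib.sha256(encoded.encode()).hexdigest()


def quantized_hash(template, cell=4.0, angle_cell=20.0):
    """Quantise each coordinate into cells, then hash.

    Hypothetical 'fix' for the naive scheme: it helps only for values that sit
    in the middle of a cell; any measurement near a cell boundary still flips.
    """
    encoded = ";".join(
        f"{math.floor(x / cell)},{math.floor(y / cell)},{math.floor(a / angle_cell)}"
        for x, y, a in template)
    return hashlib.sha256(encoded.encode()).hexdigest()


def minutia_distance(m1, m2):
    """Position distance plus a (hypothetical) 1/10 weighting of angle difference."""
    dx, dy = m1[0] - m2[0], m1[1] - m2[1]
    da = abs(m1[2] - m2[2]) % 360
    da = min(da, 360 - da)          # shortest way round the circle
    return math.hypot(dx, dy) + da / 10.0


def match_score(enrolled, probe, tol=4.0):
    """Fraction of enrolled minutiae with a probe minutia within tolerance.

    This is the kind of operation a matcher performs, and it needs the
    plaintext template on both sides; it cannot be done on hashes.
    """
    hits = sum(1 for m in enrolled
               if any(minutia_distance(m, p) <= tol for p in probe))
    return hits / len(enrolled)


def tolerance_match(enrolled, probe, threshold=0.75):
    """Accept when at least `threshold` of the enrolled minutiae are found."""
    return match_score(enrolled, probe) >= threshold


def compare_schemes(trials=200, seed=1):
    """Acceptance rate of each scheme over repeated noisy scans of the enrolled finger."""
    rng = random.Random(seed)
    exact_ok = quant_ok = tol_ok = 0
    for _ in range(trials):
        probe = capture_with_noise(ENROLLED, rng)
        exact_ok += template_hash(probe) == template_hash(ENROLLED)
        quant_ok += quantized_hash(probe) == quantized_hash(ENROLLED)
        tol_ok += tolerance_match(ENROLLED, probe)
    return {"exact_hash": exact_ok / trials,
            "quantized_hash": quant_ok / trials,
            "tolerance_match": tol_ok / trials}


if __name__ == "__main__":
    print(compare_schemes())
    print("impostor accepted:", tolerance_match(ENROLLED, IMPOSTOR))
```

Running it shows the exact hash never matching a fresh scan, the quantised hash matching only on the small fraction of trials where none of the coordinates near a cell boundary happen to cross it, and the tolerance matcher accepting every genuine scan while rejecting the impostor template. That is the reason biometric systems keep a comparable (plaintext or reversibly encrypted) template around, and therefore the reason a breach of such a store is so much worse than a breach of salted password hashes.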
I switched my phone's fingerprint to another finger as soon as I signed up for a passport.
Better, if you don't leave the EU, you can use an identity card that doesn't have the fingerprint.
I was lucky enough to have an old passport that just spanned the period in which the fingerprint was stored centrally. Now I have an ID card, but one time in the future I will leave the EU, and then I have to get a passport...
So a piece of plastic the bank gives you with mostly arbitrary numbers on it is better protected than your own fingerprints, which you're stuck with for life?
Ultimately, you still only have 10 fingers (general assumption), and not a large space like 30 char passwords.
Like, the output range of a convnet, or something.