
Actually, my gym (24 Hr Fitness) uses fingerprint scanners to sign people in. I hadn't really given it much thought before, but indeed, it would be possible for their system to be compromised and for my fingerprint data to be released into the wild...

Yes, hackers could compromise your gym's systems, steal your fingerprint data, and then use it to... mooch off your gym membership?

It's terrible security practice, but the average person reuses fingerprints. Sorry to be the bearer of bad news.

Or to generate an artificial fingerprint that can fool scanners, and then use that to access another service or data you have/use that is "secured" with fingerprint as the single authentication factor.

Since fingerprints can't be changed, the more widely they are used for authentication, the more likely that they will be compromised and the less useful they are for authentication.

That's a good argument against using fingerprint scanners as the only choice for authentication. They're not very secure, because they can potentially be stolen and faked.

However, it's not at all an argument against using fingerprint scanners as an optional choice for authentication, just because the scanner could be used to steal your fingerprint.

Fingerprint theft is a problem regardless. You can't really target systems that enable that theft, because it's an ever-present risk. Instead, worry about systems which fail due to such theft.

Fingerprints are fine for a gym, because who cares if somebody fakes yours. They're fine for a smartphone for many people, because it's intended to stop casual theft, not be an impenetrable barrier. Fingerprints should definitely not be used (at least on their own) for, say, nuclear launch authorizations or other things of similar import, because they can be stolen and faked.

Cheap biometric scanners also yield only a few bits - your fingerprint becomes a small int. About the same security as your garage door opener.

Unless you have to also swipe a card, in which case the fingerprint might be stored on the card. That's how it's done where I live, since you can't store people's fingerprints without a good reason.
