Your kids screwing around with your phone? TouchID does the job.
Random people screwing around with your phone if they find it? Same thing.
Government gets ahold of it? Yeah... not so much.
Considering that the primary adversaries of an average smartphone user are other mere mortals, not dedicated spy agencies, a fingerprint login strikes a very good balance between usability and security.
Considering the alternatives - either requiring a standard alphanumeric password on unlock (just about zero usability), or a 4 digit pin code (less usable than the fingerprint while providing identical, maybe slightly less security than that option), or more likely than not, no password of any kind - the whole Touch ID thing is a massive jump forward in the security posture of the average iOS user.
Most iOS users I know have it enabled simply because it means they don't have to keep re-keying their app store password.
The alternative you suggest is related to biometric key binding (http://www.cs.cmu.edu/~vboddeti/key-binding.html).
But if it were as easy to get access as the article suggests...
I agree you take the right approach by identifying adversaries. And I agree that it's relatively reliable against kids or random people randomly screwing around. And not against governments.
But there's a whole bunch in between that. Business competitors? Ex-partners or personal enemies, motivated enough to hire a private detective or similar that can easily do this?
I think the line of "reasonable defense against" for this technology is actually probably _just barely_ above random people screwing around with your phone because it was just lying there. And there's a whole lot above that but below national intelligence agency.
When you think about security, you should have in mind who you are protecting against, and the same applies to passwords.
Security purists love to advocate that password reuse is evil, but who in the first place is going to be your attacker and for which purpose?
For example, in the context of money (online banking, paypal, ebay, etc.) I completely agree that password reuse is evil.
But when it comes to random websites, or simply to access my devices, does it really matter? The first time I saw the Chromebook my first impression was "do I really have to write my entire Gmail password EVERY TIME I want to access this thing???" With my Galaxy S5 I was like "Don't tell me how I should create a password to unlock you!!! If I want to use 0000 it's my problem!!!"
I personally like the approach of FastMail: different login methods (like using Google Authenticator to generate random one-time-use passwords, or the ability to create different plaintext passwords). You decide which login methods allow you to access your account, and which ones allow you to manage it.
You don't know, that's why password reuse is evil.
Years ago when I made my Facebook account it used the same password as all my other accounts. Now that I use Facebook as an OpenID provider for pretty much any news site, I would be exposing myself and my friends to all sorts of attacks if someone hacked a phpBB forum that I frequented years ago. You could make the argument that only important sites should have unique passwords, but you, your grandmother, and I all have a different definition of important sites.
OpenID isn't being attacked or at fault, it's non-unique passwords.
If you have secrets that are very valuable, you are outside the standard use case, and should probably use more advanced authentication.
Fingerprint readers, as Apple uses them per device backed by a strong high-entropy password, are good enough for securing the average person's access to a device.
My physical security, something much more dear to me than my secrets, is protected not by keys and tumblers, but by a 1/4 inch of glass that can be cut through in seconds with $5 from the hardware store. Even the key and lock can be circumvented with a rubber mallet and a bump key, or a set of picks. So why use them? Because locks keep honest people honest, and those looking to cause you harm will cause you harm, regardless of what digital security you use.
But there are all sorts of cases you leave out.
Someone might very well have access to your device without having access to your physical person. Because your device was lost or stolen.
Someone may very well not be willing to threaten you with physical harm, but be willing to hack your device. (Not every adversary is from a Hollywood movie either!)
Law enforcement agencies may not be legally allowed to compel you to reveal your password, but legally allowed to hack your device.
If you're at odds with an American TLA, your 4 digit pin isn't going to slow them down at all.
Besides, the entropy on the average 4 digit pin is really low; it has a greater chance of using 5, 6, 8, and 9 for righties, and 4, 5, 7, 8 for lefties. Combine this with repeated finger grease blobs, and I don't feel anyone can logically argue that a pin is a sufficiently more secure option compared to a fingerprint.
Also, I think he misconstrues the purpose of Touch ID. It's not meant to completely replace passwords.
There are three categories of authentication methods:
1. Something you know (password, combination, challenge responses).
2. Something you have (crypto token, phone, key).
3. Something you are (fingerprint, face, DNA, etc).
Methods can be combined for added security. All three have advantages and disadvantages. Passwords are typically chosen by users, making them weak. Good crypto tokens are hard to copy, but loss or theft can mean getting locked-out. Biometrics are convenient, but can't be revoked. Also, some activities can make them hard to read.
Apple uses all three authentication methods in the iPhone. Touch ID is for basic access. The passcode is for admin-level functionality like erasing or restoring the device. Lastly, physical access to the phone is required to decrypt important data such as Apple Pay's Device Access Numbers. This gives typical, non-technical users a sane combination of security and convenience. If thieves and scammers start copying fingerprints, Apple will change their auth mechanisms.
1. I love Touch ID, but it takes a while to work again after I rock climb or lift weights.
As you say, with Apple's TouchID, you are actively choosing a less secure method to access your device, for convenience. But...that's also pretty close to what the author said. "Biometrics can be used as a lightweight, convenient mechanism to establish identity, but they cannot authenticate a person or a thing alone."
His point is that for things like system access to a Linux box, or to unencrypt data (eCryptfs, the software he helps maintain), biometrics is far too insecure.
While theoretically less secure, I would say TouchID in practice is more secure for average users. But in the case where there is the motivation I would agree with you.
As the author indicates, "This isn't a knock on Apple, as Thinkpad have embedded fingerprint readers for nearly a decade. My intention is to help stop and think about the place of biometrics in security."
The danger is viewing biometrics as a secure alternative to passwords; it's not. But comparatively few people are technically inclined enough to realize that; with Apple embracing it for convenience, we run the risk of people not understanding the security implications; the author saw evidence of that when asked to implement biometrics for file encryption, which is a terrible idea.
Y U no read Greenwald? Not sure if trolling.
Plus, let's not forget the data sharing arrangements that were highlighted by Greenwald; the US collects fingerprints from anyone entering the country ( http://en.wikipedia.org/wiki/Office_of_Biometric_Identity_Ma... ), and I'm sure they're happy to share that information with other countries, who may be prevented legally from collecting that info from their own citizens. And vice versa. So traveled overseas? It's not unreasonable to assume your home country now has access to that piece of biometric data. Certainly, the country you traveled to does.
And of course, if you are arrested, your fingerprints are entered into a DB as well (though you can fight to have them removed if you are never found guilty of anything; good luck with that).
In general, our biometric data is collected routinely, and so makes a really bad choice for a password. I never see the equivalent of this for passwords - http://thefreethoughtproject.com/st-louis-police-fingerprint...
Add to that your mom's maiden name and your parents' names and you get the point; in an authentication system "something you are" is better used as a user name rather than a password because users can't change it. Once they're public, irrecoverable attacks may happen.
There are 3 categories of authentication inputs.
(1) Something users can not change
(2) Something users can change
(3) Something the service owners or system admins can change including time synchronized codes.
You better use 1 as usernames, 2 & 3 as passwords.
He doesn't have to for his point to be valid.
Having the fingerprint hashes stored in a secure enclave on everyone's devices seems like a much more secure way to deal with fingerprints. The first method is completely unacceptable. The latter is more reasonable.
Governments collect fingerprints on several occasions, as do several buildings' security, some mass transit administrations, banks, workplaces, and lots of other entities. Also, you leave them everywhere anyway.
Because people are just people, not superhuman remembering machines.
Overall it feels that Apple's take is for day to day login it's better than a four digit PIN and it's better than no PIN.
That's because the hash of the print is stored on an encrypted volume of some kind, which requires your regular password to decrypt after a cold boot. Once the hash is in memory, the fingerprint can be used instead.
Of course, this doesn't help against a sophisticated attacker who is interested in the data on a device; in that case, a secure passphrase would be preferable.
Unfortunately, it seems like iOS doesn't allow using different authentication methods for payments and for device unlocking; it would be really nice to be able to use Touch ID for the former, and a passphrase (or even a passphrase AND a fingerprint!) for the latter.
"much as a your email address or username identifies you, perhaps from a list."
Your email address or username may identify you, but it also may not. Your fingerprint absolutely identifies you and only you.
"For authentication, you need a password or passphrase. Something that can be independently chosen"
A password is a secret phrase. We're used to thinking about passwords in terms of strings, but anything secret that I know about would serve the definition. In fact, like a character-based string password, I can even make a copy of my fingerprint password and store it somewhere if I wanted a backup.
A fingerprint is both a username and a password. Trying to hold some analogy between Touch ID and traditional username/password combinations doesn't hold and it completely misses the point of the innovation.
That's why it's convenient, and skepticism of civil liberties aside, convenience means better security because people will use it.
The whole point of the article is that this isn't true. Fingerprints are trivial to obtain and copy with sufficient fidelity to beat modern fingerprint readers.
And fingerprints will leak, as we are using them more and more.
Simplifying his post, there are 3 reasons biometrics are terrible for authentication:
1. Every piece of biometric data is inherently public. (Fingerprints, facial geometry, hand geometry, even DNA)
2. Biometrics require an error threshold as our bodies are always changing (that's like typing a 20-char password and having only 15 of them be correct. That's fine! Let them in anyway with 5 incorrect characters)
3. Key revocation. I can change my passwords and locks if you get a copy of my passwords or keys... but once you have a copy of a biometric identifier I cannot use that again for the rest of my life.
Well done, Dustin.
My keys are plenty strong, but when I mistype a strong key (which is plausible seeing as I can't see what I'm typing) then I'm fine with sacrificing some strength to just accept it. My key is already well beyond practical attack anyway.
That said, if you WERE to use something like 2, you'd have to be much more diligent about enforcing good passwords, also you'd have to come up with some kinda scheme that could work with "close enough" and not reveal information about the password.
echo -n "password" | md5sum
echo -n "assword" | md5sum
echo -n "pssword" | md5sum
echo -n "pasword" | md5sum
echo -n "pasword" | md5sum
Just as an early idea.
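The "close enough" scheme sketched above, written out as an added example (not the commenter's code or any product's): the password and every single-deletion variant are enrolled as salted PBKDF2 hashes, a typed candidate is accepted if it matches any of them, and the record exposes how many hashes it holds, which is the information the scheme gives away. Function names, the PBKDF2-HMAC-SHA256 choice and the single per-record salt are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed example of the "forgive a dropped character" idea above
# (not the commenter's or any product's code). Assumption: each enrolled
# string is hashed with PBKDF2-HMAC-SHA256 under one per-record salt.
ITERATIONS = 100_000


def deletion_variants(password: str) -> set:
    """Every string reachable by deleting exactly one character.

    Deleting either 's' from 'password' gives 'pasword' twice, so the set
    collapses duplicates and may hold fewer than len(password) entries.
    """
    return {password[:i] + password[i + 1:] for i in range(len(password))}


def _derive(salt: bytes, text: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, salt: bytes = None) -> dict:
    """Store hashes of the password and all single-deletion near misses."""
    salt = salt if salt is not None else os.urandom(16)
    accepted = {password} | deletion_variants(password)
    return {"salt": salt, "hashes": {_derive(salt, s) for s in accepted}}


def verify(record: dict, candidate: str) -> bool:
    """Accept the exact password or a typed version missing one character.

    Only single deletions are forgiven: a transposition such as 'passwrod'
    is rejected because its hash matches none of the enrolled strings.
    """
    digest = _derive(record["salt"], candidate)
    return any(hmac.compare_digest(digest, h) for h in record["hashes"])


def stored_hash_count(record: dict) -> int:
    """Number of hashes on disk.

    This is the leak the scheme carries: the count is at most len(password)+1,
    so whoever reads the record learns roughly how long the password is, and
    every guess now has that many chances to hit instead of one.
    """
    return len(record["hashes"])
```

For "password" the record holds 8 hashes rather than 9 because the two 's' deletions collide, exactly as the duplicated md5sum line above shows.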
I think it's a good idea, what if you could encourage users to use stronger passwords by telling them that "the system will forgive near misses, so don't be afraid"?
Also, I don't think even Apple advertises its fingerprint scanner as a replacement of passwords. It is a replacement of 4-digit PINs, and for that it is far more secure. While members of CCC have the knowledge of lifting a print, most people do not have this knowledge or tools. And if you notice your phone is stolen, you can always log in to icloud.com (with your password, you cannot use TouchID there) and lock down/reset your phone immediately.
The NFC would essentially function as an OTP 2nd factor (or FIDO U2F if that's better) to the fingerprint being the "password".
No amount of information entered into a computer fully proves it's you and not someone else. A fingerprint provides some information, as does a password.
This sounds like a fairly useless distinction, but hopefully this will make sense:
If all we're doing is trying to prove we're us and not someone else, why do we need a username at all? What added bonus is gained from having a completely public bit of information?
Well that's because:
1. People are bad at picking passwords, if everyone picked a 2000 character random password and kept it secret we'd not really need anything extra
2. You can't inform people if they've picked the same authentication as someone else, so you prefix it with a per-user unique value which you let people know will be public
I don't really see fingerprints as a username or a password. They're just another hint to the system that it's probably you, and you can use any combination of those three depending on what you actually care about.
I don't have a username on my phone to unlock it, just a password.
I have a username and password for HN.
I have a username, password and physical auth device for work-related logins.
The latter two are fairly obvious as differences in how important it is that I'm verified to be me, the former is because I mostly want my phone to distinguish between me and my pocket.
> But biometrics cannot, and absolutely must not, be used to authenticate an identity.
This is incredibly context dependent.
My pithy one liner:
All absolute statements are flawed.
Or any previous device you might have had with Touch ID. Unless you change your fingerprints when you get a new phone.
And it's a lot easier to tell if your device has been compromised because it means that you no longer possess it, in which case you can simply remote wipe it.
Which can easily be subverted by simply disallowing the phone from connecting to the Internet. A "faraday bag" costs a few bucks. Assuming TouchID doesn't prevent you from logging in without Internet access, of course.
Or... You could wipe your old phone when you get a new one.
Which can easily be subverted by simply disallowing the phone from connecting to the Internet.
Perhaps, but you know what they say: If a (determined) attacker gains physical access to your device, all bets are off. But at least you would know if you lost your device. A password OTOH could be compromised without you knowing.
Also, I am only saying that Touch ID is at least as secure as a username/password authentication scheme. If you want more security (perhaps because your adversary is someone who would go to the lengths of manufacturing a fake finger to fool a Touch ID sensor and also get a Faraday Bag to prevent you from wiping your device), then you should perhaps consider using 2-factor authentication.
Any previous unwired device that has not been power cycled and that was unlocked in the past 48 hours.
Many types of "100%" security fail because of this disconnect. Forced rotating passwords or long ones with required symbols and numbers? Most people choose to have easy to remember ones (e.g. pass1, pass2, pass3). Or it's so difficult to memorize that they'll write it down somewhere nearby.
The points are important, but they're directed at consumer products. I wonder how the same person would look at bike-locks...which even with the most expensive locks are only a deterrent given the right tools.
Rather than try to shoehorn fingerprints into our existing terminology, let's look at what fingerprints can do and what implications they provide, and then use them accordingly. The article sadly fails to do this.
Unique id could be something as silly as
Again, a fingerprint or an image of a retina is a signature or password not an id or username.
* Something you have (like an access card or badge)
* Something you know (like a password)
* Something you are (like a fingerprint, iris scan, or simply a photo)
Fingerprints are a bit weird as you do in fact leave them around everywhere. Like iris scans, I would qualify them as better photographs.
Something you know: Username/password
Something you have: security key/phone
Something you are: fingerprint/facial recognition
Those are three factors of authentication. Can anyone think of others?
First, a fingerprint is unique, so it also serves as _identification_.
Secondly, a fingerprint is secure to a very high degree - cannot be easily stolen and duplicated, always is with you and so on. Thus, it serves as _authentication_ too.
EDIT: to the downvoters and critics: what you describe is using an _excess_ of effort to get my fingerprint (technically, using force, etc). If I see a password, I can use it immediately; if you see my finger, there is a long way (in terms of steps) until you can use the fingerprint attached to it. And btw, I am not defending Apple here.
One of the major issues with biometrics is revocation. If compromised, it can be difficult to change!
This feature gives them some great marketing, and it works.