Can the iPhone Popularize Fingerprint Readers?
Nerval's Lobster writes "Apple's iPhone 5S features a fingerprint scanner embedded in the home button. Of course, fingerprint-scanning technology isn't new: Bloomberg Terminals feature a built-in fingerprint reader to authenticate users, for example, and various manufacturers have experimented with laptops and smartphones that require a thumb to login. But the technology has thus far failed to become ubiquitous in the consumer realm, and it remains to be seen whether the new iPhone — which is all but guaranteed to sell millions of units — can popularize something that consumers don't seem to want. Security experts seem to be adopting a wait-and-see attitude with regard to Apple's newest trick. 'I'd caution right away, let's see how it tests and what people come up with to break it,' Brent Kennedy, an analyst with the U.S. Computer Emergency and Readiness Team, told Forbes. 'I wouldn't rely on it solely, just as I wouldn't with any new technology right off the bat.' And over at Wired, technologist Bruce Schneier is suggesting that biometric authentication could be hacked like anything else. 'I'm sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability — or maybe just a good enough printer — can authenticate his way into your iPhone,' he wrote. 'But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about.'"
I very much dislike fingerprint readers. I find them to be hokey and just "feel" as if they are insecure. I would prefer they be used for two-factor authentication but, even then, I would prefer an SMS text or similar to the fingerprint scan.
very easy to remote wipe iphones
but if you have some super secret corporate info on your iphone you should be relying on a lot more than a consumer level fingerprint scanner for security
If someone has your iPhone, they have your fingerprint.
"First they came for the slanderers and i said nothing."
I want to be the first to show how you can use the same old fingerprint reader defeating techniques on an iPhone. Internet fame, security researcher fortune, all will be mine! MUAHAHAHAHA!
"When information is power, privacy is freedom" - Jah-Wren Ryel
"But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about."
Surely if they have your iPhone, they already have lots of copies of your fingerprints smeared all over it?
plus 1 accuracy
Weren't fingerprint readers a big fad with laptops a few years ago? Then there was the facial recognition fad?
It seems this would be a simple job for a 3D printer -- 1) get the person's fingerprint; 2) print it out as a 3D object; 3) ??? 4) profit!!
How long until we start hearing stories about stolen iPhones along with stolen severed fingers?
The fingerprint reader in the iPhone 5s uses a capacitive sensor, not an optical one, so Schneier's proposed hack wouldn't work.
Also, Apple requires you to create a PIN code when you enable the fingerprint sensor. If it's been 48 hours since you used the fingerprint sensor to authenticate, you have to use the PIN instead. Likewise, if you've just restarted the iPhone, you have to use the PIN for your first authentication, you can't use the fingerprint sensor.
HP laptops with the fingerprint scanner, and Kronos timeclocks with similar scanners can be defeated with two pieces of play-doh and 2 minutes careful molding. Make a finger impression in the first piece, fill it with the second, and allow it to dry a bit before lifting the newly molded "finger". I am sure a better material for making the "finger" could easily be found, but this works well enough to defeat the biometrics on both of these devices so far.
It's not like any group has huge databases with large portions of the population's fingerprints anyway. Who would even want access to all the personal information kept on your phone?
Now, everyone calm down and go back to reading peaceful stories about how the NSA has hacked all internet cryptography.
Big apple, new Yorik, undig it, something's unrotting in Edenmark.
We'll have to wait to find out exactly what they're referring to, but if implemented well this should be resistant to fingerprint lifting. Only the outer layers of your finger's skin touch objects. You'd have to have somebody else touch a sensor like this one and then try to recreate the capacitive map.
This was going to be the next big thing back when it came out on the Thinkpad. Never really took root.
This technology reads the living tissue under the skin. You can't just take an outer-skin fingerprint from the screen and authenticate with it. You also can't "chop off someone's hand", as this reads living tissue under the skin.
And they'll be cooler than your old ones.
#DeleteChrome
"But the technology has thus far failed to become ubiquitous in the consumer realm, and it remains to be seen whether the new iPhone — which is all but guaranteed to sell millions of units — can popularize something that consumers don't seem to want."
This is not how Apple thinks of design. Instead of asking people "Do you want a fingerprint scanner?" the question they ask themselves is "How do we make security easier if not completely transparent to the end user?" If you asked people if they wanted to be secure without having to do anything at all, your answer would be different. The fingerprint scanner just happens to be the right solution to the problem (in Apple's opinion).
I am not interested in articles about life extension advancements.
Did someone just imply that fingerprint scanners are a new technology? I was under the impression that it was not a secure technology and thus not used widely. Maybe new for Apple but I've got a couple old junk notebooks with fingerprint scanners here somewhere...
Two big differences. 1) This reads living tissue under the skin, which is more secure than a simple fingerprint that can be found anywhere. 2) This is integrated into something you touch already, the home button. It doesn't add any additional steps for the user.
Another example of Apple taking an old idea and applying it in a very elegant fashion.
And the NSA doesn't spy on Americans. "No Sir, we do not" - James Clapper
I don't believe our government is capable of telling the truth any longer. I don't believe the population, as a whole, is able to distinguish between truth and propaganda. And the surprising thing is, there is a large group of people who think government is the solution to the problems created by government.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Best Animaniacs adult humour: www.youtube.com/watch?v=1xmAC9Qu908
Now people can access your iPhone when you are unconscious or dead.
"Love heals scars love left." -- Henry Rollins
The NSA had my fingerprints for years... nothing bad happened yet.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
{Answer = No;}
Korma: Good
I think the benefit of this is that it would prevent small children from buying stuff.... if the parent is smart enough to set up the finger print authentication before giving the phone to the kid.
Yes, iTunes purchases can be configured to use the fingerprint.
And now the NSA will have a finger print database for all iphone users with minimum effort.
Stop this. Stop it this very instant. The NSA (or any other nefarious creature / corporation / government entity / evil deity) is not interested in a user's fingerprint.
First, as has been mentioned ad nauseam, you don't get a fingerprint - you get a hash of an output off a sensor that relates to a fingerprint.
Second, even if you could reconstruct the loops and whorls of the fingerprint then so what? You leave a veritable trail of fingerprints (and DNA and a host of other things we don't want to talk about here) everywhere you haul your ugly bit of meatspace around to. Nobody cares about a single fingerprint. The only valid concern is whether or not someone can take an existing copy of your fingerprint and gain access to the device. We shall see.
IF it works (big if) then it's a fine bit of biometrics to allow you to play Angry Birds. If you are carrying more sensitive information on your iPhone and you don't have it encrypted separately from phone access, sucks to be you.
Not every bit of security has to be able to foil three letter government agencies.
Faster! Faster! Faster would be better!
They can figure out who you are without your fingerprint.
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
Maybe worse, what if through some accident (i.e. a small cut in the finger, a burn, etc.) you change your own fingerprint? You are tying being able to use your phone to unlocking it with a specific finger of a specific hand.
Regarding others, you are leaving copies of what authenticates you on everything you touch. It probably won't be so hard to 3D print gloves with your fingerprint, or even 2D print the fingerprint and glue that print onto your fingers/gloves if you want to go low tech.
Yes, it is just your phone, but, as it surely will be sold as a way to authenticate that the person using it must be you, access with no password to apps, bank accounts, payments and so on will probably be enabled with no extra requirements.
I don't believe our government is capable of telling the truth any longer.
Oh, they're capable. They're just not *incentivized* in any way. When there's every reward for pulling off a lie, and no punishment for getting caught in one--are you going to tell the truth?
The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
Really good point, "well my fingerprint is compromised, time to have this one burned off"
Good leaders run toward problems, bad leaders hide from them.
No authentication system is perfect. On non-iThingies you have three choices: swipe to unlock, 4 digit PIN, or full encryption with a long password. Most people use option 1 or 2. Option 1 provides no security whatsoever. Option 2 provides a little security but it's very easy to crack a 4 digit password. Option 3 is much better but inconvenient. I tried it for a while and got tired of entering a long password every time I wanted to use the phone. So I got rid of it.
Basically any OS is hackable, given enough time and resources. The trick is to secure your system enough so that it becomes inconvenient for an intruder and they move on to an easier target. Sure, a fingerprint scan is not foolproof. I have no doubt that someone in the near future will post a hack on YouTube on how to bypass it. But it's still a heck of a lot safer than option 1 or 2 above, which is what the vast majority of people are using now. So I think that a fingerprint scan is a good compromise between good security and convenience.
For me the best security on my cellphone is to simply not put anything on it that could hurt me if it got lost or stolen. That means no mobile banking, no investment accounts, no passwords, no links to websites that have the username and password stored. If someone steals my phone and they get a copy of my music library and family vacation photos I can live with that. Remote wipe...poof, it's gone.
Cause I know some guys who used to own a Mercedes-Benz with one of those who got "hacked" a few years ago.....I don't think that's the kind of hacked I would like to be when somebody steals my phone AND my fingers....
This is why you use a print from your non-dominant hand, non-active finger (say, your non-dominant hand pinky or ring finger). Those are the least likely to be damaged in day to day activities, and also the least likely to be expected for use, should someone be lifting your prints and making fake fingers to scan in. (Most people would expect dominant hand index or thumb, just out of ease of use.) Security through obscurity always helps.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
A lighter should do it.
Might take a while for permanent change though.
There are two types of people in the world: Those who crave closure
The problem with my laptop fingerprint scanner is I have to swipe like 16 times before it recognizes anything, so it's just faster and easier to type in my password.
However for phones and tablets, the Achilles heel of all touch devices is the on screen keyboard, so if your password involves characters, numbers and symbols it is freaking annoying. A fingerprint scanner would be welcome.
But, if Apple's fingerprint scanner is not 100% flawless and quick every time, then it will fail just like every other fingerprint scanner. The moment it takes longer to unlock something by a fingerprint than by entering a 4 character passcode, it's going to fail.
The "privacy" arguments here are baseless FUD, once again, because Apple has specifically said the fingerprint is not sent or stored on the cloud; it's used to generate a key that is compared against encrypted data stored directly on the CPU. It's no more or less private than entering a 4 digit passcode or password that everybody does now.
I haven't thought of anything clever to put here, but then again most of you haven't either.
Harder to get?
How about I beat your finger with a hammer until you give me your password?
Not that much harder.
There are two types of people in the world: Those who crave closure
Why do you think so? Having a quick and easy way of remotely obtaining the unique hash of the fingerprint of any iPhone user could become very useful for the NSA and other agencies - law enforcement in particular. Say you lift off a fingerprint from some object and want to know whom it belongs to. You compute a hash by the same method as in the iPhone and obtain cell phone data of people who were in the vicinity of the crime scene (that's probably standard procedure by now anyway). Now wouldn't it be nice if you could quickly match your hash with those of the phone owners? The more phones have fingerprint readers, the more obviously useful would it be to have a database of fingerprint hashes or access them remotely on the phones.
You leave a veritable trail of fingerprints (and DNA and a host of other things we don't want to talk about here) everywhere
Yes but it's very expensive and time consuming to get DNA/Fingerprints/etc that you can reliably tie to an individual unless they can be persuaded to volunteer.
Nobody cares about a single fingerprint
The UK police have been testing a roadside fingerprint scanner which works off a single print (it's not as accurate as a full all finger scan) so a single print is certainly of interest to them.
B) there's nothing all that elegant about utilizing the latest technology in your gadget.
Look at how fingerprint readers were incorporated into laptops, and compare that to the iPhone 5S. That is elegance at its very definition.
Apple used a sapphire cover for the lens cover. Why? One possibility was they needed a material that is transparent in the IR to do the sub dermal imaging. But there's other choices. Another possibility is that it's just cool. But what I'm thinking is that perhaps this cannot tolerate too much scratching so they had to use something super hard. I suppose there's also the requirement for mechanical stresses. I don't know. But if it's scratching I wonder if this will be robust.
In any case, getting back to the post I'm replying to. There's no reason to store the fingerprint, just a hash of it, as is done for passwords. You would not want to hash the image of it either. You would want to distill it down to a set of rotationally and translationally invariant feature vectors. Of course that's still an ID of you from your fingerprint, but given the features they could not recreate your fingerprint itself.
Personally I'm very excited about this because I'm very concerned about my phone being the world's worst 2-factor identification. Since password resets from nearly all websites are sent to the address that you get all your other correspondence from them, you have to use the same e-mail address for both. Your phone knows this address since you have to be able to get your e-mail. And if you also use your phone for a 2nd factor, then that doesn't really help. Anyone with your phone can just request a password reset and then they have your password and the 2nd factor. Bye-bye PayPal and Google Pay and your bank accounts.
So if the phone is to be that important having a biometric filter running transparently, regardless of whether it is 100%, is really welcome.
Some drink at the fountain of knowledge. Others just gargle.
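An added illustration (not part of any comment in this thread, and not Apple's implementation) of the idea raised above of storing rotation- and translation-invariant features instead of the image. It assumes constructed minutiae coordinates, sorted pairwise distances as the invariant, and an arbitrary match threshold, and compares a password-style exact hash of the features with a tolerance-based comparison when the same finger is re-read with sensor noise.

```python
import hashlib
import math
from itertools import combinations

# Constructed minutiae coordinates (arbitrary units); not real biometric data.
ENROLLED = [(10.0, 12.0), (25.0, 40.0), (43.0, 18.0), (30.0, 5.0), (52.0, 47.0)]
OTHER_FINGER = [(8.0, 30.0), (20.0, 22.0), (47.0, 35.0), (36.0, 50.0), (55.0, 10.0)]
# Fixed per-point sensor jitter so the run is deterministic (assumed values).
JITTER = [(0.3, -0.2), (-0.1, 0.25), (0.2, 0.1), (-0.3, -0.15), (0.05, 0.3)]
NO_JITTER = [(0.0, 0.0)] * 5
MATCH_THRESHOLD = 1.0  # assumed tolerance, in the same units as the coordinates


def present(points, angle_deg, dx, dy, jitter=JITTER):
    """Simulate a fresh touch: rotate the finger, shift it, add sensor jitter."""
    a = math.radians(angle_deg)
    cos_a, sin_a = math.cos(a), math.sin(a)
    touched = []
    for (x, y), (jx, jy) in zip(points, jitter):
        touched.append((x * cos_a - y * sin_a + dx + jx,
                        x * sin_a + y * cos_a + dy + jy))
    return touched


def invariant_features(points):
    """Sorted pairwise distances: unchanged by rotation and translation."""
    return sorted(math.dist(p, q) for p, q in combinations(points, 2))


def exact_hash(features):
    """Password-style storage: SHA-256 over the features rounded to 0.01."""
    data = ",".join(f"{f:.2f}" for f in features).encode()
    return hashlib.sha256(data).hexdigest()


def feature_distance(a, b):
    """Mean absolute difference between two sorted distance lists."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def matches(template, probe_points, threshold=MATCH_THRESHOLD):
    """Tolerance-based match of a probe against the stored template."""
    return feature_distance(template, invariant_features(probe_points)) <= threshold


def demo():
    template = invariant_features(ENROLLED)
    clean = present(ENROLLED, 25, 100, -40, NO_JITTER)   # same finger, no noise
    noisy = present(ENROLLED, 25, 100, -40)              # same finger, with noise
    impostor = present(OTHER_FINGER, 25, 100, -40)       # different finger
    enrolled_hash = exact_hash(template)
    return {
        "hash_equal_without_noise": exact_hash(invariant_features(clean)) == enrolled_hash,
        "hash_equal_with_noise": exact_hash(invariant_features(noisy)) == enrolled_hash,
        "genuine_matches": matches(template, noisy),
        "impostor_matches": matches(template, impostor),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this scheme the stored template has to remain comparable within a tolerance, so it cannot be protected the way a salted password hash is; its confidentiality depends on where and how it is stored.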
One more headscratcher from Cupertino
Apple was the first company to incorporate BLE into their devices, a competing standard that is now incorporated into Android 4.3. Don't ever plan on seeing NFC in an iDevice. BLE takes less power, connects faster, has a higher bandwidth, and a longer range.
The sensor on the new iPhone is Capacitive. It is NOT sub dermal.
There ARE sub dermal sensors, however one would not fit in a phone at this stage as they are rather large.
Capacitive > Optical, but still not foolproof. A simple mold of the finger in something that is conductive like skin would fool it easily.
http://computer.howstuffworks.com/fingerprint-scanner3.htm
I also doubt that it looks for a pulse, as that is a hack optical scanners use to try to thwart pictures, something capacitive doesn't have an issue with.
Sensing pulse without an optical sensor would be difficult. And I see no mention of it in any Apple marketing or materials.
That would give a rough indication as to how many might use the fingerprint reader. My guess is not very many - I use one because the company I work for requires it to secure access to their Exchange server. But consumers? I understand they're going to tie the fingerprint to the iTunes store login as well. Not sure if people use the store frequently enough to make that integration useful.
Um, so I have to comment on this.
Again Apple has stated this information is not stored on a cloud or server. It also doesn't send your fingerprint scan to a server; your fingerprint generates a data key that is compared against data stored in an encrypted section of the CPU. So there is no centralized "data" to send to the NSA, court approved or otherwise. Apple is not consolidating a list of user profiles with fingerprint scans that the NSA or any policing agency could then demand access to.
Leaving a fingerprint on a cup at Starbucks is not going to lead to the NSA hacking into your iTunes account to profile your taste in music and movies to find out if you are a suspect terrorist.
You have the audacity to ask people to learn by the news, but when the news is spreading FUD and garbage all you are asking, and contributing to, is an increase in social ignorance.
The only thing I fear these days is a growing lack of common sense and outright stupidity of the Idiot Elite that would rather believe in Hollywood fictitious level of government conspiracy, and "report" on it, rather than actually trying to understand the science of the technology they are using.
I haven't thought of anything clever to put here, but then again most of you haven't either.
It's how you apply the tech, and what you do with it. The ATRIX 4G had a fingerprint sensor, but it was definitely a less elegant implementation, having to swipe your finger down across a sensor on the back of the phone. Apple puts it right where you always touch to activate the phone anyway, and doesn't even make you change your behavior -- just touch. It also allows touch from any orientation and tilt of your finger so you don't have to worry about getting the touch perfect.
Fingerprint scanning while allowing the user to not do anything special to scan the fingerprint. That's the elegance. That's what's going to get it used in large numbers as opposed to the ATRIX, where it ended up being a rarely used gimmick.
It occurs to me that if you use a good passcode to lock your phone, a law enforcement or intelligence agency cannot compel you to give up the passcode if you don't want to. But they can take your fingerprint or use your finger to unlock it by force if necessary. All without violating your rights or the 5th amendment. I would prefer a fingerprint AND a passcode required together.
Then they've been failing to comply with their own standards - but I don't believe you.
Harder to get?
How about I beat your finger with a hammer until you give me your password?
Not that much harder.
A violent assault sure seems a hell of a lot harder to me than simply following someone around and wait until they touch something you can pull a print from without the person even realizing it.
ARGH!
Ok, I know sometimes a typo or two can get through even the most closely proofread post, English isn't necessarily a given poster's primary language and I was raised in a family with multiple English teachers. However, lately this one drives me absolutely bonkers on a daily basis, seemingly on every thread, here on /.
http://grammarist.com/usage/than-then/
Thank you!
Foreign nationals get their fingerprints taken and retinas photographed at the customs desk (where they also check our passports and ask us the funny questions like "business or pleasure?", "anyone handled your luggage but you?", "what address are you staying?" etc).
The NSA has had my fingerprints and retina pattern for over a decade now.
"Total destruction the only solution" - Bob Marley
I know Slashdot is mostly single guys, but I'd be curious to know if this feature supports multiple fingerprints for family situations. I unlock my phone, my wife will unlock it to look something up, my kids will unlock it to play a game or watch a video - How will this work in these scenarios? I'd also expect customization - I'm fine with my kid using a fingerprint to unlock the phone, but I don't want them to be able to make iTunes purchases at all. I own that right.
And apparently Apple's DNA, as they keep saying.
I don't trust anything technological anymore that requires uniquely identifying information to be used and stored for my access to the device. In theory it is the best thing since sliced bread; in reality it is a much different story. The whole catch-22 about supplying uniquely identifying information is that it has to be stored and anything that is stored has already been proven to be vulnerable to collection and that collection is further vulnerable to mass distribution or to be used against you. Security is no longer secure in a digital format in a connected world. I can change my password, not so much my fingerprint without great pain I'd imagine.
Uh, no - the definition of elegance is "pleasingly graceful and stylish in appearance or manner," not "doing the same thing as everyone else, in a slightly different manner."
An enigma, wrapped in a riddle, shrouded in bacon and cheese
... haven't you been reading the news? Apple just invented the fingerprint scanner! :p
I'll concede the point to you, since you actually have a solid, reasonable explanation and aren't responding out of pure fanboy-ism like GP did.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
The iPhone will popularize fingerprint readers because companies are run by idiots incapable of thinking for themselves. No one brought this up when Motorola and LG both brought the functionality to their phones, or when a multitude of other companies started sticking it on their laptops. The difference here is that Apple didn't allow engineers and accountants to compromise aesthetics by plopping down whatever suppliers had available wherever it fit on the device. That's an important detail and a key to Apple's continued success, but it doesn't make the technology better than prior implementations.
Interestingly, I've already seen a number of usability flaws with Apple's implementation in demo videos. First, there's a momentary delay which I assume is by design so that the scanner isn't responding to every minor touch. People don't like waiting, they'd rather be engaged doing something than waiting even when the delay is short. Second, most people seem to mistakenly keep the home button pressed, resulting in the phone loading Siri or whatever the instant the phone unlocks. I suppose they could patch the OS to not react to the initial press, but now we're just adding complication. Undoubtedly there's an exploitable fail safe in place because there must be a way to unlock or reset this in the event that something happens to the phone, the sensor or the owner.
What I'm really curious to know is what Apple is going to take credit for next year. Last year Apple somehow got a patent for facial recognition unlock, something that's been present on Android for several years.
The NSA has had my fingerprints and retina pattern for over a decade now.
Mine, too, with a lot of visits to the US. I wonder if they're doing any sort of analysis of changes over time in fingerprints and patterns in the retina and cornea. More interestingly, would this weaken further the FBI's insistence that fingerprints are unique identifiers which are invariant over long periods.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Again Apple has stated...
Stop right there. Anything that Apple has 'stated' cannot be trusted in this context (*even* if you consider them generally trustworthy). We *know* that they can be ordered by the NSA via a secret court appearance to collect the fingerprints, and then lie about it. This technology allows the NSA to potentially harvest millions of fingerprints (in the same way as they harvest colossal amounts of other data) with almost no effort at all. They don't care if it's illegal, or even if it's particularly useful at present, they obviously just harvest 'because they can' for unspecified future use. The fact that they could get *your* fingerprints from a cup in starbucks is completely irrelevant; they couldn't get millions of fingerprints, all conveniently associated with named people, that way.
Too bad that won't break the iPhone's fingerprint scanner.
There are two types of people in the world: Those who crave closure
While I understand some users' concerns about theft of the print/data/etc., my concern is more to do with legal issues that have been brought up about this. The fingerprint could be considered a key and used to circumvent 5th Amendment issues. Currently the government (US at least) cannot compel you to give them a password or combination to unlock something but they can compel you to give them blood/urine or any other forensic item. They can already fingerprint you at arrest so it is not a far leap to envision the courts deciding that compelling you to unlock your phone by fingerprint is permissible.
Example: They cannot compel you to reveal the combination of a safe because that requires you to give them knowledge that only you know that could incriminate yourself. However, they *can* compel you to hand over the key to a lock as that is evidence and is not considered knowledge covered by the 5th. This technology removes the lock code which would be considered 5th Amendment territory and places the fingerprint into evidentiary collection. They could compel you to place your finger on the phone for the purpose of unlocking it same as they could compel you to provide the key to unlock a door/safe/etc. Now the 2 day PIN code would help, but seriously who has not unlocked their phone in 2 days?
Yes, I know they can currently confiscate your phone and break into it same as they could any other obstruction, but that is not the point. As phones get ever more sophisticated encryption this is opening a very large door for the government to walk through.
I've been using fingerprint and face recognition to log into my PC for years. The software always allows a person to register one or more (upper limit so far always 10) prints in the database per user. The face recognition requires the user to sit in front of the cam for a while and sort of bobble around so it can get a good look. I assume they are detecting features and relating them and constructing a LSH value from this, since this is how this sort of thing is generally done.
I know Slashdot is mostly single guys,
...How? That seems a really stupid thing to say. Having a quick look at the US Census http://www.census.gov/population/www/socdemo/hh-fam/cps2011.html above 15 only 30% have never been married. I suspect the numbers here are higher.
And now the NSA will have a finger print database for all iphone users with minimum effort.
Stop this. Stop it this very instant. The NSA (or any other nefarious creature / corporation / government entity / evil deity) is not interested in a user's fingerprint.
First, as has been mentioned ad nauseam, you don't get a fingerprint - you get a hash of an output off a sensor that relates to a fingerprint.
Second, even if you could reconstruct the loops and whorls of the fingerprint then so what? You leave a veritable trail of fingerprints (and DNA and a host of other things we don't want to talk about here) everywhere you haul your ugly bit of meatspace around to. Nobody cares about a single fingerprint. The only valid concern is whether or not someone can take an existing copy of your fingerprint and gain access to the device. We shall see.
IF it works (big if) then it's a fine bit of biometrics to allow you to play Angry Birds. If you are carrying more sensitive information on your iPhone and you don't have it encrypted separately from phone access, sucks to be you.
Not every bit of security has to be able to foil three letter government agencies.
Look, dumbass. That part in bold IS HOW THEY DO FINGERPRINT SEARCHES.
That step, is 90% of the way toward doing a fingerprint look up, 1) get fingerprint 2) hash the interesting parts 3) search 4) sort through the results by hand. Steps 1 - 2 will be done by the user voluntarily with these phones, step 3 by court order to Apple (or without), NSA already stated they have been illegally (without a warrant) collecting data off smart phones.
Sure, their list of candidates may be 100 people, but it's easy to cross reference them out using the metadata they already have on where they collected those prints.
They very well could decide you are a terrorist and do deeper searches on you in particular, or more likely, start to harass you via the IRS like the Obamaites have been doing.
I've been waiting to break out my foil hat since launch. LET THE DONNING BEGIN!
Where I work they have fingerprint scanners, so you swipe your ID card and then it asks you for one of the two registered fingerprints.
It don't work that well.... lots of false negatives, if your skin is dry... And occasionally I can use about seven of my eight fingers and get it to accept them, when only two of my fingers are supposed to work.
In this time-clock setup it is possible that the software involved is poor--and to that end, a device like a cellphone could get software updates pushed to it. Ultimately it would make more sense to just scan the fingerprint, and upload the image to a more-powerful remote system for processing... but then, that blows the whole "fingerprints don't get uploaded" thing out of the water, as well as allowing for cataloging them permanently.
So they're probably lying about that part. I would bet. Maybe not right now, but eventually.
Is there some new kind of weed that makes the smoker think they're a cryptographer?
No.
a 'hash' isn't some sort of inviolable crypto-packet...it's a string of numbers that correlate to the graph from the scan of the fingerprint
hash away!
whatever hash function you use is completely crackable
using a fingerprint, from a Claude Shannon type perspective, is exactly the same as using a 'password'
fingerprints are harder to copy, lose, or steal and impossible to 'forget'
that's the benefit from a user's perspective
in that sense fingerprint ID is 'more secure' but it's not on the system side...it's on the human side of the equation...
Thank you Dave Raggett
IF it works (big if) then it's a fine bit of biometrics to allow you to play Angry Birds. This. I don't get why everybody is riled up about this iPhone feature. It's not even about Apple - plenty of laptops used this way before the iPhone. I think we can infer that technological progress is all evil. GPS can pinpoint, internet has porn...etc.
Alternative? Outlaw fingerprint scanners? Why stop there? Let's do that with GPS, social media, cloud computing....etc.
that's because they don't know what they are talking about ;)
GP is confusing pass/key interface with a signal intercept.
I'd wager GP got their understanding from Wired articles and TED talks, b/c most of the cutting-edge-ooh-shiny-'quantum' literature on cryptography involves 'man-in-the-middle' attacks where anyone can intercept the signal (in this example, the whole world would have to be able to look over your shoulder as you type your iphone password for his analogy to work)
entering a password onto an iPhone is not a 'man-in-the-middle' scenario...(now, theoretically a person could use a man-in-the-middle attack to, say, sniff your IP traffic via your mobile browser which is different than circumventing password access, but this attack in this scenario would require cracking the encryption of the signal).
for one single instance, a good and proper user generated password with a direct interface to the device (not transmitted externally) is theoretically practically uncrackable, especially if you have say 3 chances to guess, and the # of characters is long enough
so why need fingerprint technology if 99.999999% of phones are secure under the conditions I described above?
1. those conditions don't happen very often in real life
2. marketing
3. platform for expansion across all devices
That's what's going on here....it's about marketing and weaning users over to a new system for corporate profit
In marketing and TED talks, Apple can say this fingerprint shit is 'more secure' but that's **only if the user was an idiot beforehand...**
Thank you Dave Raggett
You missed the part about the hash. You understand the part about a (salted) hash, right? Unless Apple releases the keys (unlikely, but possible) the EvilOrganization has to break that. Then figure out the specifics of the output sensor (likely not the same as the one the FBI uses), then spend all that work to get a useless bit of information.
Faster! Faster! Faster would be better!
I sure hope Apple could improve Motorola's implementation. They've had 3 years to study it.
ayottesoftware.com
Certain countries take my fingerprint when I enter them. My country takes fingerprints when registering for certain papers (even if you are not a criminal).
So .. my fingerprint is out there, it is not for authentication. If you use it to log-into your laptop, phone, anything: you are fooling yourself into thinking it is anyhow safe.
Listen, if the government wants your fingerprints, right now, they'll just find some reason to arrest you and fingerprint you. It's not actually a thing that they have to worry about. The phones are already trackable.
Your fingerprint is at best a password, and has no inherent value beyond letting you into your data. The NSA can already crack the data, or demand that Apple decrypts it, and that's WAY faster than mucking around with a fingerprint.
Also, as has probably been pointed out before, fingerprints are only unique-ish. This isn't a DNA sample. Fingerprints don't count as evidence on their own anymore, they're sort of add-in evidence that helps firm up a case.
Once the iPhone starts asking for DNA samples, maybe I'll find a reason to be worried.
Your phone wasn't hardened against NSA intrusion yesterday, and it won't be tomorrow. The fingerprint is a convenience that should prevent CASUAL access, like at a party. It may slow someone down for just long enough to get your phone back. You think the 4 digit PIN that it (partially) replaces was a lot stronger? Really?
I think even more to the point is that this data is irrelevant.
Let's pretend that Apple is lying through its teeth. Does that actually change anything? Not really.
If the NSA wants your data, they'll get it. Your fingerprint is only meaningful as a method to get that data. They can crack your phone themselves, or ask Apple to do it for them. The fingerprint is a humongous waste of time.
Your fingerprint isn't sufficiently unique that they care about a fingerprint database anyway. We KNOW there's overlap in fingerprints. The fact that the phone is yours and tied to your bank account and that you're paying for it is FAR more information than they need if you're in court. Your fingerprint is on the OUTSIDE OF THE PHONE.
They don't need your digitised fingerprint for anything. This is to keep your friends from taking your phone at parties and photographing their junk and sending it to your Mom. It's so that if you drop your phone and someone else picks it up, they don't have immediate access to all your stuff. It's a faster authentication method, and that's it.
You've asserted this in at least three different posts in this thread. What exactly do you mean by "reads living tissue under the skin"? What is it looking for there? How does it differentiate between the living tissue of my finger versus the living tissue of your finger? And here's a big ol' [citation needed] tag for the claim that it's more secure than a fingerprint scanner. What's the basis of that claim?
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Even better, when you want to plant a fingerprint to cast blame elsewhere for a crime it really helps to have these nice databases. Hmmm... thoromyr made a comment that could be construed as anti-government. Let's see, correlating the user id the real name is... address... ah, fingerprint!
(I'm not suggesting that Apple is collecting fingerprints, or that the NSA would stoop to framing someone for a crime to ruin their life, but hill climbing is a technique for reversing "unreversable" processes and the planting of prints is an unfortunate reality.)
Right. The NSA is very picky about getting good data so they're not interested in just dragnetting the whole internet and dumping it all in a huge database... No, wait, that was the NSA in that fantasy land I made up the other day that wasn't run by asshats.
This is the NSA in this reality and yes they will store any quality data on any user's fingerprint, not because it might actually be good for stopping terrorists but because they can use it as a selling point to up their budget. Or sell it to governments they can trick into thinking it's useful. So of course the NSA will get a copy, pre-hash, of the fingerprints and they'll store it together with the rest of the useless crap they have stored. They won't stop any terrorists with it, but they'll claim they did and maybe they'll nail one or two false positives for fun.
"Apple is not consolidating a list of user profiles with fingerprint scans that the NSA or any policing agency could then demand access to."
I pretty much assume everyone that has an interest--however slight--will immediately bend over for the NSA and cough up everything they have. Why? Because it is pretty obvious that everyone is lying. Corporations covering their asses, Clapper himself lying directly to Congress numerous times, governments feigning surprise and disgust although the leaked documents clearly show their direct involvement. Has nobody else noticed the massive PR blitz all of these implicated companies have started in the last few weeks? Fuck that--we've all suspected these people of massive fraud, corruption and manipulation on a global scale for a very long time. They've done well covering it up with the media outlets they own, but Snowden has pulled aside the curtain and shown us the Wizard. Your suspicions and intuition were correct.
We all have to assume we are being lied to--anything less leaves us just as exposed as if we continued to believe the likes of James Clapper. Assuming Apple is acting in your best interests is just plain stupid. In terms of privacy and electronics, my advice would be the exact opposite--TRUST NOBODY. While you may be an entirely trustworthy person in your field of expertise, even you cannot vouch for the guy in the next cubicle, or the guy running the company (and making the big bucks).
Considering the fingerprint scanner on the new iPhone uses capacitance (ie, minute differences in electrical conductivity) instead of optical imaging, it will be very interesting to see how "hackable" this is.
I don't have many devices lying around that can simulate the electrical conductivity signature of a fingerprint, do you?
Of course it's technically possible, but the chicken littles running around squawking about how easy it will be to fake this out are pretty hilarious.
"Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
I'm sure it'll popularize finger-cutting among iPhone thieves...
most people would expect dominant hand index or thumb, just out of ease of use
For added security, you should use your big toe to unlock your phone. And triple tie your shoelaces to make it harder for the bad guys to get your shoes off.
The smartphone has been used as a tracking device for some time now. With fingerprint reading technology, it will be easier to ensure who you are tracking is who you think it is.
True, your random fingerprint with no identifying info is worthless. But your fingerprint tied to your identity via your phone is valuable. It allows the agency collecting the data to put a name to a random fingerprint found at a crime scene, etc.
The problem is who knows what use that information will be in the future. Maybe police cars will be equipped with fingerprint scanners that can scan everything within 50m of the car for fingerprints and identify everyone who has touched any object within view, like license plate scanners they are now being equipped with, and facial recognition software being used on cameras in public spaces. Maybe your fingerprint is found on a door, making you a suspect in a crime inconveniencing you mightily and requiring you to hire legal defense (along with the 300 other schmucks who happened to touch that door that a criminal passed through).
A fingerprint is a password. It's a password in physical form. It's read and then a hash is generated. The hash is the actual "password" that is passed to the program.
Now you're using this hash everywhere that uses the same kind of fingerprint reader. Because manufacturers are lazy.
What's the first rule about passwords besides "it shouldn't be easily guessable"? Never share passwords. Because one leaked password can be used to unlock other accounts if you do. But now you've been using your fingerprint on various devices, and the same hash is shared everywhere now.
So say you're someone evil. You write a program that grabs these hashes off of iPhones (or some other device) through a security hole (because there are always vulnerabilities). Now you've got the hashes that can be used to unlock other devices/accounts.
The same can be said for other biometric security schemes. Irises, retinas, nose prints (security has gone to the dogs!), whatever.
--
BMO
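The difference between a plain digest and a per-device keyed one, which the "(salted) hash" reply and the shared-hash comment above disagree about, shown as an added example that is not part of any poster's comment and not Apple's or any vendor's code. It assumes a constructed, exactly repeatable template (real scans are noisy and are matched fuzzily) and a hypothetical `Device` class; HMAC-SHA256 with a device-held key stands in for the salting the thread mentions.

```python
import hashlib
import hmac
import secrets

# Constructed sample standing in for a quantized, repeatable template.
# Assumption: real sensors give noisy readings and use fuzzy matching instead.
SAMPLE_TEMPLATE = b"minutiae:(12,40,87);(33,19,142);(58,61,15);(71,22,201)"


class Device:
    """Hypothetical device that stores a derived value, never the template."""

    def __init__(self, keyed: bool) -> None:
        # A keyed device holds a random secret that never leaves it.
        self._key = secrets.token_bytes(32) if keyed else None
        self.stored = ""

    def _derive(self, template: bytes) -> str:
        if self._key is None:
            # Plain digest: identical on every device for the same finger.
            return hashlib.sha256(template).hexdigest()
        # Keyed digest: depends on the finger and on this device's secret.
        return hmac.new(self._key, template, hashlib.sha256).hexdigest()

    def enroll(self, template: bytes) -> str:
        self.stored = self._derive(template)
        return self.stored

    def verify(self, template: bytes) -> bool:
        # Constant-time comparison of the fresh derivation with the record.
        return hmac.compare_digest(self._derive(template), self.stored)


def record_reusable(keyed: bool, template: bytes = SAMPLE_TEMPLATE) -> bool:
    """True if a record copied from one device equals another device's record."""
    first, second = Device(keyed), Device(keyed)
    leaked = first.enroll(template)
    second.enroll(template)
    return hmac.compare_digest(leaked, second.stored)


if __name__ == "__main__":
    print("plain digest reusable across devices:", record_reusable(False))
    print("keyed digest reusable across devices:", record_reusable(True))
```

With a plain digest the stored record is the same on every device, so it links the devices and a copy from one matches the other; with a per-device key the records differ even for the same finger.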
The PRISM program would LLuuuuuvvv you to buy and use a finger print swiping iPhone, JJJuuuusssttt LLLuuuvvv it!
The ATRIX 4G had a fingerprint sensor, but it was definitely a less elegant implementation, having to swipe your finger down across a sensor on the back of the phone. Apple puts it right where you always touch to activate the phone anyway
On Atrix 4G, back of the phone IS where you touch to activate the phone anyway. There is only one physical button on Atrix 4G, and that is the back button, which is the fingerprint reader.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
When I read a question like "can such and such do whatever" it comes off like somewhere there's a group of people desperately hoping it will.