Unhashable: Why Fingerprints Are Weaker Security Than Passwords (hackaday.com)

← Back to Stories (view on slashdot.org)

Unhashable: Why Fingerprints Are Weaker Security Than Passwords (hackaday.com)

Posted by Soulskill on Tuesday November 10, 2015 @10:54AM from the but-i-carry-them-with-me-almost-everywhere dept.

szczys writes: Fingerprints aren't terribly secure; you leave them on almost everything you touch. Many people won't realize that fingerprints can be captured and reproduced from casual photographs. It's actually worse than that. The very method with which fingerprints are stored is much weaker than passwords. Fingerprints cannot be hashed. By their very nature, each read of your fingerprint will be a little different, which breaks the hashing method. They can only be stored using encryption, which requires the same master password each time a new print read is compared to the stored key — a much weaker method than salted hashes. This more easily opens fingerprint credentials up to theft and brute forcing.

242 comments

Min score:

Reason:

Sort:

Bad practice. by Aethedor · 2015-11-10 10:57 · Score: 5, Insightful

Using a fingerprint for authentication is like using one unchangable password for every system. Bad practice!

--
It doesn't have to be like this. All we need to do is make sure we keep talking.
1. Re:Bad practice. by jafiwam · 2015-11-10 11:00 · Score: 5, Insightful
  
  Using a fingerprint for authentication is like using one unchangable password for every system. Bad practice!
  Not to mention fingerprint authentication or encryption is not Fifth Amendment protected.
2. Re:Bad practice. by jellomizer · 2015-11-10 11:12 · Score: 1
  
  Except finger prints are good agains blanket attacks. They will suck at a targeted attack. Such as someone who really wants to get onto my device. However most problems in security including bad passwords is the ability for someone to remotely hack into your system who doesn't know or care who you are.
  So yes someone who is tracking me down can break in and steal my fingerprint. But that is very personal. Especially as such devices that read finger prints are mobile and are more often then not on my person. But if the data for my fingerprint is complex enough it will be hard via a brute force attack to get in.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
3. Re:Bad practice. by stazeii · 2015-11-10 11:18 · Score: 1
  
  This was my response. You also can't claim you forgot a fingerprint.
4. Re:Bad practice. by Anonymous Coward · 2015-11-10 11:18 · Score: 0
  
  How close are we to having eyeball scanning capable cameras in our devices?
5. Re:Bad practice. by DaHat · 2015-11-10 11:25 · Score: 5, Interesting
  
  You can't, but interesting things may be able to happen if you fail to disclose which finger will unlock the device.
  Maybe your right ring finger is what you use to login, but not having specific knowledge of which finger you actually use they have you try your thumb pointer finger... not knowing that your device treats that as a panic button and not only wipes out memory of the old finger print, but also remaining hope of them unlocking the device with or without your help.
  
  --
  Help Brendan pay off his student loans
6. Re:Bad practice. by MasseKid · 2015-11-10 11:25 · Score: 1
  
  Unless you wear gloves when you touch your mobile device, they generally steal your finger prints along with the device.
7. Re:Bad practice. by Cramer · 2015-11-10 11:34 · Score: 1
  
  Already there. Ever heard of "face unlock"?
8. Re:Bad practice. by Anonymous Coward · 2015-11-10 11:35 · Score: 0
  
  You can't, but interesting things may be able to happen if you fail to disclose which finger will unlock the device.
  Maybe your right ring finger is what you use to login, but not having specific knowledge of which finger you actually use they have you try your thumb pointer finger... not knowing that your device treats that as a panic button and not only wipes out memory of the old finger print, but also remaining hope of them unlocking the device with or without your help.
  Which device has the "wipe if Panic finger is swiped" feature?
9. Re:Bad practice. by viperidaenz · 2015-11-10 11:40 · Score: 2
  
  Any device that can perform different actions based on different finger prints?
10. Re:Bad practice. by behrooz0az · 2015-11-10 11:40 · Score: 2
  
  It will be patented by apple in the hour. Just watch the USPTO website for submissions.
  
  --
  Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
11. Re:Bad practice. by viperidaenz · 2015-11-10 11:42 · Score: 1
  
  Last time I checked "face unlock" didn't scan my retina
12. Re:Bad practice. by swillden · 2015-11-10 11:42 · Score: 4, Insightful
  
  Using a fingerprint for authentication is like using one unchangable password for every system. Bad practice!
  Complete nonsense.
  You're equating fingerprints with passwords. They're not passwords. Password security derives from the secrecy of the password. Anyone who knows the password can enter it, but we presume attackers can't enter it because they don't know it. Fingerprint security derives from the difficulty of presenting the known value to the sensor. Everyone knows your fingerprint (you leave them everywhere!), but we presume attackers can't enter it because they only have a picture of it, not a finger with it.
  In practice, making fake fingers is not terribly hard. But shoulder-surfing PINs is even easier. Which is more secure? That depends on who you're trying to protect your data from. The FBI absolutely will make fake fingers and unlock your phone, but they may not have an opportunity to shoulder surf a PIN. Advantage: PIN. Your suspicious girlfriend probably won't make fake fingers, but has ample opportunity to shoulder surf you. Advantage: fingerprint.
  Which is better for you? You decide.
  In practice for most people the choice isn't between fingerprint or password, it's between fingerprint or nothing, because a password is just too inconvenient. Advantage: Fingerprint, by a very, very large margin.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
13. Re:Bad practice. by tlhIngan · 2015-11-10 11:47 · Score: 3, Insightful
  
  And Apple actually treats fingerprints as less secure - the real reason you have fingerprint readers is because it lets you be more secure than the default no PIN or passcode on your phone. The problem of this is human - the typical use case for a phone is you access it thousands of times a day for a few seconds each time. Entering a PIN or passcode makes it so much less convenient that much fewer people (less than 50%) actually do it. But a fingerprint that can be read while the phone is waking up means it's ready to go when you are, and you can have a passcode because that goes out of the way most of the time. Even better, it can be a complex passphrase that you type out - if you're only doing it a few times, it's a lot less inconvenient.
  And that's why Apple justified the use of the fingerprint reader - it's less secure, but it's also way more convenient, and if you're not entering your password 1000 times a day, you're more likely to use it. Of course, some people go overboard with their passcodes...
  But Apple also realizes the fingerprint is not the be-all end all, hence the rules where if you reboot the phone, or not use it for 48 hours, Apple demands you enter the passcode. The passcode still rules, and if the fingerprint reader goes awry, you can still unlock with it.
14. Re:Bad practice. by Cramer · 2015-11-10 11:51 · Score: 1
  
  That's just because a full face is easier to present to the device. It can take a picture of your iris just as easily, if you put your face up to the camera. A retina scan can also be done with minimal gear -- to put your eyeball in the correct position and illuminate the retina.
15. Re:Bad practice. by Moof123 · 2015-11-10 11:51 · Score: 1
  
  Yep. And really, once you have someone or some organization focused on just you as one person you are pretty much F'ed with pedestrian level security. Various leaks have shown that most everything has been cracked and is only a few GUI clicks away from law enforcement via Hacking Team software (or other less known software).
  My guess is that even today it is harder for the big guys to crack fingerprints than employ pre-canned software to defeat just about anything.
16. Re:Bad practice. by Applehu+Akbar · 2015-11-10 12:03 · Score: 3, Insightful
  
  Your fingerprint is the best password you will actually use. I do residential IT services in an area heavy with retired people, and the biggest problem I face is forgotten passwords. It's not supposed to be good advice, but I tell all of them to write every password down in at least two non-obvious places, because otherwise they will be forgotten. I keep running into users who have no machine password, or "12345" because "I wouldn't remember it!"
  Better you think of a good password, and write it down.
17. Re:Bad practice. by ShanghaiBill · 2015-11-10 12:03 · Score: 1
  
  Last time I checked "face unlock" didn't scan my retina
  Most eyeball scanners scan your iris, not your retina. Iris scanning can be done with inexpensive digital cameras. Retinal scans require expensive custom equipment.
18. Re:Bad practice. by mattventura · 2015-11-10 12:10 · Score: 2
  
  I'd argue that a fingerprint is better specifically for phones, but falls flat in most other applications. iPhones have a touchID chip paired to the CPU, so they're extremely difficult to crack even if you have physical access. A well-done fingerprint system like touchID is great for the security of a local device. But it doesn't work well for anything remote, since a fingerprint can't be hashed which has numerous implications. It also can't be used directly as an encryption key.
  Also, it's one thing to peek at someone's 4-digit phone passcode over their shoulder. It's an entirely different thing to try to get someone's password which may be really long or have lots of symbols as they type it on a computer.
19. Re: Bad practice. by Anonymous Coward · 2015-11-10 12:11 · Score: 1
  
  Mac books with retina may be expensive but I wouldn't call them custom.
20. Re:Bad practice. by Anonymous Coward · 2015-11-10 12:14 · Score: 0
  
  Last time I checked "face unlock" didn't scan my retina
  What about your iris?
21. Re:Bad practice. by swillden · 2015-11-10 12:16 · Score: 1
  
  I agree, but would point out that using a fingerprint to unlock a strong key on a phone, then using that to authenticate to a remote server is quite strong.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
22. Re:Bad practice. by bobbied · 2015-11-10 12:18 · Score: 1
  
  Using a fingerprint for authentication is like using one unchangable password for every system. Bad practice!
  I have ten fingers, so it's not as bad as you think... Although, rotating though 10 passwords isn't all that secure either....
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
23. Re:Bad practice. by rsborg · 2015-11-10 12:21 · Score: 2
  
  Unless you wear gloves when you touch your mobile device, they generally steal your finger prints along with the device.
  Is this the case? I mean, every time I put my phone in my pocket, it cleans off my screen including the fingerprint sensor. I do that explicitly too, at least once a day too.
  The CCC hack on TouchID was using a high-DPI scanner and a perfect print. Good luck getting my finger prints off my oleophobic screen that touches cloth constantly.
  
  --
  Make sure everyone's vote counts: Verified Voting
24. Re:Bad practice. by KGIII · 2015-11-10 12:31 · Score: 2
  
  I've only been dating my girlfriend for like a month (I'm sure she knows the exact date). She already knows my phone pin. I don't mind. I told her. I wanted her to do something for me while I was driving.
  I don't actually have any secrets on my cell phone. :(
  If she wants to read my old texts then that's fine but I hope she deletes them for me when she's done. It'd be nice if she'd clear out my voice mail for me too, now that I think about it. Worst case? She finds out I have drunk and stoned friends. Oh no!!! I think she's already figured that out.
  I don't do any banking on my phone or anything. I do have a debit card that's attached to a separate account. She's taken my car (worth much more than I keep in that account) and gone to the store with the card and thus either knows or has known the pin. If she runs off with my car and the, at most, $10,000 in that particular account then the car's insured and she can just keep the money - it will be less than I'd have just given her over time. If it turns out she's the type of person to do such then I'll consider myself as having gotten off cheap.
  So, I guess, there's a point to having good security and a point to knowing what needs higher security and what risks you're willing to accept to accomplish a certain goal. Even my house requires a thumb print and a PIN. Well, or a key. If you just turn around and look up, you'll see the key hanging on the nail. My friends and the lady that cleans the house all know where the alarm box is and how to enter the PIN to turn that off before the alarm company is notified.
  Why? Well, one keeps my house clean and the rest are friends who mostly go to my house to escape from their wives and families for a little while. I'm not even home and, given that it is 7:30 at night, there's probably someone in my house right now. I could probably look and see who it is, there are cameras in that area. I am a geek, at heart, after all.
  It's about acceptable risks and what you want to accomplish. What are your goals, how much risk are you willing to give. I'd never rely on a fingerprint, exclusively, for anything important. It's fine for my house, that also needs a PIN. If not, there's a key if you turn around and look up. I'd rather you just use the key and steal my shit than break my door down and then steal my shit. It's insured.
  
  --
  "So long and thanks for all the fish."
25. Re:Bad practice. by swillden · 2015-11-10 12:31 · Score: 3, Informative
  
  Any device that can perform different actions based on different finger prints?
  None are on the market that I'm aware of. iOS and Android both intentionally avoid distinguishing between different enrolled fingers, because the average user would find it very confusing. I don't know if Microsoft has done the same for Windows phone, but if they haven't they were remiss in their user testing, or they'd have discovered the same issue.
  It seems likely that some future alternative Android ROMs will provide this feature.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
26. Re:Bad practice. by DaHat · 2015-11-10 12:36 · Score: 4, Interesting
  
  Any device that can perform different actions based on different finger prints?
  And how many is that? Somehow I don't imagine Apple building such an explicitly anti-law enforcement feature. Maybe with a sufficiently jail broken device you could rig something.
  Any multi-user OS which supports a finger print reader for log-in is an easy candidate to do this yourself. You have your normal account, one or two for the kids and your spouse and one for your dog fluffy... one of which you have bound to your panic finger, which when logged into for the second time (the first being when you configure it) it executes a script or three which clears the TPM, overwrites a few key sectors of the HD and then reboots.
  
  --
  Help Brendan pay off his student loans
27. Re:Bad practice. by alvinrod · 2015-11-10 12:49 · Score: 4, Informative
  
  Actually they're about a year and a half ahead of you apparently: http://www.macrumors.com/2015/11/05/apple-patents-touch-id-panic-mode/
28. Re:Bad practice. by Anonymous Coward · 2015-11-10 13:10 · Score: 0
  
  >fingerprint better for phones
  Tell that to the guy who got caught cheating on his girlfriend when she unlocked his phone with his finger while he was drunk and asleep.
29. Re:Bad practice. by myowntrueself · 2015-11-10 13:11 · Score: 1
  
  In practice, making fake fingers is not terribly hard. But shoulder-surfing PINs is even easier. Which is more secure? That depends on who you're trying to protect your data from. The FBI absolutely will make fake fingers and unlock your phone, but they may not have an opportunity to shoulder surf a PIN. Advantage: PIN. Your suspicious girlfriend probably won't make fake fingers, but has ample opportunity to shoulder surf you. Advantage: fingerprint.
  The reasoning goes; you can change your PIN every day, even several times per day. Fingerprints not so much. Advantage PIN.
  
  --
  In the free world the media isn't government run; the government is media run.
30. Re:Bad practice. by Mashiki · 2015-11-10 13:23 · Score: 3, Insightful
  
  Is this the case? I mean, every time I put my phone in my pocket, it cleans off my screen including the fingerprint sensor. I do that explicitly too, at least once a day too.
  Sure, since you probably forget to clean the underside of the back panel and battery as well. Your fingerprints are likely on there somewhere, and if someone really wants your print and device and you are careful they'll likely follow you and wait for you to leave something behind that'll give a great print. Like a piece of paper, glass, can, other portable hard surface or even go digging through your trash for it.
  Fingerprints are a shit security measure.
  
  --
  Om, nomnomnom...
31. Re:Bad practice. by Bender0x7D1 · 2015-11-10 13:39 · Score: 1
  
  However, if someone renders you unconscious, they can take your hand and unlock your phone - and you'll have no idea whether you were robbed in the normal sense, or robbed and forced to unlock your device (which might have your saved banking and credit card passwords).
  Of course, the real solution is to decide who/what you need to protect against and plan for that. If you are worried about someone in your family that could take advantage of you when you are exhausted, sick or inebriated - then a password is better. Protection against regular criminals - a fingerprint is probably the way to go. Someone targeting you, who is willing to commit assault to get what they want - a password might be better. Unless they would hit you with a $5 wrench to get your password. In that case you are pretty much screwed.
  
  --
  Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
32. Re:Bad practice. by davester666 · 2015-11-10 15:22 · Score: 3, Informative
  
  I think Apple just applied for or received a patent on doing this.
  http://9to5mac.com/2015/11/05/iphone-panic-mode-touch-id/
  
  --
  Sleep your way to a whiter smile...date a dentist!
33. Re:Bad practice. by Copid · 2015-11-10 16:54 · Score: 1
  
  Iris scanning works somewhat in the visible range, but you really want to be working in the near IR range for good results (especially with brown eyes). It's also tough to get enough pixels across the iris with even fairly high res face capture. Definitely not with the selfie camera on the same side as the screen.
  
  But you're right, retinal scanning has been basically dead for a long time.
  
  --
  An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
34. Re: Bad practice. by Anonymous Coward · 2015-11-10 18:41 · Score: 0
  
  Yeah, because after watching you unlock the phone a gazillion times she will not have a good idea of what your pin is.
35. Re: Bad practice. by Aethedor · 2015-11-10 19:46 · Score: 1
  
  You're equating fingerprints with passwords.
  No, I'm not. I'm comparing the usage of both in relation to the level of security they offer. Totally different.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
36. Re: Bad practice. by brunes69 · 2015-11-10 20:18 · Score: 2
  
  You can do this with any rooted android device and tasker.
  And the first thing anyone who cares about security does with an Android device is root it and install their own ROM that is free of carrier encumberances and spyware.
37. Re: Bad practice. by brunes69 · 2015-11-10 20:25 · Score: 1
  
  For one the back of a phone is ALSO wiped clean every time you put it in your pocket.
  For two unless you hold your phone very strangely, you won't have thumb prints anywhere but the keyboard and home buttons.
  Finally even if you did, good luck getting a clean grab and it HAOPENING to be the right print. Oh and did wrong mention yet that after 5 failed attempts the device locks.
38. Re:Bad practice. by Anonymous Coward · 2015-11-10 20:32 · Score: 0
  
  Every one that can handle multiple users?
39. Re:Bad practice. by rsborg · 2015-11-10 20:33 · Score: 1
  
  Is this the case? I mean, every time I put my phone in my pocket, it cleans off my screen including the fingerprint sensor. I do that explicitly too, at least once a day too.
  Sure, since you probably forget to clean the underside of the back panel and battery as well. Your fingerprints are likely on there somewhere, and if someone really wants your print and device and you are careful they'll likely follow you and wait for you to leave something behind that'll give a great print. Like a piece of paper, glass, can, other portable hard surface or even go digging through your trash for it.
  Fingerprints are a shit security measure.
  Sure, they're welcome to, on my porous leather or plastic cases. If they're following me around and can get a lab-quality print from the many glass surfaces I frequently grope, then more power to them. I'm pretty sure it's easy to turn that into a latex milk finger mask (no, really, how hard could it be?).
  
  --
  Make sure everyone's vote counts: Verified Voting
40. Re:Bad practice. by Anonymous Coward · 2015-11-10 20:40 · Score: 0
  
  Security guru Bruce Schneier recommends writing your password down:
  "Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
  https://www.schneier.com/blog/archives/2005/06/write_down_your.html
41. Re:Bad practice. by Anonymous Coward · 2015-11-10 20:45 · Score: 0
  
  I'd argue that a fingerprint is better specifically for phones
  You clearly never carried your phone in a country where bad guys carry machetes.
42. Re:Bad practice. by bytesex · 2015-11-10 20:49 · Score: 2
  
  Are any such devices protected against cloning?
  
  --
  Religion is what happens when nature strikes and groupthink goes wrong.
43. Re: Bad practice. by swillden · 2015-11-10 21:30 · Score: 3, Informative
  
  You can do this with any rooted android device and tasker.
  No, it would require changes to the system, because the fingerprint subsystem doesn't expose the finger ID to the framework. The HAL API reports the finger ID to fingerprintd, but that doesn't report it further up the call stack.
  So you'd to modify fingerprintd to return the finger ID, change the Binder API between fingerprintd and the framework, and modify the framework to report it as well. Or I suppose you could hack fingerprintd to write the last-authenticated FP ID to a file and then allow apps that want to know which finger was used to read it. That would involve poking a few other holes in the security architecture, but would be the easy brute force way.
  
  And the first thing anyone who cares about security does with an Android device is root it and install their own ROM that is free of carrier encumberances and spyware.
  Or just buys a Nexus device and (optionally) refuses the various questions asked during setup about providing data to Google.
  BTW, be very careful with rooting, and I recommend absolutely refusing any rooting solution that involves disabling SELinux. It's up to you, but poking large holes in the security model does significantly damage your device security.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
44. Re: Bad practice. by swillden · 2015-11-10 21:33 · Score: 1
  
  You're equating fingerprints with passwords.
  No, I'm not. I'm comparing the usage of both in relation to the level of security they offer. Totally different.
  No, you're not comparing security levels, because you're talking about rotation and authenticator secrecy. Both of those concepts are completely irrelevant to biometric security, which means that you're completely misunderstanding how biometric security works, and also the ways in which it doesn't work. Please read my post; it offers an accurate assessment of relative security levels, with a correct understanding of the processes and security models underlying both.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
45. Re:Bad practice. by swillden · 2015-11-10 21:46 · Score: 1
  
  You didn't read my post. Rotation is irrelevant to biometric security.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
46. Re:Bad practice. by sociocapitalist · 2015-11-10 22:07 · Score: 1
  
  You can't, but interesting things may be able to happen if you fail to disclose which finger will unlock the device.
  Maybe your right ring finger is what you use to login, but not having specific knowledge of which finger you actually use they have you try your thumb pointer finger... not knowing that your device treats that as a panic button and not only wipes out memory of the old finger print, but also remaining hope of them unlocking the device with or without your help.
  Unless they lift even a partial print off the phone button first, to check against your available digits.
  
  --
  blindly antisocialist = antisocial
47. Re: Bad practice. by Aethedor · 2015-11-11 00:27 · Score: 1
  
  which means that you're completely misunderstanding how biometric security works, and also the ways in which it doesn't work
  Haha, sure dude. Whatever.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
48. Re: Bad practice. by AmiMoJo · 2015-11-11 00:45 · Score: 2
  
  You can do it with the Android multiple user feature. Android lets you have more than one user on a device, each with their own fingerprints. Just set one dummy user up with a Tasker script that wipes the phone (needs root) and register a finger for it.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
49. Re:Bad practice. by AmiMoJo · 2015-11-11 00:53 · Score: 1
  
  Yes. You can clone the flash memory easily enough, but the encryption key is stored in a protected area of the SoC. Different manufacturers have different protections, but they usually involve tamper-proofing the chip so that attempts to decap it result in the key being erased. It may be possible to defeat them, but it's probably way beyond what the police have and what most security services are willing to reveal.
  Without the encryption key the flash memory won't reveal anything. When you erase the phone, it doesn't usually bother wiping the flash, just the protected encryption key storage.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
50. Re:Bad practice. by azcoyote · 2015-11-11 01:30 · Score: 1
  
  So in effect, the real weakness of fingerprints is not their non-hashability, but the fact that they are inherently linked with the user/owner. In the same way if you found a key in a hotel parking lot it would do you no good, but if that key had "Room 143" written on it, then its security is broken. Your fingerprint is harder to disassociate with yourself than a key or password. Someone pointed out above that you cannot tell someone that you forgot your fingerprint. Likewise, someone could always steal your fingerprint from objects you touch and have a reasonable certainty that that indeed is your fingerprint.
  But this means that fingerprints suffer intrinsically from the same defect that incidentally affects guessable passwords. Most people create passwords that are in some way symbolically associated with their own identity (birthdates, names, etc.). Thus, in a sense, fingerprints are beneficial in certain low-security situations not only because they are more convenient, but also because the kinds of passwords or PINs that they generally replace suffer from the same weakness as fingerprints anyway.
  
  --
  Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
51. Re:Bad practice. by samkass · 2015-11-11 02:03 · Score: 1
  
  I agree, but would point out that using a fingerprint to unlock a strong key on a phone, then using that to authenticate to a remote server is quite strong.
  It gets even better than this with iOS 9. iOS 9 paired with any iPhone in the last couple years can generate a public/private key pair where the private key is stored in the Secure Enclave. (For those not aware, this is an area of the chip with write-only access and its own coprocessor. The only thing you get out of it is verification. It's physically impossible to read the data via software.) The secure enclave has existed since TouchId was introduced two years ago, but with the new public/private key system you can validate a challenge-response query from a server with TouchId. Basically, the server sends a packet, the phone unlocks the keychain with TouchId, signs it, and the server then verifies the signature with a previously-onboarded public key.
  Yes, it is theoretically possible to lift a fingerprint from a glass and manufacture a fake finger to unlock a phone. But then you need the physical phone, and need to keep it from getting remote wiped. That's usually a state actor situation, so I guess it depends on who you're trying to protect yourself from.
  
  --
  E pluribus unum
52. Re:Bad practice. by Culture20 · 2015-11-11 02:33 · Score: 1
  
  The problem with fingerprints as "passwords" is you're "writing" them down everywhere you go. They're all over your house, and even on the devices you use them to unlock.
53. Re:Bad practice. by Rob+Y. · 2015-11-11 03:29 · Score: 1
  
  If this is the case, it would be nice to have a feature that lets you use your fingerprint to re-unlock your phone within a certain time limit of unlocking it with the passcode, but not to unlock an idle device.
  I occasionally disable my passcode for times when I'm holding the phone, but not actively using it, but want a quick wake up feature when a notification comes in. This is mostly useful for silly stuff like an ongoing game of Words with Friends - or for an ongoing text chat. Another nice option would be a variant on the Android Lollipop notification system that would allow you to designate certain apps (like WWF) that can be accessed from their lockscreen notifications without unlocking. Android already has a 'pin a single app' mode. All they'd need would be for a way to access this directly from the lock screen for apps you enable it for.
  
  --
  Posted from my Android phone. Oh, I can change this? There, that's better...
54. Re:Bad practice. by Applehu+Akbar · 2015-11-11 03:32 · Score: 1
  
  That's why you wouldn't want to use your fingerprint for root access, or for online access to your bank. But for making individual store purchases, or for logging on to your mobile device, or as part of a two-factor logon, it's ideal.
55. Re:Bad practice. by myowntrueself · 2015-11-11 03:39 · Score: 1
  
  You didn't read my post. Rotation is irrelevant to biometric security.
  You can try to make it irrelevant but thats just because its not possible. The problem is that rotation actually is relevant to security.
  
  --
  In the free world the media isn't government run; the government is media run.
56. Re:Bad practice. by Anonymous Coward · 2015-11-11 04:32 · Score: 0
  
  Girlfriend shoulder-surfs you -- Solution: Change PIN
  Girlfriend gets a hold of your fingerprint -- Solution: Chop off finger and get a replacement
57. Re:Bad practice. by MrSteveSD · 2015-11-11 04:33 · Score: 1
  
  Using a fingerprint for authentication is like using one unchangeable password for every system. Bad practice!"
  A password you also leave imprinted on anything you touch.
58. Re:Bad practice. by cellocgw · 2015-11-11 05:35 · Score: 1
  
  The problem with fingerprints as "passwords" is you're "writing" them down everywhere you go.
  Not to mention that those of us with current or previous government security clearances, or arrests, could have our machines unlocked by anyone with access to TLA or police fingerprint files.
  
  --
  https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
59. Re:Bad practice. by david_thornley · 2015-11-11 07:10 · Score: 1
  
  Good luck to them. I've gotten my iPhone unlocked with a fingerprint three times in two years.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
60. Re:Bad practice. by swalve · 2015-11-11 09:15 · Score: 1
  
  Fingerprint is fine for 99% of the uses out there. If you are in the 1% for which it is not, you probably know that a fingerprint is just part of a solution. It is a quick and easy way to assert identity. Nobody is going to pull a fingerprint off of a phone case and rig up some kind of prosthesis just to read your text messages.
61. Re:Bad practice. by Dixie_Flatline · 2015-11-11 09:27 · Score: 1
  
  My partner and I have enrolled one of each other's fingers on each device. If there's an emergency or I die or something, I want her to have access to my stuff. That's also why my master password lives in her 1Password vault and vice-versa. Too much of my life is governed by this stuff to have it non-retrievable.
62. Re:Bad practice. by KGIII · 2015-11-11 10:36 · Score: 1
  
  That's not a bad idea. I have a form that I fill out and make changes to, I then print it, save a copy in my safe, and email the form to my liar. Err.. Lawyer.
  
  --
  "So long and thanks for all the fish."
63. Re:Bad practice. by swillden · 2015-11-12 00:35 · Score: 1
  
  It gets even better than this with iOS 9. iOS 9 paired with any iPhone in the last couple years can generate a public/private key pair where the private key is stored in the Secure Enclave.
  Android devices with hardware-backed keystore provide something similar. Starting with Marshmallow you can bind a hardware-backed key to either password or fingerprint, so it can only be used with user authentication. I'm the lead engineer for that stuff on the Android team, so I can answer any questions you may have about it.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
64. Re:Bad practice. by swillden · 2015-11-12 00:36 · Score: 1
  
  You still didn't read my post. It's really not relevant, and wouldn't be relevant even if it were possible. Rotation matters for secrets. Fingerprints are not secrets.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
65. Re: Bad practice. by swillden · 2015-11-12 00:37 · Score: 1
  
  which means that you're completely misunderstanding how biometric security works, and also the ways in which it doesn't work
  Haha, sure dude. Whatever.
  Yeah, math is hard. Let's go shopping.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
66. Re: Bad practice. by swillden · 2015-11-12 00:53 · Score: 1
  
  You can do it with the Android multiple user feature. Android lets you have more than one user on a device, each with their own fingerprints. Just set one dummy user up with a Tasker script that wipes the phone (needs root) and register a finger for it.
  Interesting. When you unlock the device you have to first specify which user, so the process would be "swipe down, tap dummy user, then authenticate with finger". But that's pretty close to having a duress finger.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
67. Re:Bad practice. by Anonymous Coward · 2015-11-12 10:02 · Score: 0
  
  A jailbroken iOS device will do this.
  I have the exact same set up - a "panic print" if you will.
  Captcha: forbids
Fingerprints are public information by NotInHere · 2015-11-10 10:58 · Score: 4, Insightful

They aren't some super secret thing you try to keep secret from everybody. You not just leak your DNA everywhere, you leak your fingerprints too. And unlike passwords, you can't just simply change them.
1. Re:Fingerprints are public information by swillden · 2015-11-10 11:30 · Score: 4, Interesting
  
  They aren't some super secret thing you try to keep secret from everybody. You not just leak your DNA everywhere, you leak your fingerprints too. And unlike passwords, you can't just simply change them.
  Correct. The security of fingerprints, like all biometrics, derives not from the secrecy of the data (because it's not secret, particularly not your fingerprints), but because of the difficulty of providing someone else's data to the sensor.
  In an ideal world, with a sensor that is able to distinguish with 100% accuracy whether the finger (or whatever) it's being presented is real, live and attached to the person who is trying to authenticate, that would be really hard. In the real world, with the sensors on typical consumer devices, and in an unsupervised environment (i.e. no security guard watching to check that you aren't trying anything funny), it's really not very hard at all. Anyone who cares to can watch a YouTube video, spend $20 at the local hobby shop to get the materials, and spend a couple of hours turning an image of a fingerprint into a gummi finger which will fool most sensors. However, that doesn't mean it's worthless. It only means it's worthless against someone who is willing to do that.
  Compare this to a more common mobile device authentication method: a four-digit PIN. It's rather easy to shoulder surf a four-digit PIN, especially with the assistance of smudges, and particularly if you're a friend or family member of the target. In practice, friends and family members are the most common unwanted intruders on mobile devices. Against a typical person, who isn't likely to mess around with lifting prints and manufacturing fake fingers, a fingerprint -- weak as it is in absolute terms -- is stronger than a PIN or Android pattern.
  Even more important, many people find a PIN, pattern or password simply too cumbersome to use. Android's Smart Lock helps, by enabling the device to apply rules to determine when the device has probably not left your possession and to stay unlocked longer in those cases, but even that's too inconvenient for many. So that majority of mobile device users (on devices without FP scanners) don't use any lockscreen at all.
  Having no lockscreen is far less secure than fingerprint authentication, in case anyone is unclear about that.
  Thus, for people who would otherwise use no security, the extreme speed and convenience of a good fingerprint scanner makes it feasible to protect their devices. That's a big win for those people, even if someone messing with etching compounds and wood glue can get past it.
  IMO, the biggest problem with the current crop of mobile fingerprint sensors isn't the devices, sensors or software, it's the users' perception of them as very high security. They're not. They're relatively weak, but highly convenient security. As long as people don't expect too much from them, they're awesome.
  So, the bit about fingerprint template storage security is much ado about nothing. The new Android fingerprint subsystem (which I worked on) does a decent job. Templates are encrypted with keys that are inaccessible to the Android OS and kernel, and the matching of livescans against templates is likewise done where even a completely-compromised kernel can't alter or interfere. But that's actually not because templates are highly sensitive data. It's partly just good security hygiene and partly because the hardware-backed keystore can rely on fingerprint authentication to unlock secrets, and it doesn't make sense for it to simply trust the regular Android OS... since the reason that stuff is done in the secure context is so that compromises of the regular OS can't muck with it.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
2. Re:Fingerprints are public information by Anonymous Coward · 2015-11-10 11:42 · Score: 0
  
  I don't understand one thing. You mention that the matching of livescans against templates is done in an area which can't be altered or interfered with. And yet, at some point that hardware (I'm assuming it's all hardware) must send a positive signal to the software that it's OK to unlock the screen.
  Surely I could compromise the code that accepts that signal to simply always be a positive signal? I mean, every security, privacy, and piracy measure comes down to a simple yes/no question that must be received by software, which can be rewritten to always be yes.
  Problem is, at some point, there's an interface between the hardware and the software, and I have access to the software, and can rewrite it to always get a positive from the hardware, effectively ignoring the actual result sent from the hardware.
  Or am I completely off base here?
3. Re:Fingerprints are public information by BeerCat · 2015-11-10 11:50 · Score: 1
  
  IMO, the biggest problem with the current crop of mobile fingerprint sensors isn't the devices, sensors or software, it's the users' perception of them as very high security. They're not. They're relatively weak, but highly convenient security. As long as people don't expect too much from them, they're awesome.
  Just a pity that many of the advocates of biometrics have convinced themselves (and hence aim to convince others) that they are high security, rather than convenient security.
  
  --
  "She's furniture with a pulse"
4. Re:Fingerprints are public information by swillden · 2015-11-10 12:10 · Score: 4, Informative
  
  I don't understand one thing. You mention that the matching of livescans against templates is done in an area which can't be altered or interfered with. And yet, at some point that hardware (I'm assuming it's all hardware) must send a positive signal to the software that it's OK to unlock the screen.
  Yup.
  
  Surely I could compromise the code that accepts that signal to simply always be a positive signal?
  Certainly... except for other code running in the area which can't be altered or interfered with.
  This is the reason that Android 6.0's fingerprint matching is required to be done in the Trusted Execution Environment (TEE), because that matching signal is used not just by the regular OS to unlock your screen, but also by other code in the TEE to unlock access to cryptographic keys which are presumably used to protect the most important stuff on your phone.
  For example, using the new features in Android Marshmallow's hardware-backed keystore (especially this one, your bank's app could set up an ECDSA signing key that is used to authenticate to their servers, providing access to your banking information. That key could be configured to be unlocked by your fingerprint. If the fingerprint matching were provided in the regular OS then any compromise of the regular OS would enable access to your bank account, because the TEE-based ECDSA key would be relying on a signal from the regular OS to tell it to unlock the key. But because the TEE-based ECDSA key relies on a signal from the TEE-based fingerprint matcher, a compromise of the regular OS won't get the attacker in to your bank account (not unless you're around to put your finger on the scanner).
  FYI, for Marshmallow the password authentication has also been moved into the TEE, and TEE-based keys can also be access controlled with password auth. So your bank could do the same sort of thing, but require you to enter your device password rather than present a fingerprint.
  
  Or am I completely off base here?
  Nope, what you said made perfect sense, you were just missing some pieces.
  I should mention that for Android 6.0 the Compliance Definition Document (which specifies what it means to be Android) makes all of the TEE stuff "strongly recommended", but not "mandatory" for Marshmallow devices. However, it is all mandatory for devices that have fingerprint readers. The CDD also warns that it will become mandatory for N. In spite of not being mandatory for Marshmallow, though, it looks like nearly all major device vendors will have the new TEE stuff in their new devices (those launching with Marshmallow).
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
5. Re:Fingerprints are public information by ShanghaiBill · 2015-11-10 12:14 · Score: 1
  
  Problem is, at some point, there's an interface between the hardware and the software, and I have access to the software, and can rewrite it to always get a positive from the hardware
  If you have physical access to the hardware and the software then NO authentication is effective. There is no such thing as a secure device in hostile hands.
  
  Or am I completely off base here?
  Yes. Authentication schemes are designed assuming that random people do not have access to the communications between an ATM and the bank. That is generally a valid assumption.
6. Re:Fingerprints are public information by swillden · 2015-11-10 12:26 · Score: 1
  
  Problem is, at some point, there's an interface between the hardware and the software, and I have access to the software, and can rewrite it to always get a positive from the hardware
  If you have physical access to the hardware and the software then NO authentication is effective. There is no such thing as a secure device in hostile hands.
  In an absolute sense, this is true. But in practice it's false.
  There are many different degrees of capability among attackers. Your kid sister will be defeated by just about anything. The NSA can penetrate virtually anything. In between, there are lots of gradations, and it is useful to deploy various levels of countermeasures that make the more important on-device secrets harder to access.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
7. Re:Fingerprints are public information by dgatwood · 2015-11-10 15:22 · Score: 1
  
  Anyone who cares to can watch a YouTube video, spend $20 at the local hobby shop to get the materials, and spend a couple of hours turning an image of a fingerprint into a gummi finger which will fool most sensors. However, that doesn't mean it's worthless. It only means it's worthless against someone who is willing to do that.
  The problem is, the fingerprint is already on the scanner, so there's probably a way to do it with a lot less effort. We just don't know what it is yet.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
8. Re:Fingerprints are public information by Anonymous Coward · 2015-11-10 20:52 · Score: 0
  
  the finger (or whatever) it's being presented is real, live and attached to the person who is trying to authenticate, that would be really hard
  Unless you are protecting the nuclear launch codes (google 00000000), the device realizing whether or not your finger is still alive and attached to you doesn't matter. For anything other than those launch codes, your finger is worth more than your device.
  When the bad guy with the machete fails to unlock your phone with your cut off finger, you are not going to praise the security off your phone. Especially not when you realize that he thinks the reason it doesn't work is that he cut off the wrong finger...
9. Re:Fingerprints are public information by swillden · 2015-11-10 21:45 · Score: 1
  
  Anyone who cares to can watch a YouTube video, spend $20 at the local hobby shop to get the materials, and spend a couple of hours turning an image of a fingerprint into a gummi finger which will fool most sensors. However, that doesn't mean it's worthless. It only means it's worthless against someone who is willing to do that.
  The problem is, the fingerprint is already on the scanner, so there's probably a way to do it with a lot less effort. We just don't know what it is yet.
  Meh.
  This isn't new technology, and people have been playing with breaking it for quite a long time. It's always possible that someone will come up with a brilliant and dramatically-easier way -- but, really, the gummi finger is pretty darned easy, so the bar for better breaks is high (or low, depending on your perspective) -- but it seems unlikely. And if it does, it will just revise the scaling a bit, not fundamentally change the analysis.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
10. Re:Fingerprints are public information by swillden · 2015-11-10 21:47 · Score: 1
  
  the finger (or whatever) it's being presented is real, live and attached to the person who is trying to authenticate, that would be really hard
  Unless you are protecting the nuclear launch codes (google 00000000), the device realizing whether or not your finger is still alive and attached to you doesn't matter. For anything other than those launch codes, your finger is worth more than your device.
  Liveness matters mostly because liveness seems to be the easiest way to validate "realness". All of the best up-and-coming technologies for detecting fake fingers focus on detecting liveness.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
What does this mean for biometrics in general? by haruchai · 2015-11-10 11:00 · Score: 1

Your palm print or retina scan would have the same limitations.

--
Pain is merely failure leaving the body
1. Re:What does this mean for biometrics in general? by Anonymous Coward · 2015-11-10 11:04 · Score: 5, Insightful
  
  It means that biometrics should be the username, not the password.
2. Re:What does this mean for biometrics in general? by Anonymous Coward · 2015-11-10 11:19 · Score: 1
  
  Mod +5 informative. /thread
  New topic: Let's explore why the living fuck anyone who knows anything about electronic/computer security would even seriously consider something so fucking stupid and why laypersons consistently ignore our advice and refuse to learn things like how to use Enigmail or even the very, very, very fucking basics like what a public key is, the reason to collect them or have a repository, what a private key is, and the reason this is better than remembering 10 different passwords that dumbtarded IT policies force them to change every 10 days.
  My hypothesis. People love the fingerprint idea and iris scanners and such because they're plastered all over sci-fi. It also has a personal feel. One friends recognize one, and now computers can do the same! People want futuristic tech, and they're allergic to learning. They've been brainwashed by Hollywood for the past 20 years that fingerprint and iris scanners are the way of the future, and K-12 "education" is just a ritual form of child abuse that parents feel obligated to do to their children because their parents did it to them (most of the time, this is how child abuse keeps on going like the Energizer bunny).
  (Higher "education" being entirely about being a member of an exclusive club. Merit-based admissions is just a temporary mistake that will go away as the Aristocracy asserts itself once again. Nobody is supposed to actually "learn" something, that's just for NEEEEEEERDs!)
  This is why Johnny can't encrypt. He wants an iris scanner just like in all those sci-fi movies. Those public/private keypair thingies are just for NEEEEEEERDs!
  (Read NERD like Piccolo from DBZ abridged.)
3. Re:What does this mean for biometrics in general? by Anonymous Coward · 2015-11-10 11:22 · Score: 0
  
  Same AC here. Holy cow, that was a grammar catastrophe! Should have used preview! Eh, not like I care. Slashdot is just for trolling anymore. The meaningful discussions have moved to the blue and red sites.
  Grammar Nazis, attack!
4. Re:What does this mean for biometrics in general? by Anonymous Coward · 2015-11-10 11:43 · Score: 2, Funny
  
  Same AC here: Disregard that, I suck cocks.
5. Re:What does this mean for biometrics in general? by glenebob · 2015-11-10 11:59 · Score: 4, Insightful
  
  You don't think it has anything to do with an utter pain in the ass it is to keep track of user/password and private/public key pairs, vs how simple a bio-scan is?
  Bio-scans are easy to understand in practice. You walk up to a thing and touch it/look at it, and you're in. That's the appeal.
6. Re:What does this mean for biometrics in general? by swillden · 2015-11-10 12:15 · Score: 2
  
  It means that biometrics should be the username, not the password.
  No. This is just as wrong as viewing a fingerprint as a password. Biometrics make lousy identifiers. You still need to use a username when authenticating with a biometric. Biometrics work fine as authenticators but they work completely differently from passwords.
  I went into detail here.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
7. Re:What does this mean for biometrics in general? by Anonymous Coward · 2015-11-10 18:55 · Score: 0
  
  I wish I wasn't an AC here, but dang it, I felt the need to respond.
  
  It means that biometrics should be the username, not the password.
  No. This is just as wrong as viewing a fingerprint as a password. Biometrics make lousy identifiers.
  What? They make fine identifiers, when compared to the other option, entering your user name or id into a box. It's perfectly fine to view some biometric data as user identification. It's not fine to view that same data as authentication, simply because it doesn't prove the user is who he claims to be. The biometric data says "this is who I claim to be", something else needs to be there to say "and this is how I can prove it".
  
  You still need to use a username when authenticating with a biometric.
  If you really did work in the industry as you say, then you know this isn't true. I've written code and done multiple integrations for fingerprint sensors on embedded devices, many of which had no "username" tied to them. The LG eXpo had no username. The Moto Atrix had no username (initially). Parental control TV remotes often have no concept of a username. Safe locks have no concept of a username.
  
  Biometrics work fine as authenticators but they work completely differently from passwords.
  What? No, they are terrible authenticators. That's why they call this biometric _identification_. That's why you'll see the word 'identify' used to describe matching across a population.
  They make terrible authenticators because they are public information, much like your username. Anyone can type in your username at a 'Windows' prompt to try and identify themselves as you. It takes some piece of private information (like your password) to authenticate.
  Identification can happen when we're given many samples and need to single out one (or two). Authentication can happen when you present some private thing that others are not allowed to know, possess or access. There's a HUGE difference here, and putting forth fingerprints as an acceptable authentication mechanism -- this is bound to fail, even with anti-spoofing efforts in place. The only reason that it's acceptable now is that it's more difficult to make a spoof than it is to type in common PINs and passwords to 'hack' in to a device. .. and wait a minute here. Didn't you say that fingerprint biometrics as an identifier was "just as wrong as viewing a fingerprint as a password." ... and yet you go on to say that fingerprints "work fine as authenticators". Really? All fingerprint matches have a FAR less than 100%. Do you really want an authenticator that works less than 100% of the time? Someone might shoulder surf your password, but when he types it in, in most cases he has to type it in 100% correctly.
  You do seem reasonably intelligent, but the positions that you've taken here are misguided.
8. Re:What does this mean for biometrics in general? by swillden · 2015-11-10 21:42 · Score: 4, Interesting
  
  I wish I wasn't an AC here, but dang it, I felt the need to respond.
  
  It means that biometrics should be the username, not the password.
  No. This is just as wrong as viewing a fingerprint as a password. Biometrics make lousy identifiers.
  What? They make fine identifiers, when compared to the other option, entering your user name or id into a box. It's perfectly fine to view some biometric data as user identification.
  Nope. You're wrong.
  The birthday paradox is deadly to biometric identification on large-scale systems. It's okay on small systems with relatively few users, but scale it up and it simply doesn't work unless (as many systems do) you also apply some other disambiguating information, like a phone number or an identifier of some sort or statistical modeling to narrow the set of likely candidate templates. Well, unless you're okay with lots of false positives. Put 50K people in one system and identify them by fingerprint only, and virtually anyone who walks up will be identified as someone, and many people in the system will frequently get identified as someone else.
  
  It's not fine to view that same data as authentication, simply because it doesn't prove the user is who he claims to be. The biometric data says "this is who I claim to be", something else needs to be there to say "and this is how I can prove it".
  Nope. Assuming you already have a claim of identity (i.e. a username), a biometric provides a decent proof of that identity. How strong that proof is depends on the context and the procedures. For an extreme example (from a system I actually built), if there's an armed guard examining your finger for evidence of fakery, then it's actually very strong. On a mobile device, not so much, but it's still useful. See the other post I linked.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
9. Re:What does this mean for biometrics in general? by Anonymous Coward · 2015-11-11 03:26 · Score: 0
  
  Same AC here; I think everybody's right - except me, so just forget I said anything.
10. Re:What does this mean for biometrics in general? by Anonymous Coward · 2015-11-11 04:37 · Score: 0
  
  Same AC here: I love being bipolar, it sucks!
Vulnerable to brute force attacks by plopez · 2015-11-10 11:03 · Score: 1

Am I the only one who immediately thought of amputation?

--
putting the 'B' in LGBTQ+
1. Re:Vulnerable to brute force attacks by Anonymous Coward · 2015-11-10 11:09 · Score: 0
  
  As opposed to 30 seconds with a Butane powered gas soldering iron on their fingers to extract a persons passwords.
  Passwords etc are only to keep honest people out, those that want to break in...WILL.
It doesn't matter... by beelsebob · 2015-11-10 11:04 · Score: 4, Interesting

The question isn't "is a fingerprint more secure than a password", it's "is a fingerprint more secure than no security". Most phone users didn't have any password on their device. Adding a fingerprint secured those devices.
1. Re:It doesn't matter... by peragrin · 2015-11-10 11:09 · Score: 1
  
  Not only that depending on the setup it should be the daily use, but not the secure use.
  iOS 9 at least the fingerprint reader has a 48 hour lock code requirement. use the finger print scanner only to unlock your phone and once every 48 hours it asks you to unlock it with the passcode in addition to the number of tries to break.
  just do not willing unlock your phone. even if they drug you they will hit one of the two limits before unlocking the phone.
  
  --
  i thought once I was found, but it was only a dream.
2. Re:It doesn't matter... by Anonymous Coward · 2015-11-10 11:13 · Score: 0
  
  Indeed, surely it is more secure than my 4 digit numeric PIN I used to use instead.
3. Re:It doesn't matter... by Anonymous Coward · 2015-11-10 11:29 · Score: 0
  
  Indeed. iOS really does take the right step here, and uses it as a matter of convenience only. I do not like putting my completely random 16 character password in every time I want to use my phone, but I *do* want it to keep adversaries out of my phone in case something happens.
4. Re:It doesn't matter... by Anonymous Coward · 2015-11-10 11:35 · Score: 0
  
  THIS!
  Fingerprints are about getting SOME security and getting a lot of convenience. They are perfect for devices that have data you do not want to be easily accessible, not for data that actually needs a high-level of protection.
5. Re:It doesn't matter... by amicusNYCL · 2015-11-10 11:44 · Score: 2
  
  It doesn't matter...
  It does though.
  
  The question isn't "is a fingerprint more secure than a password"
  It is, that is actually the question that this article is attempting to answer, and also to prove. And they helpfully answer it right in the first paragraph: But you know what’s worse than a password? A fingerprint.
  
  it's "is a fingerprint more secure than no security"
  No one is asking that question, because it's a stupid question.
  
  Most phone users didn't have any password on their device. Adding a fingerprint secured those devices.
  No, it didn't. In fact, the title of The Fucking Article makes that pretty clear:
  YOUR UNHASHABLE FINGERPRINTS SECURE NOTHING
  Your fancy phone is not "secure" because you put your fingerprint on it. It's still not secure, it still takes $5 and a few hours to replicate your fingerprint and have a master key to your device. Is it "more secure" than having no security at all? If you're asking that question, then you should realize that it's a stupid question to ask. It's like asking if a $2 TSA-approved padlock on a suitcase is more secure than having no lock at all. Yes, your $2 padlock will probably keep out some random kid. It doesn't make your suitcase "secure" though.
  A fingerprint scanner on your phone is what we like to refer to as security theater. It gives you that warm feeling of your stuff being secure without the hassle of your stuff being secure. Is it better than not having any password at all? Well, sure, but if someone can't be bothered to enter a PIN or swipe a line then they probably also don't want to be hassled with a fingerprint scanner. You either care about security or not. If you do, then you use a password or something similar (for a phone). If you don't, then I guess a fingerprint scanner still helps you feel like your stuff is secure, anyway.
  But that doesn't mean you need to go around asking questions like "is a bare minimum of security more secure than no security at all".
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
6. Re:It doesn't matter... by mattventura · 2015-11-10 12:15 · Score: 1
  
  Well, yes, except for the part where the iPhone requires the passcode in addition to the fingerprint after a certain period of time.
7. Re:It doesn't matter... by Anonymous Coward · 2015-11-10 12:18 · Score: 0
  
  Bingo. It's a lot more secure than the PINs I always memorize when people use swipe on their Android and it lights up the numbers as they go. Fantastically easy to steal compared to me using my thumb. I could have every one of my co-workers phone PINs this way, if I cared. I doubt any of them could get my fingerprint and use it in half the time I could use ALL of their PINs... PIN is more secure on the device, but LESS secure when you actually use it. remember, it's all about what the goal is.
8. Re:It doesn't matter... by KGIII · 2015-11-10 12:46 · Score: 1
  
  Using your metric, no computerized device, that is able to be powered on, is secure. While that'd be tough to argue against, there must be some reasonable middle ground for the sake of brevity. I think "more secure" is applicable and acceptable. Just like the TSA lock is more secure than no lock at all.
  
  --
  "So long and thanks for all the fish."
9. Re:It doesn't matter... by zippthorne · 2015-11-10 14:46 · Score: 1
  
  A few hours? More like 5 minutes in a photo editor and twenty cents worth of effort. At least at the level Mythbusters tested a while back. All they needed to do was print the fingerprint using a laser printer.
  
  --
  Can you be Even More Awesome?!
10. Re:It doesn't matter... by Solandri · 2015-11-10 19:58 · Score: 1
  
  You're assuming "no security" is the worst possible state. I'd rate them from best to worst:
  
  Strong security
  Weak security
  No security
  Security people think is strong but is in fact weak
  
  If Apple et al were marketing fingerprint scanners as weak security, I'd have no problem with it. But they've been trying to market them as strong security, e.g. claiming it's based on the structure inside your finger and not your fingerprint itself (which was quickly discredited when people bypassed it with latex copies of fingerprints). Lulling people into a false sense of security like that just makes them easier targets for thieves and criminals. If your email is permanently logged in on your phone and your only security is a fingerprint scanner, then any thief who gets your phone and goes through the effort to lift your fingerprint can request password resets from every online account you have. Never mind the new phone-as-a-credit-card systems.
11. Re:It doesn't matter... by scamper_22 · 2015-11-11 04:00 · Score: 1
  
  It's also a matter of having multiple forms of security.
  After a few years, I signed up for Google's two-factor authentication. So if I am on signing in from a new location, it sends a text message to my phone with a code.
  I happen to like this system. It's very convenient. In my day to day use, it never even appears.
  If they could add finger printing to the process without making it more annoying, it would just be another good level of security.
12. Re:It doesn't matter... by david_thornley · 2015-11-11 07:21 · Score: 1
  
  There are levels of security. There's the level that would thwart my mother, were she not dead (actually, her ability to defeat security systems didn't go down much when she died), for five minutes. There's the level that would keep the NSA out for at least fifty years There's all sorts of levels in between.
  Fingerprints will stop the casual attacker pretty well. On an iPhone, it only has to last forty-eight hours or less, at which time the fingerprint becomes insufficient to unlock the iPhone. They're useless against a trained attacker who wants to specifically target your phone. They won't stop law enforcement.
  So, the question is what level of security you want, and what inconvenience are you willing to put up with? A fingerprint is at least a little better than nothing, and will protect you against the average phone thief. That's the most likely threat for most of us.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
13. Re:It doesn't matter... by painandgreed · 2015-11-12 06:38 · Score: 1
  
  A fingerprint scanner on your phone is what we like to refer to as security theater. It gives you that warm feeling of your stuff being secure without the hassle of your stuff being secure. Is it better than not having any password at all? Well, sure, but if someone can't be bothered to enter a PIN or swipe a line then they probably also don't want to be hassled with a fingerprint scanner. You either care about security or not. If you do, then you use a password or something similar (for a phone). If you don't, then I guess a fingerprint scanner still helps you feel like your stuff is secure, anyway.
  But that doesn't mean you need to go around asking questions like "is a bare minimum of security more secure than no security at all".
  I don't think you argument stands up as 99.99% of what everybody needs protecting against is "some random kid". It's the same with everybody's house, bike, and most cars. The locks most people use only keep out "some random kid" and are opportunistic in nature. People are able to get into your house easier than they can get into your phone with a thumbprint lock on it. You seem to be arguing that people should just not lock their houses if they aren't buried bunkers with steel doors. And forget securing your bike. The biggest, baddest NYC bike messenger chain and lock will still take second to break for someone that wants that bike enough to get the tools.
Fingerprint are not passwords by throbber · 2015-11-10 11:08 · Score: 5, Insightful

Fingerprints, in fact all biometrics, are not passwords -- they are usernames.
In the 'perfect' security combination of { something you are, something you know, something you have }, they are the "something you are" part.
1. Re:Fingerprint are not passwords by Anonymous Coward · 2015-11-10 11:14 · Score: 0
  
  A very large portion of the article addresses that they are *not* "something you are". Because they are reproducible they are simply "something you know".
2. Re:Fingerprint are not passwords by sexconker · 2015-11-10 11:19 · Score: 2
  
  Everything passed over a wire (or through the air) to a machine are effectively "something you know".
3. Re:Fingerprint are not passwords by Sperbels · 2015-11-10 11:27 · Score: 1
  
  So I can only have 10 accounts per website? That's not nearly enough.
4. Re:Fingerprint are not passwords by WolfWithoutAClause · 2015-11-10 11:27 · Score: 1
  
  Yes, they can be used as part of a multi-factor security system, but as a single security factor, they don't work.
  
  --
  -WolfWithoutAClause
  "Gravity is only a theory, not a fact!"
5. Re:Fingerprint are not passwords by Anonymous Coward · 2015-11-10 11:31 · Score: 0
  
  Ding ding ding, we have a winner.
  (GP AC)
6. Re:Fingerprint are not passwords by unrtst · 2015-11-10 11:45 · Score: 1
  
  They may be like usernames, but usernames should be considered "something you are".
  Most people would argue that, like usernames, fingerprints shouldn't be considered as a auth factor (something you are), because of their inherent insecurity and availability.
  Please, before someone argues that "something you are" could be twisted to include X, Y, or Z, that's not helpful. "Something you have" could be twisted to mean the knowledge of the password, but that's not what it means. The common three factors mean:
  1. something you know. This is commonly your password. It's a secret. This should NOT be some fact about you - that's an entirely different topic (those "security" questions).
  2. something you have. This means some physical thing that you can prove you have and is uniquely yours. This is commonly a RSA Secure ID, or a YubiKey, or FIDO U2F key, etc.
  3. something you are. This is commonly some biometric value: finger print, palm print, iris scan, dna, voice ("Hi. My Name Is Werner Brandes. My Voice Is My Passport. Verify Me."), etc.
  AFAIK, your username is not considered a factor. It is an identifier that keys into all those other things. None of the factors are absolutely and unequivocally unique, unlike a username on a given system. You can not use a fingerprint as a username due to collisions.
7. Re:Fingerprint are not passwords by unrtst · 2015-11-10 11:46 · Score: 1
  
  Ugh... where's the "edit" button for my "clicked past the preview too quickly" nature?
  I meant to start that with:
  
  They may be like usernames, but usernames should NOT be considered "something you are".
8. Re:Fingerprint are not passwords by throbber · 2015-11-10 11:52 · Score: 2
  
  Actually, no the article does not say biometrics are "something you know" ie. a password. It spends its entire time pointing out that biometrics make very poor passwords.
  Let me quote one sentence from the article for you:
  "For them [Customs] your fingerprint is only really used to verify that you are you ..."
  That was in the context of biometric passports.
  That is actually the correct use of biometrics ... they are something you are -- the same as your username. They are not a substitute for a pasword
  Oh ... hang on ... the article even states that in its conclusion:
  "Don’t use fingerprints as if they were passwords. Being permanent and relatively-easily verified and obtained makes them great for criminal investigations or for certifying that you are who you say you are. But they’re not passwords because they’re not secret, they’re not revocable, and they’re very difficult to store securely."
  Let me state that again .... fingerprints (biometrics in general) are who you are. The other two pieces are how you prove it to someone who doesn't know you and possibly can't see you.
9. Re:Fingerprint are not passwords by Overzeetop · 2015-11-10 11:59 · Score: 1
  
  They're all usernames. A username is a way to uniquely identify you. Whether it's a token, a password, or a biometric it's all just a way to identify you. The only reason we have usernames is so that we can look up the record for the identifier and compare the two.
  Think of it this way: If systems required that all passwords be unique, there would be no need for a username. If you have a token which is impossible to counterfeit, you need only a token for your identification. If you could provide a truely unique physical trait, you could identify someone based only on that trait without a need for any other identifier.
  
  --
  Is it just my observation, or are there way too many stupid people in the world?
10. Re:Fingerprint are not passwords by bobbied · 2015-11-10 12:25 · Score: 1
  
  So I can only have 10 accounts per website? That's not nearly enough.
  Take off your shoes and socks and double the count...
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
11. Re:Fingerprint are not passwords by KGIII · 2015-11-10 12:47 · Score: 1
  
  Well, you've got toes. Just tell 'em that you're fat.
  
  --
  "So long and thanks for all the fish."
12. Re:Fingerprint are not passwords by Qzukk · 2015-11-10 13:13 · Score: 1
  
  "something the connection claiming to be the device that is claiming to have read your fingerprint knows"
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
13. Re:Fingerprint are not passwords by Anonymous Coward · 2015-11-10 14:23 · Score: 0
  
  Pulldown your pants, and you're up to 21
14. Re:Fingerprint are not passwords by unrtst · 2015-11-10 18:45 · Score: 1
  
  They're all usernames.
  Wrong.
  
  A username is a way to uniquely identify you. ...
  As I said above, "None of the factors are absolutely and unequivocally unique, unlike a username on a given system. You can not use a fingerprint as a username due to collisions."
  I hope you're just trolling :-/
  As you said, "If systems required that all passwords be unique, there would be no need for a username".... then lots of people would end up quickly finding out other peoples full credentials (username+password, since you're saying there is no longer a need for a username), assuming you're allowing users to choose their own "password". The moment someone finds a password collision, they could just login with it.
  In an ideal world, where you could have some mythical token that is globally unique to you and also impossible to counterfeit, you still need a username (or a system ID, or a login ID, or some unique identifier besides said token). You need it so you can perform one of the most fundamentally important roles of a password - being able to change it and have different passwords for different accounts, yet still retain your unique identification / customer record / whatever.
15. Re:Fingerprint are not passwords by swillden · 2015-11-10 21:55 · Score: 1
  
  Fingerprints, in fact all biometrics, are not passwords -- they are usernames.
  This is completely wrong. Biometrics are neither usernames nor passwords. They have fundamentally different security properties from both. See http://it.slashdot.org/comment...
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
16. Re:Fingerprint are not passwords by Anonymous Coward · 2015-11-11 00:55 · Score: 0
  
  Ewwwwww I don't want to hack your phone... in fact, get that thing away from me!
17. Re:Fingerprint are not passwords by david_thornley · 2015-11-11 07:23 · Score: 1
  
  Depends on whether you can send the same thing again and get in. The random-number fobs or apps are more secure, since the password that gets you in this minute won't work the next minute. However, since fingerprints don't change much, you're sending the fingerprint scan down the wire. Unless the validating server has some way of detecting a straight replay attack, it's "something you know".
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
18. Re:Fingerprint are not passwords by Anonymous Coward · 2015-11-13 05:20 · Score: 0
  
  But I am fat, you insensitive clod!
orly? by goodmanj · 2015-11-10 11:09 · Score: 2

Is that actually true, though? I thought law enforcement, at least, identified fingerprints via a series of distinctive "features" rather than a full image of the fingerprint. In theory, couldn't these features be listed as to their presence/absence and coordinates relative to the center of the fingerprint, creating a consistent hashable value?
1. Re:orly? by Anonymous Coward · 2015-11-10 11:16 · Score: 0
  
  They're a set of features of which you are expected to produce some subset to identify.
2. Re:orly? by Anonymous Coward · 2015-11-10 11:43 · Score: 0
  
  Is that actually true, though? I thought law enforcement, at least, identified fingerprints via a series of distinctive "features" rather than a full image of the fingerprint. In theory, couldn't these features be listed as to their presence/absence and coordinates relative to the center of the fingerprint, creating a consistent hashable value?
  When you 'register' a print, it's doing several repeated captures. This results in a series of datapoints, with a 'margin of error'.
  When you then scan to authenticate, it compares your scan against the original, and if it falls within the 'margin of error' then it's a "match".
  If you hash the values, and don't store the original datapoints+error factor, then only an *exact* match will result in a hash match. Any deviation, no matter how slight, will result in a different hash. You can't compare two hashed values to see if they are within the error range.
  Your idea doesn't really change anything, since any deviation in the distance from the center point results in a different hash. You need the original values to compare against.
  So yes, the article is (surprisingly) correct in this aspect.
3. Re:orly? by Overzeetop · 2015-11-10 11:48 · Score: 2
  
  Oh, they're nominally unique. The article merely argues that they are useless against someone who has the time, means, and knowledge to steal one of your devices which uses fingerprint authentication AND create a usable copy of your fingerprint from some other method.
  It's entirely possible to do so. It's quite difficult to do so without the targets knowledge.
  
  --
  Is it just my observation, or are there way too many stupid people in the world?
4. Re:orly? by viperidaenz · 2015-11-10 11:48 · Score: 1
  
  Yes, if you put your finger in exactly the same orientation with the same pressure and your skin doesn't move either.
  Fingerprints aren't as easy to read as a QR code. They're attached to a flexible squishy thing.
5. Re:orly? by Anonymous Coward · 2015-11-10 14:41 · Score: 0
  
  Which is why the software in the phone/chip duing the comparison is tuned to very lax standards.
  There are literally thousands of persons walking around with fingers that COULD unlock your iphone, but solong as it's only one in 1000 or 10,000 or whatever and there is no easy way to predict who would match that's good enough for an overpriced toy (that goes for all phones in that pricerange).
6. Re:orly? by Tony+Isaac · 2015-11-10 17:28 · Score: 2
  
  they are useless against someone who has the time, means, and knowledge
  And this is really what any kind of security is about. It raises the effort and/or cost of accessing whatever is being protected. This is true whether it's your car (which thieves can break into in seconds) or your data. Given enough effort and money, any kind of security can be broken. The point, though, is to incur a cost high enough to protect an asset to a sufficient degree that thieves will be deterred.
7. Re:orly? by Anonymous Coward · 2015-11-11 03:03 · Score: 0
  
  Yes, fingerprints can be hashed.
  http://www.tomshardware.com/news/authentec-entrepad,2111.html
  Authentec (now Apple) proved that you could make an algorithm that can hash the fingerprint. The hash also has the advantage of allowing faster authentication of individuals because it is not an image comparison but a string comparison. With that in place, salting is also possible.
  There are some real corner cases with fingerprints (like people missing hands, injuries that change them temporarily, faking a fingerprint with a photocopy, incentivizing a thief to cut off a person's hand, etc.), but there are some advantages. A more fundamental thing is that there is no proof that fingerprints are absolutely unique. Even if there were, there is no proof that the hash algorithm leads to absolutely unique results. The result is that you will most likely have some significant hash collisions.
8. Re:orly? by goodmanj · 2015-11-11 03:18 · Score: 1
  
  Best. Anonymous Coward. Ever. Thanks!
9. Re:orly? by Anonymous Coward · 2015-11-11 05:00 · Score: 0
  
  Yes, and not only in theory, this is how fingerprint search works. The author is woefully misinformed on the subject. In a system that doesn't know who you are until it's identified the fingerprint, from a catalogue of 10,000 people, it first creates a feature set which is basically the kind of hash that the article says is impossible.
  This same technique, incidentally, is how apps like Shazam work. Same situation - you need "good enough" "closest" matches, from a database of millions of records, from an input stream which is basically analogue and contains all kinds of noise sources.
Even worse.. by Anonymous Coward · 2015-11-10 11:10 · Score: 0

.. you can change a password once it is compromised, but you cannot change your fingerprints.
1. Re:Even worse.. by viperidaenz · 2015-11-10 11:49 · Score: 1
  
  Meet my friend, the knife.
  Just make sure you keep picking at the scabs, so you create permanent scars.
2. Re:Even worse.. by Anonymous Coward · 2015-11-11 00:58 · Score: 0
  
  You know Meck personally? Please introduce me! I am a fan!
  http://capcom.wikia.com/wiki/M...
No more secure way than human memory by bogaboga · 2015-11-10 11:14 · Score: 1

I say this because I wonder whether there's a way for scientists to read a password from my memory. I doubt! I have one that consists of a special combination of my school registration numbers since grade 9. Unbeatable!
To this sequence, I have added space, special keyboard characters from those number keys. It has worked for me for 21 years so far. One password of mine had 31 characters. All from my mind! No wonder the NSA can't beat this approach.
1. Re:No more secure way than human memory by KGIII · 2015-11-10 12:53 · Score: 1
  
  The NSA has a whole closet full of monkey wrenches. If not then they're buddies with the CIA who do have a whole closet full of monkey wrenches, ball peen hammers, and pliers. What were you saying about your clever and unbeatable system again? (My longest password is 15 characters. I suck. I'll tell them that they can't have it right up to the point where they get out the monkey wrench. After that, I'll give them said password - I might even give them yours.)
  
  --
  "So long and thanks for all the fish."
2. Re:No more secure way than human memory by david_thornley · 2015-11-11 07:28 · Score: 1
  
  Again, we're talking about levels of security. It's not absolute.
  Monkey wrenches are a targeted attack, not a general one, and they can only be used in limited circumstances. They tend to taint evidence in criminal trials, and can easily result in civil lawsuits or even criminal charges if their use becomes provable. It would be most usable by organized crime, next by covert intelligence organizations, and not very usable for anybody else.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
3. Re:No more secure way than human memory by KGIII · 2015-11-11 11:02 · Score: 1
  
  The guy that I responded to is talking about scientists reading his brain. I'm pretty sure that's a targeted attack. :/ Unless he's picturing giant rays of mind reading beams. I'm pretty sure he's talking about the one where they put the electrodes on your skull and monitor the output. I seem to recall this being theoretically possible according to a Slashdot post a few years (maybe) back.
  
  --
  "So long and thanks for all the fish."
4. Re:No more secure way than human memory by david_thornley · 2015-11-12 03:25 · Score: 1
  
  Targeted all right, and it requires imprisonment but not other violence. It has its advantages over the wrench, if it can be made to work.
  It's probably better used to see if the subject reacts to a picture than to try to get decimal digits.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
5. Re:No more secure way than human memory by KGIII · 2015-11-12 06:05 · Score: 1
  
  I think that's how the article described it. I seem to recall it was interesting enough for me to even read the article. They were showing letters and numbers and then able to accurately guess them based on brainwaves or electrical readouts - I don't recall if it was MRI or electroencephalograph? (I also have no idea if I spelled that right.)
  
  --
  "So long and thanks for all the fish."
6. Re:No more secure way than human memory by david_thornley · 2015-11-13 04:19 · Score: 1
  
  There's lots of letters and numbers I know, and only one of them unlocks my phone. They're as likely to determine the year of some historical event, or an old phone number, or a mathematical constant. They can tell if a number has special significance to me, but currently not what the significance is.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
7. Re:No more secure way than human memory by KGIII · 2015-11-13 08:28 · Score: 1
  
  I seem to recall they asked "is this in your password?" (Or similar.) Then they monitored the output. Then they put the password together. "Is this the first letter of your password?" I think they mentioned something along the lines of being able to narrow it down even further. I did a quick search and I'm not able to recall or find where the article is but I'm pretty sure it was on this site and I think that's what the AC was referring to. I've no idea how accurate the findings were or nor if it is in use anywhere. I am also thinking it might have been with an MRI.
  I did find this:
  http://www.wired.com/2012/08/b...
  That mentions use of an EEG. I could have sworn it was refined and using either a CT or MRI scan??? However, that article is about the right time-frame, so that may be it it it may have just been conjecture, in the other article, about what the future could hold?
  
  --
  "So long and thanks for all the fish."
Premise is not necessarily correct. by JMZero · 2015-11-10 11:17 · Score: 3, Interesting

It's more awkward to hash a fingerprint than a password, sure, but it's certainly not impossible. An image of a fingerprint is mutable and "analog" feeling, but you could, instead, base your fingerprint comparison on a more "digital" digest of information from that fingerprint (eg. you boil image data down to bits that are repeatable in the face of repeated scans, like you check whether feature X is significantly more prevalent than feature Y in this print).
It'd be tricky, sure, and potentially impractical given current scan quality - but non-hashability is not some inherent limitation of fingerprints or biometrics in general.

--
Let's not stir that bag of worms...
1. Re: Premise is not necessarily correct. by Anonymous Coward · 2015-11-10 11:26 · Score: 0
  
  Serialize fingerprint data/ object, run through sha512 a few times. Done. Thank you.
2. Re:Premise is not necessarily correct. by swillden · 2015-11-10 11:35 · Score: 1
  
  eg. you boil image data down to bits that are repeatable in the face of repeated scans, like you check whether feature X is significantly more prevalent than feature Y in this print
  But you can't check if feature X is significantly more prevalent than feature Y if all you have to compare against is a hash of the features. That's the point. And, no, you can't usefully hash the individual features independently because the sample space of each is too small. If there are only, say, 10 bits of entropy in the hash of each feature, you can brute force each of them independently and de-hash the template, so the hashing was useless.
  However, hashing of fingerprint templates is pointless anyway. Salted hashing is a way to keep attackers who get the hashed secrets from being able to recover the original secrets. But fingerprints are not secrets.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
3. Re:Premise is not necessarily correct. by Sique · 2015-11-10 11:41 · Score: 1
  
  The problem is that you have to compare the received image with the stored one, and then calculate the distance. If the distance is smaller than a certain treshold, the image is accepted.
  A hash can't do that. Actually, a hash is designed to not allow that. The distance of two sources should always be completely unrelated to the distance of the respective hashes.
  
  --
  .sig: Sique *sigh*
4. Re:Premise is not necessarily correct. by Anonymous Coward · 2015-11-10 11:46 · Score: 0
  
  I would argue that if you can have a threshold of acceptance for any given fingerprint, then it is hashable with same fuzzy function that accepts or rejects.
  The logic is flawed in the article and I use a fingerprint to get into my phone, not a bank vault. I don't encrypt my phone yet because unlike the Intel line-up. not many ARM versions support hardware AES yet (if any? not sure)
  My current solution is to not store anything private and valuable on the phone - anything important, I backup.
5. Re:Premise is not necessarily correct. by JMZero · 2015-11-10 11:59 · Score: 1
  
  I don't think you read my post?
  My whole point is that you don't have to compare image to image. I'm saying that you could take a fingerprint image and digest it into a set of boolean qualities that are stable for various images of that fingerprint (ie. this one has significantly more dipsees than doodads, so that can be a bit in our stable digest). Then you hash that digest and store it. For a new authentication attempt, you do the similar digest and hash, and the two hashes have to match (like a normal password check).
  Finally, to repeat from my previous, I grant that this might be difficult in practice, but it is not impossible (and thus this is not some intrinsic limit to using fingerprints for authentication).
  
  --
  Let's not stir that bag of worms...
6. Re:Premise is not necessarily correct. by JMZero · 2015-11-10 12:08 · Score: 1
  
  I'm not suggesting hashing the image, I'm suggesting hashing a stable digital digest, the contents of which might be determinations like "are there significantly more of feature X than Y" that were repeatable. I thought that was clear?
  Your next point is a reasonable possible problem with practicality - if your "stable digest" is too small then it obviously won't work. But there's no reason this digest couldn't be usably large with a scan of appropriate quality; to be clear, I'm taking issue with the idea that hashing a fingerprint is impossible in principle, I'm not saying it would practically work right now in realistic scenarios.
  And I would say fingerprints are secrets to some extent. If someone were able to harvest a ton of identified fingerprint images from a database breach, I think that would be a significant negative. Being able to hash is a positive for an authentication system.
  
  --
  Let's not stir that bag of worms...
7. Re:Premise is not necessarily correct. by swillden · 2015-11-10 12:20 · Score: 1
  
  On hashing, it really doesn't matter, even if it is feasible. And if it were, it would have been done.
  
  And I would say fingerprints are secrets to some extent.
  When thinking about security, you should assume they're public knowledge. If they happen to be less available than that, then you're in better shape than you thought. But given that they're not rotatable and are left everywhere, no good security design should be based on the premise that fingerprints are secret.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
8. Re:Premise is not necessarily correct. by KGIII · 2015-11-10 12:59 · Score: 2
  
  Err... I could be wrong but fingerprint scanners don't actually store images these days. They store data points. Ridge x was in this location in relation to feature Y which is in this location compared to feature C, etc...
  Someone on Slashdot works in the industry and explained it quite nicely a few years ago. It was verified by a few other posters. So, I could be wrong but that's my recollection in simple KGIII-acceptable-terms. They don't store images, don't compare images, etc... That's why your finger needn't be in the same spot every time and why the initial scanning takes more than one scan of the features. I understand you can also increase the verification process by scanning multiple times when the device is used to read the prints. So, out of 30 scans, 15 much match exactly and 10 must be within a certain subset, and 5 can bugger right off as being unreadable for any one of a number of reasons.
  I'm quite certain that they used more precise verbiage. That's how it was interpreted and stuck with me. Like I said, I may be wrong but I kind of, sort of, doubt it - except maybe a small detail here and there but I don't think that I got any of those wrong. They were pretty eloquent and gave good information.
  
  --
  "So long and thanks for all the fish."
9. Re:Premise is not necessarily correct. by Bite+The+Pillow · 2015-11-10 14:23 · Score: 1
  
  You were clear. We are all looking forward to your implementation.
  
  I'm taking issue with the idea that hashing a fingerprint is impossible in principle, I'm not saying it would practically work right now in realistic scenarios.
  How about in unrealistic scenarios? Because half of the new and cool stuff mentioned on this website is rubbished because it's not practical in reality. And then someone refines it, so then it is realistic.
  Are you talking about having an indicator for ridge A, with a radius relative to the whole finger of X percent? And a vector for the direction of whorl Y?
  If so, you're going to have to establish one classification system to start with, and there are several. They can be exclusive systems, or inclusive. Just from Wikipedia, which I assume you read before posting your assertion:
  
  The Henry Classification System is a method to classify fingerprints and exclude potential candidates. This system should NEVER be used for individualization.
  So there is at least one classification system that you can't use to identify someone, but you can tell if someone is NOT a match.
  So we get to feature extraction. Can you define a system of features where all existing and once-existing fingerprints can be uniquely identified? Because systems like AFIS have been trying to solve this problem for a while, and your contribution would reduce the search time greatly.
  Some of the experts in the area are trying to invent the next generation fingerprinting system. I assume you are one of them? If not, either apply or shut the fuck up about things that "make sense to you". Because the world is not a thing that armchair philosophers can contribute to by simply asserting a truth.
10. Re:Premise is not necessarily correct. by dgatwood · 2015-11-10 15:39 · Score: 1
  
  A hash can't do that. Actually, a hash is designed to not allow that. The distance of two sources should always be completely unrelated to the distance of the respective hashes.
  Not necessarily. It is a property of a good hash for cryptographic purposes, but it isn't inherent in the definition of a hash. Strictly speaking, a hash has only two requirements: that an input maps to exactly one output every time, and that more than one input produces a single output. In many cases, you want similar inputs to hash to similar outputs, to make searching a large data set easier (for example, when searching for a matching image). That's a hash function, too; it simply wouldn't be considered a good cryptographic hash.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
11. Re:Premise is not necessarily correct. by JMZero · 2015-11-11 03:49 · Score: 1
  
  Wow, that was a stupid, bizarrely aggressive post. What's extra bonkers is that it seems like you agree with me.
  No I'm not an expert on fingerprints (or security or cryptography in general), but that doesn't mean I can't clarify a pretty simple misunderstanding. In this case, my point was that building a hashing system suitable for fingerprint authentication may have challenges, but is not inherently impossible (as the original article implies).
  Everything you said agrees with that determination (challenging practically, but no reason to think it's actually impossible). I didn't think this would be a controversial stance at all really, and I certainly didn't expect to induce hilarious rage-posts like yours here.
  
  --
  Let's not stir that bag of worms...
Fuzzy Hashing, Extractors and Vaults by steamraven · 2015-11-10 11:28 · Score: 1

This is an area that has seen quite a bit of research and there are ways to hash fingerprints. I little google searching led to Fuzzy Extractors which create a cryptographic key from biometric data and Fuzzy Vaults that store fingerprints in a secure way.
https://en.wikipedia.org/wiki/...
http://www.cse.buffalo.edu/tec...
https://eprint.iacr.org/2004/0...
Naive analysis by Anubis+IV · 2015-11-10 11:28 · Score: 4, Interesting

The whole suggestion that fingerprints cannot be hashed or are unhashable is rather preposterous. The author points out that a tiny flaw in a fingerprint can result in the hash being different, and he may very well be right that that happens, but that's an implementation issue, not an inherent problem with hashing fingerprints. After all, if you're doing things properly, you won't be hashing the raw raster scan of the fingerprint itself, but rather a normalized/filtered vectorization of the fingerprint that can be trained to ignore slight discrepancies like those.
Will it be perfect? Nope. Will it allow for mismatches (i.e. hash collisions)? Absolutely, but if you implement your normalization/filtering properly the hash collisions should only occur once in a blue moon, just the same as they do with normal passwords (e.g. Apple says the chances of a random match are 1 in 50,000 with Touch ID; see page 8 of their iOS Security document).
When you get down to it, this problem isn't much different from how YouTube or Shazam do their content matching, namely, they can take some sort of noisy data, apply a set of filters, generate a hash/fingerprint of the relevant data, then do a quick search based on that hash, rather than trying to actually match the noise in the coffee shop I'm in against the millions of tracks they've sampled. There are differences between those problems and this one, to be sure, and simply encrypting the fingerprint instead of hashing it does make things a LOT easier to implement (e.g. Apple doesn't hash fingerprints, but they do take the extra step of discarding minute details that would be necessary to reproduce a fingerprint before they encrypt it for later use), but to suggest that fingerprints are unhashable just seems silly. We're in the early days of fingerprint scanners in widespread use, and I'd expect that things will head in that direction with time.
1. Re:Naive analysis by Anonymous Coward · 2015-11-10 12:26 · Score: 2, Interesting
  
  YouTube or Shazam [...] generate a hash/fingerprint of the relevant data
  I doubt they hash anything. The output of the set of filters gives a point in high-dimensional space, and they run a nearest-neighbor algorithm on it. The coordinates might get discretized, but not hashed. Hashing at any point in the process is counter-productive because hashing causes two nearby values to become very different, so you lose distance information unless the distance is exactly 0.
2. Re:Naive analysis by bobbied · 2015-11-10 12:51 · Score: 1
  
  1 in 50,000 is pretty unsecure if you ask me. That means that there are 200 people in a million that can get into my phone...
  Why not increase the hash size? Because, then you have to come up with some way to account for the physical variations between scans of the same finger, so you lower the hash size and sacrifice the false positive rate to get a lower false negative rate.. There is the real problem with the hash idea, it involves trade offs between convenience and security... The best security involves storing the full fingerprint scan, and storing the ACTUAL data on the device is a really big security problem of it's own. Trade offs are heck sometimes.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
3. Re:Naive analysis by flink · 2015-11-10 15:39 · Score: 1
  
  1 in 50,000 is pretty unsecure if you ask me. That means that there are 200 people in a million that can get into my phone...
  1 in 50,000 is better than the 1 in 10,000 you get with a 4 digit PIN, which is what the fingerprint is usually replacing. And since you usually get at least 10 wrong guesses before the phone locks for a long time or erases itself, the PIN is more like 10:10,000 or 1:1000. And to be fair, your chances of matching a random fingerprint are actually 5:50,000 since it lets you try 5 times (or 5 different fingers) before locking out TouchID.
  Having TouchID lets me set a long alphanumeric passcode. This is tolerable since I don't have to enter it very often. So I am arguably more secure now than with the 4-digit PIN I was using before since the convenience of the biometric allows me to set a longer, seldom-used passcode.
4. Re:Naive analysis by Copid · 2015-11-10 17:01 · Score: 2
  
  I think the overall point is that if you quantize the point in high dimensional space aggressively enough and then hash that value, you're in business. The problem is designing the features such that you can do the quantizing without creating a bunch of collisions. Unfortunately for fingerprinting, that's a tall order. You're limited to metrics that are invariant over the plastic deformation of the fingerprint as you mush it against the sensor. People would be surprised at the number of different ways a typical user can find to smash his finger on a flat surface.
  
  --
  An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
5. Re:Naive analysis by Anonymous Coward · 2015-11-11 02:14 · Score: 0
  
  I think the overall point is that if you quantize the point in high dimensional space aggressively enough and then hash that value, you're in business.
  I don't think it works at all. How aggressive are we talking about? If you quantize each coordinate into buckets that are 10x larger than a typical measurement variation, then you're going to be accepting a valid measurement 9/10 of the time, but in exchange you're going to be accepting a lot of crap measurements. And even then, the 9/10 probability is for one axis only. We talked about a high-dimensional space and a probability of (9/10)^n quickly gets very low for a true positive rate.
Fingerprints are Hashable by Stormy+Dragon · 2015-11-10 11:28 · Score: 2

Fingerprints cannot be hashed. By their very nature, each read of your fingerprint will be a little different, which breaks the hashing method.
Just pre-process them with something like SIFT to eliminate the variations introduced from one reading to the next and hash that.
1. Re:Fingerprints are Hashable by Anonymous Coward · 2015-11-10 11:52 · Score: 0
  
  You can't eliminate all variations. At some point you'll have to check whether fabs(x,y) < 0.1. It's impossible to hash x and y such that the test becomes hash(x) == hash(y).
2. Re:Fingerprints are Hashable by Stormy+Dragon · 2015-11-10 12:18 · Score: 1
  
  You can't eliminate all variations.
  Sure you can. Unless the detction algorithm accepts every potential fingerprint is presented, there is implictly some invariant feature of the fingerprint that is being used to make the decision. Eliminate everything but that invariant during pre-processesing and you have something you can hash on.
  
  At some point you'll have to check whether fabs(x,y)
  Quantize x and y.
3. Re:Fingerprints are Hashable by Anonymous Coward · 2015-11-10 13:28 · Score: 0
  
  there is implictly some invariant feature of the fingerprint that is being used
  There can't be. The verification algorithm must tolerate small errors and reject large errors. If applying a small error hashes to the same thing, then applying a sequence of small errors will have to hash to same thing, and a sequence of small errors is a large error.
  
  Quantize x and y.
  You haven't thought this through. If x = 2.49 and y = 2.51 and you round them to 2 and 3, then you'll fail the check.
4. Re:Fingerprints are Hashable by JMZero · 2015-11-11 04:20 · Score: 1
  
  Sure this is a problem, but not an unsolveable one.
  As long as only a small percentage of measurements fall into ambiguous bands, you can solve this in practice by simply jittering any of the measurements that were very close. IE, if you have 9 measurements that are clearly in a band, and one that's right on the edge, you can just try both the nearby values for the tenth and see if either matches the hash. If you have too many measurements that are equivocal, then your system has failed as you couldn't (and wouldn't want to) be jittering everything... but overall, this is a design challenge, not an absolute showstopper or something.
  
  --
  Let's not stir that bag of worms...
5. Re:Fingerprints are Hashable by Anonymous Coward · 2015-11-11 06:57 · Score: 0
  
  The "invariant feature" is simply that MOST of the 2 fingerprints match. Comparing fingerprints seems analogous to how QR-code reading software can deal with arbitrary parts of the QR-code being corrupted, as long as there's not TOO much corruption. I don't see how one could only compare hashes of the two fingerprints to do this.
6. Re:Fingerprints are Hashable by Stormy+Dragon · 2015-11-11 07:11 · Score: 1
  
  Not only CAN there be, there MUST be. If there is absolutely no invariant whatsoever, then there is no way to explictly distinguish between two fingerprints that match or don't match. The phrase "small errors" implies a distinction between variations that are truly part of the data and variations that are part of the "error".
7. Re:Fingerprints are Hashable by Anonymous Coward · 2015-11-12 06:17 · Score: 0
  
  How can you still fail to understand the problem after two rounds of explanation? Tell me which step you disagree with so we can narrow it down:
  1. It's possible to design a sequence of 1000 plausible fingerprints such that fingerprint_1 is yours, fingerprint_1000 is mine, and fingerprint_n is extremely similar to fingerprint_{n+1}.
  2. hash(fingerprint1) != hash(fingerprint1000) otherwise I can authenticate as you.
  3. There must be some n such that hash(fingerprint_n) != hash(fingerprint_{n+1}).
  4. Training the system to recognize fingerprint_n and testing with fingerprint_{n+1} will fail to authenticate because the hashes are different.
  5. This is a failure of the system because by construction the two fingerprints are "extremely similar".
  6. Since the hash() function was arbitrary, we conclude that no system that compares fingerprint hashes will work.
The downside of biometrics by Anonymous Coward · 2015-11-10 11:29 · Score: 0

I always think of this scene when I hear about biometrics....
http://cdn.av.s3.amazonaws.com/wp-content/uploads/2013/07/15142727/Wesley-Snipes-eyeball.jpg
fingerprints and retinas are username replacements by Anonymous Coward · 2015-11-10 11:31 · Score: 0

fingerprints and retina scans are more like usernames, not passwords. Just another way to verify that you are who you are. The password is still necessary to get access.
I can hash fingerprints by Kim0 · 2015-11-10 11:32 · Score: 1

I can also extract a cryptographic code from a fingerprint, and it can be revoked and a new one made.
I know this sounds impossible, and nobody but me seems to have made a good system for this.
Probably because the math is quite tricky and unpublished.
1. Re:I can hash fingerprints by NotInHere · 2015-11-10 11:51 · Score: 2
  
  ... and this comment would give too few space to write down the beatiful proof?
2. Re:I can hash fingerprints by Kim0 · 2015-11-10 11:53 · Score: 2
  
  ... and this comment would give too few space to write down the beatiful proof?
  No, but I see no point in giving it away for free.
3. Re:I can hash fingerprints by locofungus · 2015-11-10 19:40 · Score: 2
  
  Why not? I remember seeing an example of how to hash fingerprints something like 20 years ago. It may not work with the current fingerprint checking tools but it went something like this:
  1. user (fingerprint owner) Generates a random image the size of the fingerprint image.
  2. Add error correcting - e.g. an R-S code on the rows and columns
  3. Hash this resulting data
  4. XOR the image in 2 with the fingerprint.
  5. Send 3 and 4 to the person who wants to verify the users fingerprint later.
  (User might want to save a hash of 4 so that they can verify that when presented with this data again they can tell it hasn't been tampered with)
  When the time comes to verify the fingerprint:
  1. Verifier sends 4 above to the user
  2. User XORs their fingerprint with 1
  3. Apply error correcting to 2
  4. Generate the hash from this data and send to verifier
  5. Verifier compares with hash stored. aka password.
  The challenges are related to detecting the rotation and position of the fingerprint when you don't save any data about the fingerprint itself. What you need is an algorithm that can consistently align a fingerprint by shifting and rotating a fingerprint when it's presented slightly differently.
  There's also the challenge of getting the amount of error correcting correct. Too little and the random image recovery won't work. Too much and you'll start accepting fingerprints that are similar but different or allow brute force to recover the hash.
  
  --
  God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
4. Re:I can hash fingerprints by Kim0 · 2015-11-10 19:46 · Score: 2
  
  That method will usually fail because fingerprints are deformable.
  And I need money to survive. My knowledge might help me get money, by selling it.
Someone forgot to tell Apple. by strredwolf · 2015-11-10 11:35 · Score: 2

Someone forgot to tell Apple that they're not hashable... because that's how they're storing them.
But then, you don't use them as a key to encrypt, you use them to *verify* that you are you. This takes care of dumb people trying to break into your phone. The smart ones just open up the phone and try to read the flash and security EEPROM directly.

--

--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
1. Re:Someone forgot to tell Apple. by Anonymous Coward · 2015-11-10 14:59 · Score: 0
  
  They aren't hashable (at least not in a consistent way to make them usable). Apple like others create a mathematical representation of the fingerprint data which has a lot more flexibility than the raw data, they hash this.
2. Re:Someone forgot to tell Apple. by david_thornley · 2015-11-11 10:09 · Score: 1
  
  The flash memory is normally encrypted. The key is in a separate spot in the CPU chip, and can't be accessed easily, if at all. I don't know if it's possible to extract information from a recent iPhone without the fingerprint or PIN authorization.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Yes they are hashable! by Anonymous Coward · 2015-11-10 11:37 · Score: 2, Interesting

Just ask the FBI if fingerprints can be hashed. They've been doing it for decades as part of AFIS - the Automated Fingerpritn Identification System.
In a nutshell: Software looks for minutae in the print - locations of whorls, loops, valleys, etc. Once those are located it decides where they are relative to each year, then puts those relative coordinates into bins. The smaller the bins, the less tolerance there is for variability like being squished hard against the scanner and spread out. If you set your bins too small then you'll get a bunch of false negatives. But you don't have to do just one set of bins - you can do multiple bins, progressively more precise and then put them in a search tree where the further you go down the tree the more confidence you have that the print is a match.
Those bins are effectively a password which can be hashed just like any other password and you can store hashed bins instead of originals in the clear if you want because you are just doing a bit comparison with each higher level of precision.
1. Re:Yes they are hashable! by viperidaenz · 2015-11-10 12:01 · Score: 1
  
  Except if you know what the bins are and the algorithm, you can generate fingerprints that will match them.
  Sure, what you've described is a hash and it's great for hashtables and indexes, but I think what was implied is a cryptographically secure hash.
2. Re:Yes they are hashable! by Anonymous Coward · 2015-11-10 12:57 · Score: 0
  
  > Except if you know what the bins are and the algorithm, you can generate fingerprints that will match them.
  That presumes you can reverse engineer out the points from the hashed list of bins. That's what salts are for.
3. Re:Yes they are hashable! by zippthorne · 2015-11-10 14:55 · Score: 1
  
  I think he's saying that at each accuracy-level you're cryptographically hashing something, and then when you do the compares, you do the same thing.. cryptographically hash at the different levels and compare those to the stored hashes and the best one that matches defines your confidence in the match.
  
  --
  Can you be Even More Awesome?!
4. Re:Yes they are hashable! by Anonymous Coward · 2015-11-10 15:01 · Score: 0
  
  They aren't really hashing a finger print. They are collecting pieces of descriptive information about the fingerprint and then hashing that. It is like writing a description of someone's face and hashing it and then claiming you are hashing the persons picture.
You can't change your fingerprint by Anonymous Coward · 2015-11-10 11:40 · Score: 0

I think people who come up with this stuff watch too many movies where its so cool to have facial recognition or fingerprint security. How about retina next?
If you have a stagnant security system then someone has the ability to hack it. At least with passwords you have the ability to change it and if you do it with a reasonably good one it then makes that stagnant security fluid and ever changing. Which makes the hackers cringe. I totally agree fingerprint authorization is about as worthless as a 4 digit pin.
1. Re:You can't change your fingerprint by mark-t · 2015-11-10 12:25 · Score: 1
  
  I agree with your general point, but 4 digit pins are not entirely worthless.... they have the significant advantage that they are short enough to easily remember, and while this is undeniably also an advantage from a hackability perspective, a card that is used for too many invalid pin attempts is always temporarily deactivated, and typically, the owner of the card is contacted by telephone. They will only reactivate the account when they have confirmed that the owner has the card. If it were to occur again, they would probably cancel the card and just issue a brand new one.
  Of course, that doesn't stop people from using keyloggers or something similar to discover your password....but then no length of code is secure against such techniques unless the password is never the same.
  
  --
  File under 'M' for 'Manic ranting'
2. Re:You can't change your fingerprint by Bert64 · 2015-11-10 19:20 · Score: 1
  
  You can protect against *online* attacks in that way as it can keep track of how many attempts have been made, but if you find a way to perform an offline attack then the 4 digit pin becomes very weak.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
3. Re:You can't change your fingerprint by mark-t · 2015-11-11 03:54 · Score: 1
  
  An offline attack is only viable if you have a local copy of their password data. A four digit pin is therefore no weaker than the banks own security, since the latter must be defeated first to obtain such a copy, and even then, it must be done without the bank beng aware of it or the bank may alert its users.
  My point being that the security in short length PINs isn't as particularly weak as one may think.
  
  --
  File under 'M' for 'Manic ranting'
4. Re:You can't change your fingerprint by david_thornley · 2015-11-11 10:14 · Score: 1
  
  The iPhone can be set to erase all data after ten failed attempts. Since it can't be attacked in an offline mode, that means that the attackers have a one in a thousand chance of guessing correctly, given a random four-digit passcode. That's pretty good odds.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
5. Re:You can't change your fingerprint by Bert64 · 2015-11-11 20:10 · Score: 1
  
  If the pin is only kept on a bank server then sure, but if the pin is on a mobile handset which you've stolen then you do have a local copy of the password data.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
6. Re:You can't change your fingerprint by mark-t · 2015-11-12 11:18 · Score: 1
  
  I think we can probably agree that having physical access to where important data is stored trumps root.
  
  --
  File under 'M' for 'Manic ranting'
7. Re:You can't change your fingerprint by mark-t · 2015-11-12 11:28 · Score: 1
  
  The iPhone can be set to erase all data after ten failed attempts. Since it can't be attacked in an offline mode, that means that the attackers have a one in a thousand chance of guessing correctly, given a random four-digit passcode. That's pretty good odds.
  If they have the physical phone, you're screwed. They could make a virtual duplicate of it, and attempt to find the password inside of the VM
  
  --
  File under 'M' for 'Manic ranting'
Fingerprints, the worst kept secret by TME1040 · 2015-11-10 11:42 · Score: 1

As some others pointed out, you leave your fingerprints everywhere, making it a very bad authentication method. Damn, imagine someone breaking into one of your accounts just because you tossed your used cup of coffee in a public bin...
Fingerprints can be hashed by WillAffleckUW · 2015-11-10 11:51 · Score: 2

Most match protocols use point algorithms to store the points and patterns.
The fact that you've never seen this does not mean we don't have it. We just don't tell you.
However, all biometrics are highly hackable. Including and especially facial recognition.
The chief way to stop people is to pay attention to your actual vulnerabilities and concentrate on those, and vary the more easily defeated protocols.
Stop believing movies. Most of what you see in those are fake.

--
-- Tigger warning: This post may contain tiggers! --
1. Re:Fingerprints can be hashed by Anonymous Coward · 2015-11-10 18:17 · Score: 0
  
  Most match protocols use point algorithms to store the points and patterns.
  exactly, hence they are NOT hashing the fingerprint, they are hashing a derived algorithm or description of the fingerprint.
Theft and Brute Forcing by irrational_design · 2015-11-10 11:52 · Score: 1

I assume Theft refers to someone cutting off your thumb and Brute Forcing refers to a brute putting you in a headlock while his partner forces your thumb onto the sensor.
1. Re:Theft and Brute Forcing by ElectricHellKnight · 2015-11-10 14:19 · Score: 1
  
  Obligatory: They took my thumb!
Passwords aren't passwords by Overzeetop · 2015-11-10 11:55 · Score: 1

We keep talking about passwords as if they were some magical key. They're not. They're no different, on a theoretical basis, than a unique physical token or a unique biometric - it's simply a means for you to verify WHO YOU ARE. There are no passwords, only versions of usernames.
Yes, fingerprints can be copied. As can usernames. Tokens can be stolen. Passwords can be beaten out of you (and I use beaten in a general sense, not necessarily a physical one). Using two of those will prove to be rather difficult to circumvent on a properly created challenge system without the enduser's knowledge. Getting to someone's data by using their login and password (or biometric equivalent) is rarely the easy way; it's often simpler to break the backend or intercept the data in transit.

--
Is it just my observation, or are there way too many stupid people in the world?
Even worse.... by mark-t · 2015-11-10 12:11 · Score: 3, Insightful

.... there is absolutely nothing that you can actually do, barring the use of what would probably amount to excessive physical violence, to prevent someone from taking your fingerprints who is intent upon doing so.
You can, at least, refuse to divulge your passwords.

--
File under 'M' for 'Manic ranting'
1. Re:Even worse.... by Anonymous Coward · 2015-11-10 21:12 · Score: 0
  
  Even better, you can choose to divulge your passwords.
  When the guy with the machete wants your phone, you give him your phone. When he wants your password, you give him your password.
  When he wants your fingerprint, you can't give it to him. He's going to use his machete and take it. And if you're really really unlucky, your phone will refuse to accept a dead finger. Do you think he will say "oh, too bad" then? I'll tell you what he'll say: Oh, wrong finger...
2. Re:Even worse.... by Tom · 2015-11-11 04:31 · Score: 1
  
  What kind of secrets do you have that are more important than keeping your balls, or eyes?
  The threat scenario is law enforcement in civilized countries. They can legally take your fingerprints. They cannot legally cut off your balls and poke out your eyes.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
3. Re:Even worse.... by mark-t · 2015-11-12 05:41 · Score: 1
  
  It's not so much that one might have secrets that are worth so much them, as much as that they may have secrets that are worth so much to whomever is wanting to get the information... if they kill the person, then they *cannot* divulge the information, and for certain rather broad classes of neurologically atypical people, most notably certain kinds of mental illness sufferers who might otherwise be capable of functioning in regular society (presumably with medication), subjecting the person to abnormal levels of stress such as what might be endured during torture or even brainwashing can be entirely counterproductive to obtaining any factual information.
  Fingerprints can be taken from a dead man... the secrets that are locked by them may be obtained without any cooperation on the part of a person whatsoever.
  
  --
  File under 'M' for 'Manic ranting'
Homomorphic encryption by Anonymous Coward · 2015-11-10 12:16 · Score: 0

which requires the same master password each time a new print read
Are they claiming that homomorphic encryption is impossible? This was an open problem for a long time, but the Ishai-Paskin cryptosystem is supposed to be a solution. Is there a flaw in it?
You naively ignore the $5 extraction technique by rsborg · 2015-11-10 12:29 · Score: 1

.... there is absolutely nothing that you can actually do, barring the use of what would probably amount to excessive physical violence, to prevent someone from taking your fingerprints who is intent upon doing so.
You can, at least, refuse to divulge your passwords.
Sure, but then you're pretty much leaving yourself to this:
http://www.explainxkcd.com/wik...

--
Make sure everyone's vote counts: Verified Voting
1. Re:You naively ignore the $5 extraction technique by mark-t · 2015-11-10 12:55 · Score: 1
  
  You still have to give the passwords willingly... whether you are willing only because you are being tortured or under extreme duress is irrelevant, another party must take measures to directly influence your mental state in order to obtain the password, and even then, there is no guarantee of success. Your fingerprints, however, can be taken whether you object to them being taken or not, and do not require your cooperation to obtain.
  
  --
  File under 'M' for 'Manic ranting'
2. Re:You naively ignore the $5 extraction technique by rsborg · 2015-11-10 15:00 · Score: 1
  
  You still have to give the passwords willingly... whether you are willing only because you are being tortured or under extreme duress is irrelevant, another party must take measures to directly influence your mental state in order to obtain the password, and even then, there is no guarantee of success. Your fingerprints, however, can be taken whether you object to them being taken or not, and do not require your cooperation to obtain.
  I'm sorry, I fail to see your distinction. The only benefit to passwords is that you can change them. Both can be forcibly extracted.
  
  --
  Make sure everyone's vote counts: Verified Voting
3. Re:You naively ignore the $5 extraction technique by mark-t · 2015-11-10 17:23 · Score: 1
  
  You can't forcibly extract a password... it must be given. Y The most someone else can do to "extract" it is do things to a person that might coerce them into volunteering that information or cooperating, and even then there will never truly be any guarantee. You see, nobody really knows for sure exactly how the brain works, and every human mind is ultimately different. Torture and brainwashing, for example, would be entirely ineffective against certain classes of neurologically atypical people, not because they are necessarily strong willed, but simply because their minds work so differently than most. Some might even entirely mentally shut down under such conditions, or enter a completely catatonic state, incapable of performing any conscious act or even speaking, making it impossible to gain any useful information from them.
  No.... passwords cannot be forcibly extracted. Fingerprints can be taken from you without any of your cooperation.... they can be taken from you when you are dead, even. Can't exactly do that with a password now, can you?
  
  --
  File under 'M' for 'Manic ranting'
Re:Hacking biometrics by bobbied · 2015-11-10 12:42 · Score: 1

I hear that 99.9% of statistics are made up.... (Which must be true, because I just made that up.)
Seriously, you are laboring under the delusion that it's hard to get a finger print or come up with a way to fool the sensor reading the finger print. You literally leave finger prints EVERYWHERE you go and like it or not, most scanners in use these days are chuck full of compromises on things like not looking at the whole print or they don't save enough detail but condense down your print into some mathematical expression. Not to mention that if you ever are able to break into a system that accepts fingerprints and obtain this data, you can easily construct a way to "fake" the system so they don't need access to you, ever.
Like all security ideas, it sounds great on paper, but when you start looking at the details of how it all works, the wheels quickly come off the train because doing it the right way is too hard, too expensive or too inconvenient to be useful. Most Fingerprint bio-metric based access control schemes fail in some way because of the implementation issues, they get compromised because they are expensive, or start to loosen the acceptable standards for a match because users complain of too many rejections.
Fingerprints just look like they'd be secure but as implemented they just don't turn out to be all that secure.

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
This is a job for homomorphic encryption by goombah99 · 2015-11-10 13:00 · Score: 1

This sounds like an ideal job for homomorphic encryption. Compare a sample to a fingerprint without ever revealing the sample or the fingerprint to a third party.

--
Some drink at the fountain of knowledge. Others just gargle.
Re:Hacking biometrics by myowntrueself · 2015-11-10 13:18 · Score: 1

You can lift fingerprints from photos. Photos can be accessed remotely by people you have no contact with.

--
In the free world the media isn't government run; the government is media run.
Fingerprints Can Be Hacked! by Irate+Engineer · 2015-11-10 14:04 · Score: 1

Literally.

--
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
Apples and Oranges by transfire · 2015-11-10 15:13 · Score: 2

I am so tired of this over-hashed argument (see what I did there?). Fingerprints are not meant to be passwords, they are *secure usernames*. In other words they provide a username that no one knows or can figure out. As such they provide some security, but not to the degree of a good secret password. So by itself a fingerprint shouldn't be used for security. But, a fingerprint makes a good part of a multi-part system. In most cases a fingerprint and a pin is quite sufficient and much better than a known or obvious username and a typically poor secret password. P.S. Inferred handscans are even more secure than fingerprints, and given all the issues with passwords, are probably sufficient in themselves in most cases.
Lack of hashing is irrelevant by Antique+Geekmeister · 2015-11-10 15:55 · Score: 1

The large vulnerability is not in the encryption of the stored fingerprint information. It's in the very poor tools for measuring and reporting valid fingerprints, which allow matching with even vaguely similar fingerprint images. The original infamous study on the problem is at http://web.mit.edu/6.857/OldSt..., and there was even a MythBusters episode demonstrating the essential vulnerability of the system to casually sampled, stored, and replicated fingerprints at https://www.youtube.com/watch?... .
It was especially impressive that Mythbusters used a printed copy of a fingerprint, licked it, put it on the commercial biometric scanner, and were able to defeat the security scanner. These devices are security theater at its worst.
So I know something about this.... by FrankSchwab · 2015-11-10 17:24 · Score: 5, Interesting

Finally, a slashdot topic where I can be informative. Disclaimer: I work in the industry building fingerprint sensors.
Fingerprints aren't perfect security. As so many others have pointed out, you leave them everywhere. That doesn't mean that they're not useful.
1. It's extraordinarily difficult to create a fingerprint spoof from a latent print. Yes, there are people who can do it - I can do it - but it's not easy. Notice on the videos of breaking into the iPhone 5s or 6 that latent prints are taken from a single fingerprint placed carefully on a squeaky clean screen. On your average phone, not so much. Someone who picks up my phone off the seat in a subway will be incapable of breaking in - unless I've just cleaned the screen with windex and carefully placed my fingerprint on it.
2. A fingerprint on a phone makes an excellent two-factor authentication system. The average hacker in east Elbonia can't break fingerprint security - because they don't have my phone or my fingerprint.
Perfect? No, but strong? Yes.

--
And the worms ate into his brain.
1. Re:So I know something about this.... by swillden · 2015-11-10 22:02 · Score: 2
  
  1. It's extraordinarily difficult to create a fingerprint spoof from a latent print. Yes, there are people who can do it - I can do it - but it's not easy. Notice on the videos of breaking into the iPhone 5s or 6 that latent prints are taken from a single fingerprint placed carefully on a squeaky clean screen. On your average phone, not so much. Someone who picks up my phone off the seat in a subway will be incapable of breaking in - unless I've just cleaned the screen with windex and carefully placed my fingerprint on it.
  This is not true, unfortunately. It is true that most devices will have a set of partial prints on them, but it's not actually that difficult to assemble them into a whole print, especially if you're okay with making a whole batch of gummi fingers. You simply apply feature extraction to the partial prints, match up common features across the partials and generate a set of candidate full prints. Doing this requires some software knowledge, but not really that much. I expect to see open source libraries that do it, soon. Once you have your set of candidates, use a high-resolution 3D printer to generate a set of molds, cast your gummi fingers, and try them.
  However, this still doesn't mean they're ineffective. They're less secure than a decent password, yes, but that's far from useless.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
2. Re:So I know something about this.... by Dixie_Flatline · 2015-11-11 10:28 · Score: 1
  
  I think his point was merely that it's not as trivial as getting a phone with fingerprints on it and suddenly having full access. The list of steps you included is still non-trivial, and I think we'd probably agree that almost all phone security is about discouraging trivial access. That list of steps is complicated enough that it probably requires a dedicated location (nobody is going to be able to do it while still on the subway), which gives me time to recognize my phone is gone and remotely kill it.
3. Re:So I know something about this.... by swillden · 2015-11-12 00:44 · Score: 1
  
  I think we'd probably agree that almost all phone security is about discouraging trivial access
  We wouldn't agree on that, actually. My goal over the next couple of Android releases is to make password-based security very strong. Even a four-digit PIN can provide very strong security if brute force countermeasures are good and the password storage and comparison is done properly, in secure hardware.
  But unless/until we get really good liveness detection, biometrics are strictly weaker. That doesn't make them useless, but we need to understand the limits.
  
  That list of steps is complicated enough that it probably requires a dedicated location (nobody is going to be able to do it while still on the subway), which gives me time to recognize my phone is gone and remotely kill it.
  True, up to the "remotely kill it" part. The attacker's first step after getting your phone is to turn on airplane mode.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
4. Re:So I know something about this.... by FrankSchwab · 2015-11-12 08:35 · Score: 1
  
  So is it OK if I drop by and hand you my Galaxy S6, and start a timer to see how long it takes you to break in? I'd guess 8-10 hours of solid work for you, someone who appears knowledgeable in this area. That qualifies at least as "very difficult" to me, though perhaps I overstated it with "extraordinarily difficult".
  You seem quite knowledgeable, and I find no fault with your analysis and subsequent posts, other than the quibble with the level of effort needed.
  
  --
  And the worms ate into his brain.
5. Re:So I know something about this.... by swillden · 2015-11-12 10:11 · Score: 1
  
  So is it OK if I drop by and hand you my Galaxy S6, and start a timer to see how long it takes you to break in? I'd guess 8-10 hours of solid work for you, someone who appears knowledgeable in this area. That qualifies at least as "very difficult" to me, though perhaps I overstated it with "extraordinarily difficult".
  How much money is in your bank account? Most likely it's well worth that level of effort... and it wouldn't take that long. Probably half that. Even if it did, 8-10 hours is far from enough time for me to consider my phone secure. I want the break-in time to be measured in months, not hours or even days.
  
  You seem quite knowledgeable
  I would hope so, it's my job :-)
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
master password? seriously? by Anonymous Coward · 2015-11-10 18:25 · Score: 0

They can only be stored using encryption, which requires the same master password each time a new print read is compared to the stored key — a much weaker method than salted hashes.
You're doin' it wrong.
Way to Miss the Point Everyone by Anonymous Coward · 2015-11-10 18:31 · Score: 0

Most people aren't worried about some sophisticated attacker that is performing a targeted attack involving extracting fingerprints from pictures or surfaces, stealing your phone, and finding someway to physically enter the extracted fingerprint. Furthermore, phones that have fingerprint authentication drop the encryption key that's backed by the fingerprint on reboot and after a certain amount of time since last unlock (48 hours on the iPhone, but might be configurable). Then you need the password to login or read the data on the device. So an attack would have to steal the phone and successfully perform the attack within that time. For almost all users, that's more than secure enough and incredibly convenient.
It's a problem for nailbiters by Anonymous Coward · 2015-11-10 19:05 · Score: 0

I'm a nailbiter and it's common for nailbiters to not just bite their nails, but also bite the skin around their nails. I bite the skin on my thumb so I'm sure I'd have problems if I ever use a fingerprint scanner.
ISIS by harvey+the+nerd · 2015-11-10 20:58 · Score: 1

not to mention the ISIS type problems....
Fingerprints are a USERNAME not a PASSWORD! by martinjaudley · 2015-11-10 21:01 · Score: 1

Fingerprints cannot be changed, and claim your identity - so they are a username. They can cannot be kept secret, and can easily be copied off a glass - so they are not a password.
Of course fingerprints can be hashed by aaaaaaargh! · 2015-11-10 21:50 · Score: 1

Anything that can be recognized automatically can be also hashed by hashing the parameters used for recognition rather than the image they're extracted from.
Bond, James Bond. by fredgiblet · 2015-11-11 00:02 · Score: 1

I'm reminded of the Bond movie where he scans the fingerprint using his cell phone, then turns it around uses the scanned fingerprint to access the lock.
Queue Mission Impossible Theme by sjbe · 2015-11-11 01:15 · Score: 1

Your fingerprints are likely on there somewhere, and if someone really wants your print and device and you are careful they'll likely follow you and wait for you to leave something behind that'll give a great print.
Are you REALLY worried about that? Seriously? Anyone that serious about getting the contents of your phone is probably going to just grab you and put your finger on the reader.

Fingerprints are a shit security measure.
Maybe if you are worried about the Impossible Missions Force. In my case they work just fine. It's kind of like the lock on my house. No, it won't keep a determined intruder out but it will keep out casual snoopers.
Unhashable? by luis_a_espinal · 2015-11-11 01:59 · Score: 1

. Fingerprints cannot be hashed.
Bollocks. Utter bollocks. I admit I didn't read TFA, but this is just bollocks. If a biometric system can identify what seems to be a fingertip (the presentation of which changes every time due to sweat, scars, position of the finger, whatever), it means that system originally stored a model that can match all possible (and reasonable) presentations of said fingerprint. If there is a standard model for representing a fingertip, then you hash that. That is your hash. It might be specific to the system using the "model", and thus incompatible with another system using different models. But this wouldn't be different from a system requiring SHA-512 hashes vs another one that requires MD5.
Fingerprints are temporary (if you actually work) by Anonymous Coward · 2015-11-11 02:03 · Score: 0

You not just leak your DNA everywhere, you leak your fingerprints too. And unlike passwords, you can't just simply change them.
Mine change all the time. Fingerprint readers hate me, and I hate them.
But see, I actually do manual activities more demanding than typing, so I'm not the target demographic for fingerprint readers. The target's the wealthiest 20% (a group that includes almost 80% of the US population, since most of us no longer do real physical work, we just shuffle words).
When I lost the very tip of my right index finger it took six months to heal, and now it has a completely new print, mostly made of scar tissue. Works for everything except fingerprint readers!
not true by Anonymous Coward · 2015-11-11 03:39 · Score: 0

This is not true. Extracted fingerprint templates can be hashed. It is also possible to create modified templates using a transformation function and thanks to this, create "cancelable" fingerprint credentials.
its common sense day by Torvac · 2015-11-11 04:56 · Score: 1

biometric feature cannot be the password, only the login. is this still open for discussion ?
From photographs? No. by Anonymous Coward · 2015-11-11 05:09 · Score: 0

I used to work in biometrics, and I am very sceptical of the idea that fingers can be reproduced from photographs. Even with training and willing subjects, it is not guaranteed that you will get a good fingerprint. I can't imagine a random photograph having enough detail of a finger to get a usable print. Maybe someone has this technology, but it is definitely not widespread.
Re:fingerprints and retinas are username replaceme by gnupun · 2015-11-11 06:04 · Score: 1

No, they should not be used as usernames! We don't want facebook-like big brother stuff where every moron uses their real names for usernames just to discuss trivial stuff with his buddies.
Why? by Anonymous Coward · 2015-11-11 07:21 · Score: 0

I read the hackaday article yesterday, and it's missing one vital piece of information: WHY can fingerprints not be hashed?
It simply states they cannot, which sounds like bullshit.
Anything digital can be hashed. You can hash a txt file, you can hash an image.
Admittedly, my knowledge of fingerprint matching is limited to what they show on TV, as in "points of identification" or something, so why can't the "points of identification" be hashed?
Finger vein recognition by Anonymous Coward · 2015-11-11 23:30 · Score: 0

Finger vein recognition is the answer. almost all of the objections of getting spoofed.
Change it? by cwsumner · 2015-11-15 07:06 · Score: 1

Imagine that you had a password for everything, and it was known to be stolen or broken. And, that you could not ever change it!!
However, they can be used -with- a password and be better than just a password by it's self.