For anyone thinking of using fingerprints: There are a number of people, especially some older women (due to a lifetime of hand washing dishes) and chemotherapy survivors, who no longer have legible fingerprints. Insisting all users authenticate with legible fingerprints becomes discriminatory.
I'm not saying fingerprints are bad, just that there must be a process to support those that do not have them.
Basically anyone who washes their hands frequently (i.e. all medical personnel, food handlers, etc.) or does manual work with ungloved hands (including home gardening) can later in life have fingerprints so abraded as to be unidentifiable. Using a lot of hand lotion, as anyone with dry hands might, also tends to flatten the ridges. Any requirement for fingerprints as a biometric can render systems inaccessible for entire classes of people - it's a growing problem in banking for the elderly, for example.
Not even later in life. I spent a couple of weeks working with concrete blocks at home and I was unable to get into my workplace via the fingerprint scanner. (My fingerprints restored themselves a couple of weeks later).
I feel compelled to point out that hand lotion and hand sanitizer are not the same thing. However excessive use of hand sanitizer might have a similar effect on our fingerprints, for all I know.
My father has this problem. The last time he went for a background check they tried time and time again with an electronic scanner but it just could not get a legible scan.
After far too many unsuccessful attempts they pulled out the old ink roller and fingerprint card and called it a day with the first crack at it. At least the authorities had this option, what will happen when/if electronically scanned fingerprints are set as a hard requirement?
I've lost count of the number of times I've heard someone say, "don't use biometrics because you can't change your fingerprints". That's an absurd statement... because you can. There are acids, blowtorches, belt sanders and the good old boxcutter, to name but a few approaches.
None of those will change your fingerprints, they'll grow back unless you took off so much skin that your fingers are scarred and the prints won't grow back. Which doesn't really help with the supposed problem that if someone steals your fingerprints, you can't easily change them to another pattern.
My kids, for one. They're sneaky little buggers and I could envisage them observing my password as I type it into my PC. I can't, however, see them having the sophistication to lift a clean print off a glass, melt down a bunch of gummy bears and create a prosthetic that could fool the fingerprint reader on my PC.
I think it won't be too long until they can dust your fingerprints, take a picture of it, then have it 3d printed on a substrate that will fool a simple fingerprint scanner.
It's definitely a lot easier for anyone to create a fingerprint with today's technology and will get easier as time passes.
I still think the author's main point stands; it's way easier for them to remember a PIN that they observed and unlock your phone when you're not around versus the recreation of a "perfect" fingerprint.
This is why I hate if my phone decides I need to use my PIN to unlock it while I'm out. It's too easy to watch the PIN being entered. No one even has to be looking over my shoulder, it could be captured by a security camera.
> I think it won't be too long until they can dust your fingerprints, take a picture of it, then have it 3d printed on a substrate that will fool a simple fingerprint scanner.
I'm struggling to find good references right at this moment - but I've seen reports/video of this being done using more basic means, years ago. But I may be misremembering details.
It seems that it's already possible to produce usable fingerprints using a laser printer, printable transparencies (i.e. for overhead projectors), and some glue.
The idea is that you print the inverted fingerprint on a transparency. Because the transparency doesn't allow the toner to absorb in, it remains on the surface as a 3D structure.
You then apply glue to that structure, and wait for it to cure. After it cures it can be removed and trimmed to fit your finger, and then applied to your finger.
This apparently is reliable enough to fool basic fingerprint scanners, even ones with 'liveness' checks for conductivity/pulse because the glue is conductive and transparent enough for those basic checks.
The difference between biometric and password is extremely simple. A password requires your action to provide. A biometric can be taken from you without much force. I may need to torture you or hold you in a cell to get a password, but I can just put the phone to your finger or hold it to your face to get a biometric. (Who can forget Demolition Man?) So the dynamic with the threat actor is very different.
That is complicated, but also not related to the 5th amendment. Warrants are a part of 4th amendment rights.
The 4th amendment is intended to ensure (among other things) that the government can't search some locations for evidence without first proving they have a good cause for that search.
The 5th amendment is intended to ensure (among other things) that the government can't use force or threats to make you admit to a crime, regardless of whether you committed or didn't commit that crime.
The distinction is that a court could grant the right to force someone to put their thumb on a phone, or look at a phone's camera, but they (in some but not all cases) cannot force you to type in your passcode.
The argument is that your fingerprint or face is not "testimony" but a fact of who you are, but your passcode is a testimony, a declaration that you have some specific knowledge.
A phone unlocking is equivalent to it saying "Yes that is my owner/user", and that is not that person testifying, it is the device testifying against that person. Similarly it would be as if someone kept a picture of them committing a crime that was found with a valid warrant, they could not claim that having taken the picture it is their own testimony and can't be used against them. Taking the picture is a past event and requires no compelling of testimony to be used as evidence.
Getting biometrics without a warrant is a contentious issue. There are situations where a warrant is not needed, and these have also been abused to gather biometrics in situations that should have required a warrant but it was denied.
2020. They just make a virtual 3D model of you from all the data they collected and stream it directly to the device.
2022. They can now engrave fingertips on paper.
And you can't change your biometrics, at least not as easily. So it can be used as an identifier as well and also can be used to match you in between databases.
But it's easy to trick the user. Very easy. And because passwords tend to be difficult to use, users tend to pick easy ones, such that you don't need to trick the user at all. With bio, the user may opt to have the protection whereas with password they either may not, or it may be trivially bypassed. Bio systems can be engineered to be anti-phishing, anti-MITM, etc. Incredibly hard to do that with passwords.
Claiming that the user has to do something to use a password ignores the vast, vast set of vulnerabilities involved.
One is not really better than the other per se. It's very use case dependent and you optimize for a specific outcome based on the risks at hand. You won't perfectly get every possibility nailed.
I got my kid to hate Cortana by doing a weird voice that nonetheless was treated as theirs. “Hey Cortana” is still a joke in our house. Maybe.
But to your point, those require doing, which is the difference. Regular use in mixed environments (airport terminal, office, waiting for the train, etc.) is TBD. As long as I have a password backup for the days I’m in bed sick.
I dismissed this guy a long time ago as a Microsoft (or more precisely, mediocre and big-company biased) shill -- then I read a few of his articles and gained a bit of respect for him.
And then I read this and I'm back to square one.
Forest/trees man. He just sounds like he's trying too hard to hand-wave away serious flaws in biometrics by trying to reassure us "well, it's not likely to happen to you personally, so you shouldn't worry about it," which is always always the worst, and perhaps most dangerous privacy argument ever given -- because of its unreasonable effectiveness against the "common man."
His statement "Well, if the cops are your threat actor, then don't use biometrics! Instead, just sit in jail..." sounds a LOT like "If you have done nothing wrong, then why do you care if there is mass surveillance? Are you hiding something?"
Likewise. I watched a course of his and enjoyed it, followed his Have I Been Pwned stuff, and generally respected him. Then he came out with this article as well as some takes on Twitter about Apple's CSAM scanning, and I lost a lot of respect. He has some authoritarian leanings that seem at odds with his security work. He seems like he's interested in security, but not that interested in privacy.
The whole argument is "biometrics are harder than you think to fake, better than nothing, and in a scenario where you're being physically assaulted a password isn't much safer".
What's the issue? He's not advocating for you to stop using a strong password if you already are, he's saying people who use nothing should be encouraged to use something... perfect is the enemy of good.
You miss another part:
Normalizing the use of biometrics may create a situation where you don't have a choice to use something else.
It's similar to phone number verification.
> he’s not advocating for you to stop using a strong password if you already are
Did you read the article? He is exactly saying that acquiring your password (however strong) is in most circumstances much easier than acquiring your fingerprints.
He's not just saying that biometrics are better than nothing, because of course everybody agrees with that - no privacy/security activist ever said 'the police could compel you to unlock your phone with a finger, therefore you should keep your phone unlocked'!
Correct. I'm not saying he's wrong, I'm saying he's irresponsible.
I absolutely want any so-called security expert to always also include the big picture or shut up forever. There's too much confusion and too at stake for people as big as him to isolate personal security from big picture privacy.
I believe that Troy is quite clearly including the big picture, but his assumptions about it may be different than yours - in particular, he's effectively making a point that in the big picture defense from competent adversaries there is no major difference between passwords and biometrics (by providing examples where trying to rely on passwords doesn't help much) and thus discussing those attacks simply isn't relevant for a discussion on "biometrics vs passwords for the common person"; it would be worthwhile to discuss the weakness of biometrics to e.g. state-level actors if and only if the alternative (pin-codes/passwords) is meaningfully different in that regard, and IMHO it isn't as a resourced attacker can e.g. unlock phones without owner's cooperation no matter if you're using a fingerprint or a passcode.
This article thinks you need to be physically present to steal a fingerprint when OPM stores them on hard drives by the millions that have already been hacked? I’m confused about the conclusions.
“It’s okay - you’re not worth hacking enough to worry about weaknesses in biometric security” seems like a better title for the assertions made here.
> We've all since watched enough crime shows to understand that fingerprints are unique personal biometric attributes and to date, no two people have ever been found to have a matching set.
Maybe that's true or not, but that's never been conclusive.
What has happened was that after the 3/11 attacks in Madrid, an American was suspected because his fingerprint was misidentified, partially because of this reasoning.
When the biometrics on the client send the credential to the server for authentication, it's going to be serialized somehow. This is the part I'm worried about. I'm not so worried about someone lifting my print off a wine glass. Somehow a print (or iris or face or whatever) is encoded into bits and bytes. And that's going to be handled by every service I want to authenticate with? I don't trust them. Passwords leak all the time from leaky databases. Why wouldn't my fingerprints? The only difference is... I can't change my prints.
They don't necessarily serialize and send your biometrics over the internet. FIDO biometric implementations, for example, use it to unlock an on-device private key, which is then used to sign a challenge for the server to authenticate. No secrets, biometrics included, leave the device.
So how would I be able to use a new device to authenticate using an existing account? How would I be able to do that if the original device was cast into the fires of Mount Doom?
IMO biometric auth will never completely displace passwords unless it can beat the user experience of a password manager.
But, as it may be obvious, I really don't understand how the biometric stuff works.
The simple answer is that generally you don't, you first authenticate in some other way and then add biometrics (stored on the device) as an alternate means of authentication. It displaces other methods as the day-to-day commonly used authentication, but not completely.
Which is a really big deal! I don't buy into Apple's flashy marketing crap, but TouchID got a few things right. Things that are easy to get wrong. Specifically, if an attacker steals my phone, getting my fingerprint out of the touchID chip is (supposed to be) nigh impossible, but no matter how possible that is/isn't, the point is that an attacker can't snoop the wires between the touchID chip and the phone's CPU, and then replay that conversation. There's a ton of ways to implement it wrongly. That the iPhone did it well isn't a reason that it would be okay to YOLO post picture of your fingerprints on Twitter.
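The FIDO-style flow described in this part of the thread (the device unlocks a local private key and signs a server challenge, a new device is enrolled through the primary credential rather than through biometrics, and a fresh one-time challenge means a captured sensor-to-CPU conversation cannot be replayed), as an added Go example that is not part of the thread and not any vendor's implementation. The account name, password and biometric samples are constructed, and an exact hash comparison stands in for the sensor's fuzzy matcher.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Device stands in for a FIDO-style authenticator: the biometric template and the
// private key exist only here, and the server only ever sees the public key.
type Device struct {
	templateHash [32]byte // constructed stand-in for the sensor's matcher state
	priv         ed25519.PrivateKey
	Pub          ed25519.PublicKey
}

// NewDevice enrolls a biometric sample locally and generates a fresh key pair.
func NewDevice(sample []byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{templateHash: sha256.Sum256(sample), priv: priv, Pub: pub}, nil
}

// SignChallenge releases a signature only after the on-device check passes; the
// sample is never transmitted. Exact hash matching is a simplification.
func (d *Device) SignChallenge(sample, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(sample)
	if subtle.ConstantTimeCompare(h[:], d.templateHash[:]) != 1 {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Server holds only a password hash and public keys per account: no print, nothing replayable.
type Server struct {
	pwHash  map[string][32]byte
	keys    map[string][]ed25519.PublicKey
	pending map[string][]byte // outstanding one-time challenge per user
}

func NewServer() *Server {
	return &Server{map[string][32]byte{}, map[string][]ed25519.PublicKey{}, map[string][]byte{}}
}

// CreateAccount sets the primary credential (SHA-256 for brevity; use a slow hash in practice).
func (s *Server) CreateAccount(user, password string) {
	s.pwHash[user] = sha256.Sum256([]byte(password))
}

// RegisterDevice binds a device key to an account, gated by the primary credential.
func (s *Server) RegisterDevice(user, password string, pub ed25519.PublicKey) error {
	h, want := sha256.Sum256([]byte(password)), s.pwHash[user]
	if subtle.ConstantTimeCompare(h[:], want[:]) != 1 {
		return errors.New("primary authentication failed")
	}
	s.keys[user] = append(s.keys[user], pub)
	return nil
}

// Challenge issues a fresh random nonce; signing it proves key possession now.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify accepts a signature over the outstanding challenge, then discards it (no replay).
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	want, ok := s.pending[user]
	if !ok || subtle.ConstantTimeCompare(challenge, want) != 1 {
		return false
	}
	delete(s.pending, user)
	for _, pub := range s.keys[user] {
		if ed25519.Verify(pub, challenge, sig) {
			return true
		}
	}
	return false
}
```

A dump of the Server state yields public keys and a password hash, which is why a breach of this design exposes no biometric; enrolling a replacement device needs the password again, which is the trade-off the thread describes.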
> So, what was required to obtain the print and how does it differ from obtaining a password? […] A knowledge of spy tradecraft, specialist equipment and perhaps most importantly, physical presence.
> I've lost count of the number of times I've heard someone say, "don't use biometrics because you can't change your fingerprints". That's an absurd statement... because you can. [...] Thing is though, [...] it really provides no benefit whatsoever to those who've had their biometric secrets revealed.
Why call the statement "absurd" only to essentially agree with it by the end of the paragraph?
Mostly off-topic, but what do you do when Android forces you to type your password again for "additional security" and you're in front of a bunch of people you can't practically hide your phone from? Do security-conscious folks disable it somehow (and if so, how)? It happens when you least expect it which makes it actually worse than just a plain password in that respect.
I turn off my phone when I go to sleep and turn it on in the morning. It requires me to enter the password then, while I'm still at home, and never prompts me to enter it over the day again.
I think my favourite Usenix paper is appropriate here:
"Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT." -- https://www.usenix.org/system/files/1401_08-12_mickens.pdf
Good passwords and biometrics help if your adversary is not-Mossad.
Anybody who thinks biometrics or encryption or anything short of "Magical amulets? Fake your own death, move into a submarine?" is going to protect them against a nation state level adversary is kidding themselves.
> you’re either dealing with Mossad or not-Mossad.
No, you’re leaving out one very important class of actors, which I will call the NSA: The NSA, and others like them, unlike Mossad, are not after you personally, in that they don't want to do anything to you. Not immediately. Not now. They simply want to get to know you better. They are gathering information. All the information. What you do, what you buy, how you vote, what you think. And they want to do this to everybody, all the time. This might or might not bite you in the future. You seem to imply that since nothing immediately bad is happening by using slightly bad security, then it’s OK and we shouldn’t worry about it, since Mossad is not after us. I think that we should have a slightly longer view of what allowing the NSA (et al.) to know everything about everybody would mean, and who the NSA could some day give this information to, and what those people could do with the information. You have to think a few steps ahead to realize the danger.
The NSA _is_ Mossad. The NSA has means way beyond what an individual actor has. The NSA splices cables and taps directly into ISPs and large companies to vacuum up all your data. Do they read your encrypted data? Maybe not. But the moment you truly become interesting to them, they _will_ have a wrench to make you give out the password. Don't kid yourself.
All that is true. What I was criticizing was the logic of the linked paper, which went, essentially: ‘When I do slightly insecure things, nothing bad observably happens. Therefore, Mossad must not be after me. It follows that it’s OK to not be very secure, since only Mossad could break through my security anyway’. This logic is faulty for the reason I wrote; your slightly bad security can be broken without you necessarily knowing about it, since the reason the entities I termed “the NSA” have for breaking your security is different from the reason which what he termed “Mossad” has.
Whether passwords are considered testimony or not is not quite settled in US and Canada yet. There are instances where the court has determined that the accused can be forced to put their finger on the fingerprint reader of their device, but cannot be forced to give up their password. Although there are cases where the password was forced to be given up as well. Until this is resolved one way or another, passwords remain potentially safer than biometrics.
There's a difference. Your finger can be used against your will. Your brain can't be scanned for a password against your will; you have an ultimate choice to provide the password or not.
Your brain has different failure modes to your fingerprints, though, and your brain in itself cannot [yet] be used involuntarily in the way that your finger[-tip] can, and as a result of factors like these it's harder to implement distress protocols in biometric authentication systems.
Throw someone in an MRI or whatever. Continuously scan their brain, while their eyes are taped open, and display a changing character on the screen. Meanwhile, play a sound file with someone saying "password" in the background constantly, so diversionary mental tactics won't work.
Soon, the first character of their pass will appear, a part of their brain will respond, and you have the first char. Continue until the entire pass appears, and "despair" alights in their brain.
If someone is relatively unfamiliar with torture, they might think something like this. It is difficult to grasp the loss of physical and even mental autonomy and the lasting effects that it can have. One of the arguments against torture (from the point of view of effectiveness) is that everyone talks, even when they don't have the information sought.
I have plenty of passwords memorized. I could think of my email password from 2002 (yes, I remember it), or any of my work passwords, or my Steam account password.
You do however, have close relatives, family, friends, things you own, people you care for, your own life, that can be used and threatened for you to give out your password.
Don't kid yourself. Torture methods exist for a reason: as horrible as they are, they work, no matter the person. And they won't stop until they get your vacation pictures.
If it really works, it should not be too hard to overcome this. There will be a different reaction when you see letters of the password you've actually been asked for piling up. So just a second session looking for this yet-unseen pattern could work.
I think this is quite interesting and would not only work for passwords, if it works at all. I would love to read more about this :)
I think you can disable that by disabling "require attention". If "require attention" is enabled FaceID won't work unless you are looking at your phone. I believe it is enabled by default.
But pro-tip if you are being apprehended by police is to furiously click on the side button as the phone will require pin code after that.
> But pro-tip if you are being apprehended by police is to furiously click on the side button as the phone will require pin code after that.
Apparently that won't work on Android -- though there's a lockdown feature (that will disable biometric-unlock) that you can access after long pressing the power button.
Yea, I wish lockdown was easier to access on Android. An alternative would be holding the power button for long enough to turn the phone off. Not great either though.
I don't know about Germany but here in The Netherlands Face ID falls in the same ballpark as fingerprint. The police can use reasonable force to have you unlock your device with fingerprint, or with your face.
You can quickly disable biometric access on iPhones while the phone is locked by pressing the wake and a volume button simultaneously or pressing the wake button five times, although the latter triggers a call to emergency services too. Of course, that's only useful if you are in position to do so.
Every police officer should know this, and try to work around it when the situation arises.
My fingerprint reader on my smartphone is so fucked up that if I just quickly move my finger on it, I have too many attempts and it's disabled. Then it requires whatever else you use (PIN, password, ...).
It's worth noting that there are some countries out there collecting innocent citizens' fingerprints at the time of common operations such as obtaining a driver's license (presumably to match them later early on). Does a citizen even have any protection against these practices, perhaps with hard to notice prosthetics?
Using biometrics is far riskier than passwords at short physical distances. Meaning, if you're in the room with your assailant (alive, sleeping, or dead) then your bio-password is in plain sight. In fact, only your head and/or fingers need be present.
The threat model for the vast majority of people does not include "the people in the room with me" with those same people being willing and able to defeat biometrics.
The vast majority of people need to worry about ransomware operators and phishers. Biometrics are great for defending against those.
The article ventured into Mossad territory, so I pointed out the absurdity of such a scenario.
Distance or not, biometrics are part of a totalitarian future, and as such are to be avoided. The conversation about passwords will be moribund before you know it.
Use a password manager and sufficiently high entropy passwords and you are fine for now. You can't brute force them and because you can't remember them, you won't be typing them manually or do any of the other things that make passwords a problem.
Biometrics are convenient though. I use them with my password manager. For things where it matters, use multi factor authentication. Long term, multi will have to be more than 2. The more factors, the harder it is to break through. For example, I use a separate tool to store my 2FA secrets than my password manager (which can do this). That's almost (not quite) an extra factor. You might call it 2.5FA.
> And when you do unlock your biometric-enabled device, you can do so in front of people whom you wouldn't want to know your PIN. You can be on public transport, standing in a queue or even sitting down at your biometric-enabled PC with a friend and authenticate without disclosing an easily reusable secret.
YES! Both Android and iOS insist we re-type our password at random times when using biometrics, and of course "random time" is always the worst possible time (in the subway, on a plane, etc.)
I don't understand this. Why force me to type a password at the risk of divulging it? What's the point of this?
I think it's just a timeout of a few days. The point is that if your phone got stolen or taken away from you, attackers have a limited time to attempt a fingerprint attack, after which they must use a more sophisticated PIN brute-force attack. Not sure if it adds much to security, but it's something.
The actual reason is to make you practice your password so you don't forget.
You might scratch your finger or the sensor might get dirty or break. Biometrics in (current) phones are a convenience, not security.
The slides showing passcode adoption going from about half to 90% with Touch ID's addition are fascinating, and an aspect I hadn't considered. Anyone know if the research there is publicly available?
Someone stealing your fingerprints may be more difficult than stealing your password, but you can change your password.
The essay mentions this as an absurd argument, but then completely fails to explain why it's an absurd argument.
He does make a strong case for the use of biometric authentication with the group of people who aren't willing or able to spend any energy on security, but he didn't make the case for why people who are so willing and able should use it.
Man, I'm not worried so much about malicious state or corporate actors getting my biometrics. I'm worried about the incompetent ones (which is all of them). Those are the guys who collect biometric data, store it, and then lose it. Like my social, once my face is out there I can't get it back. I know that nobody is going to make a copy of my beautiful face to get access to my iPhone, but more about the future when biometrics are used to let us into -- for instance -- a cloud provider's platform[0]. At that point there's no physical device to bypass, it's just a question of sending the right bits to a server. Then my biometrics are defeated and I won't be able to reset them.
The arguments are built on hyperbole. People who are concerned are compared with people burning off their fingerprints and anti-vaxxers. For passwords, it's possible for "any kid anywhere in the world with an internet connection to grab troves of them with ease."
The approach is undeniably dramatic but the primary purpose is to highlight that using biometrics for passwords is beneficial for most people and shouldn't be dismissed.
I personally used a pin code on my second phone because I was fearful of the biometrics chatter but this article convinced me that using the fingerprint scanner is safer in most scenarios than otherwise.
The core of Troy Hunt's argument about the legal difference of biometrics vs a password seems to be that the cops are "going to shoot you (too) and take your phone". Which is dramatic but doesn't really address the issue. Yeah fine sure, if you're a criminal drug dealer and Denzel Washington's crooked narcotics cop character from Training Day rolls up on you and wants your phone, you're either going to give up the phone or you're going to die.
Back in the real world, we saw civil unrest (of varying types) in the past 12 months, but the rule of law is still there. See how the case against Backpage for sex trafficking is being re-run.
> "Use biometrics. It incentivises people to secure more things, it's resilient to all sorts of risks passwords are not and as an added bonus, it makes your digital life a whole lot easier"
The article's conclusion sums it up well: people being clever talking about the problems with biometrics are the problem.
Not really. Security is built around likelihoods, and most attacks are really not likely, so it’s just a question of which attacks are likely and mitigating them.