Fingerprints are Usernames, not Passwords
All these academic arguments about the security of fingerprints are interesting but completely are detached from the day-to-day use of TouchID.
I've been using it for about a week or so now. It's incredibly convenient. It unlocks my phone almost instantly. It prevents random people near by phone from being unable to unlock it. If a thief got their hands on it, they'd have a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.
All in all TouchID basically removes almost the entire burden from the security of having a locked phone. It's actually faster to unlock my phone with TouchID than codeless swipe to unlock, so it's a no-brainer to turn it on. It doesn't matter that the NSA probably has my fingerprints, in practice it prevents most people from getting into my phone in a way that is transparent and easy to use. If the spooks want my data, they can already get it.
I'm not so sure. How many people are motivated to dupe your fingerprints to get into your iPhone? How many of those people could conceivably get into your iPhone through other ways?
Fingerprints are a nice way to keep almost everyone out of your device. And for the rest, well, I really doubt some other locking mechanism would've kept them out.
The author is a maintainer of eCryptFS. For those not familiar with it, eCryptFS is an encrypted filesystem used by several Linux distributions (including Ubuntu) to protect your home directory and/or the entire disk. It serves a similar purpose to TrueCrypt, BitLocker, FileVault, etc.
For the purpose of a full-disk encryption software, fingerprints are many times weaker than a good password. The purpose of such software is to prevent a thief, the cops, the NSA, or anyone else who takes possession of your computer, from viewing the contents of your hard drive. A fingerprint won't protect you from the cops, since your prints are already all over the place and they can probably force you to provide a fresh copy anyway. In that case, fingerprint logins would only give the user an illusion of security. So it's understandable that the author doesn't want to enable fingerprint logins to his software.
For the purpose unlocking a phone, on the other hand, a fingerprint is probably good enough. The contents of the phone usually aren't encrypted, so a determined attacker will just turn the phone off, pull out the SD card and/or the internal Flash memory, and read everything off of it. Or if you're NSA, forget the phone and get the data straight from Apple. TouchID is not for NSA-proofing your phone, it's for deterring common thieves and pranksters.
tl;dr: I agree with the author that fingerprints are not a good fit for full-disk encryption software. But I don't agree that fingerprints are completely useless. It all depends on the type of attack you're trying to defend against.
Not essential to the main thesis of the article, but still: "But let's just say you're okay with Apple sharing your fingerprints with the NSA, as I've already told you, they're not private at all."
Ok, they are not private but I'd still not willingly put them on anything controlled by an US corporation. Govt sending their agents to collect my fingerprints from glasses? Not feasible, too costly. Agency asking Apple to fetch the fingerprints willingly provided by the population "just in case"? Maybe not today and not tomorrow but in a few years? I wouldn't bet on them not doing it. And once there you're just one false positive away from some serious shit happening to you.
#66 on the Evil Overlord list:
My security keypad will actually be a fingerprint scanner. Anyone who watches someone press a sequence of buttons or dusts the pad for fingerprints then subsequently tries to enter by repeating that sequence will trigger the alarm system.
Why not have the sequence remain the password, but also scan fingerprints? If you have the wrong fingerprints (username), the right password still won't work.
"Once your fingerprint is compromised how do you change it?"
This is the central question for all biometrics for me and I believe one of the hardest problems to solve. There are many people who believe they are solving this by using ever more intricate biometric identifiers, thus increasing the bar to reproduce them beyond what they believe currently feasible. But I'm yet to see that central question addressed.
What happens when you lose control of a biometric key?
A very good point. One of the most important things about strong authentication schemes is the revocation protocol. When things go bad, how easy and secure is the process of changing the auth mechanism? The trouble with fingerprints is that you're stuck with them for life, even if somebody else <pun> gets their hands on them </pun>.
I'll be interested when someone breaks Touch ID in a real life theft. This is not a simple process, it's not clear that a determined thief is even likely to find a good enough print in a real life case, and you can't mess around because after 5 failed attempts it will prompt for a password.
Touch ID will likely cover the vast majority of security use cases for iPhone owners.
A phone screen unlock is not like passwords as used elsewhere. It has to be short; otherwise it is impractical. We know that short passwords don't have much entropy. We also know that we can examine the grease on the screen and make a good guess as to what the password is.
If we consider phone unlocking mechanisms to be in a different "not fully secure, but at least practical" category, then I think it's perfectly acceptable to use a fingerprint as an unlock.
Mitigation is possible too. For example, the phone could lock out and require a proper password if it detects tampering (which, AIUI from other comments, the iPhone does).
I've been using TouchID for the past few days, although I'm going to disable it before international travel. It works amazingly well. It caused me to set my unlock timeout to 1min vs. 5min.
The biggest annoyance is I keep holding my thumb on the home button on my iPad, then get disappointed when I realize it won't work. I've probably done that 20 times so far.
I really wish I could do "per context security" -- requiring multiple discrete factors based on action and threat. That would be a huge innovation for the iPhone, which would sell the next billion phones, if integrated with Internet services and apps. In my house, maybe not require anything, or just a thumbprint. In my car, same. In a coffeeshop, normal passcode after a few minutes, unless the phone has just accelerated highly, in which case a much higher passcode. At Customs in China, a passphrase held out of country. etc.
A bigger deal than Siri, if slightly less of a deal than Retina, and something a team of 2-5 people could implement before iOS 8. I'd even be willing to work at Apple to do it.
I have my password set to wipe my iphone after only 3 incorrect tries but I disagree about touchID being more convenient. You can be compelled to give LEOs access to your device if it only requires your fingerprint. I can conveniently forget my PIN if necessary.
Any good thief is going to swipe a phone and worry more about getting away and less about unlocking it which they will do later. Furthermore, unless you're jailbroken and have changed your default sudo credentials then your data isn't all that secure anyway against someone with a computer and rudimentary software. All of which can be done while the phone is off or in an area with no service. That would also serve to defeat find my iphone as well.
Above is by a "maintainer of eCryptfs" noting that we would otherwise leave our passwords on everything we touch and without option when that password is compromised.
I wonder though, is there a biometric facet that can surmount the bar of unreplicable uniqueness? Contact lenses can fool iris scanners. Perhaps we should make a dental impression sensor?
Alternatively, fingerprints should be used as 2FA. They're something you have. Supplement it with something you know (or that your encrypted password store knows) and you're golden.
One issue here is that there is no way to give out unique username/password pairs to each service.
If apple uses this, and google follows, and facebook, twitter, linkedin, my paypal and CoolAppForYorFone(TM) and everything else, then if CoolAppForYourFone(TM) scans my fingerprints, then they have access to everything on all other accounts which use this info.
Once it becomes common, then on street corners, salespeople will ask your opinion on things, "Hi! We're doing a survey this week for Vodaphone - just a quick question - do you think people with android phones or iPhones have sex more often?" and ask you to give a fingerprint to sign it. And most people will.
Or "Hi! We're giving away 20 euros free credit today at PhonesForYou! Just place your finger on the scanner here, and tell us your phone number and we'll send it through!"
We're already trackable enough, why make it easier for scammers with scanners?
4 digits pin codes aren't passwords either. Sometimes good enough is good enough.
Fundamentally, a username and password are parts of the same thing - a collection of information (often a string of text) that you need to get access to something. The 'username' is usually just the part of that isn't necessarily hidden.
Part of the problem is that Apple's iOS has no username, just a password. Thus, one of the differences with a fingerprint 'password' that I haven't seen much discussed is that it would make him harder to share that tablet with his wife, since they can share one four-digit passcode, but not (as far as I know) two different fingerprints. The fingerprint makes it much harder for the popular family use cases between letting one person in and letting everyone in.
Edit: OK, cool, my comment is invalid.
This might be true for things that truly need to be secure (bank vaults, super secret government facilities, etc.). Clearly in those cases just relying on a fingerprint that could be compromised by motivated attackers is not enough. But personally (and I imagine this is true for many users) I'm not trying to secure my iPhone from highly motivated and skilled attackers. Those individuals will probably be able to access the data on my iPhone fingerprint or not. Given that, it just is a convenience feature, allowing me to secure my phone from the everyday person trying to pry into my phone and give me access much easier and quicker.
I don't lock my phone to keep out the NSA or the government. I suppose those organizations would be able to easily crack in regardless. I lock my phone so my child can't pick it up and mess things up. Or to hopefully deter potential robbery. Thus, I think TouchID is great even though I do agree with the OP. If I had something like my primary computer that I needed to keep very secure, I'd shy away from using my fingerprint.
I can't help but think that there's a whole segment of HN readers who are thinking as single men. In the context of a family with kids this is a very different thing. My kids have access to my phone and my wife's --which are not locked in any way. I have access to my kid's iphones, ipods and ipads. Having devices locked to fingerprints in any way would be a nightmare. If you have really young kids, its a logistical mess.
I can see it working just fine from the context of a single and otherwise unattached individual. That'd be OK.
...until you have an accident and someone needs to figure out who to contact...but they can't get into your phone.
...or, until you lose your phone and whoever finds it actually wants to figure out who you are in order to return it.
...or any number of other scenarios where you actually want other people to access the device.
There's also the angle of trust. What's your significant other going to think when he/she can't get into your phone without your fingerprint?
Again, I can see it being a really convenient tool for some people. Not sure it is a universally useful thing.
> I could see some value, perhaps, in a tablet that I share with my wife, where each of us have our own accounts, with independent configurations, apps, and settings. We could each conveniently identify ourselves by our fingerprint. But biometrics cannot, and absolutely must not, be used to authenticate an identity.
I am not seeing the distinction. What exactly is the difference between an "identification" and an "authenticated identification"? With the family tablet, the fingerprint is still acting exactly like a password, and the reason the author is okay with it is because it's a password that's not protecting anything terribly important. Why not just have profiles that are selectable without any authentication? That would probably also work for a family tablet, but the fingerprint might be preferable to protect some info from your family members (even completely innocent things like shopping for gifts). Of course your family members could easily lift your fingerprint and bypass the biometrics, but it doesn't matter.
I was thinking that fingerprints would be phone numbers. Imagine getting calls routed to any phone that has been validated by your thumb print.
Uhhh, what?
This link has many of the hallmarks of bullshit, but it still spooks me.Of course, there are civil liberties at issue as well, since Apple could potentially share the information collected with governments. http://truthseekerdaily.com/2013/09/exclusive-apple-admits-iphone-5s-fingerprint-database-to-be-shared-with-nsa/But wait, the alternative is 4-digit PIN. How exactly is 4-digit password with only digits secure? How easy is it to see it over the shoulder?
The answer is: pretty easy.
Both phone locking technologies are not about securely protecting data, they are about preventing the phone from casual looks when you are away for 5 minutes and left your phone. And TouchID does a better job for this case.
Most of the comments seem to assume TouchID as implemented today will remain the same in future. Here are a few scenarios that I imagine it may evolve to:
1) Unlock using multiple fingers; 2) Unlock using the same finger repeatedly, but with different pauses between taps, e.g. two short taps, followed by one long tap; 3) Unlock using finger gesture, for example press your thumb, then move clockwise 45 degree; 4) Unlock using a single finger, the iPhone sends a passcode to your iWatch with which you can use to enter.
Such uses of fingerprint would be much more secured, yet still relatively convenient. Losing your fingerprints wouldn't really be a big problem. You only need to change the sequence.
To further the idea, iOS may offer multiple accounts. Family members may have access to a "guest" section, whereas the phone owner has full access. Fingerprints can be used to unlock the appropriate accounts.
Realistically 1) most people don't use a PIN code, 2) those that do use their birthday MMDD or DDMM.
If you think someone where you work/live might have to tools to lift your fingerprint from a beer bottle or spacebar, you probably have more serious problems than the contents of your iPhone.
I'm sure security nuts will put their iPhone in a shielded box with a coded lock on it, in addition to using (and painfully entering on each unlock) a high entropy passphrase that's as long as possible.
More power to them.
TouchID is a good enough to prevent my daughters from seeing the naughty texts I send to my wife (none of your business either), and that's more or less the level of security TouchID is designed for.
then don't use it. For me, it far outweighs having to type my password in everytime.
A fingerprint is a perfectly acceptable means of authentication for low security needs (read: most needs). For higher security it serves well as one of multiple authentication layers, e.g. a fingerprint AND a pin code.
Flagging due to him pointing to an obviously fake story to support his position.
All security is based on either something you know, something you have, something you are, or a combination of the three.
- A username is something you know.
- A password is something you know.
- A pinpad is something you have.
- A finger print is something you have.
This is a great point, but I'd love to see a passcode system that isn't vulnarable.
The "swipe puzzle" things (I'm not sure what to call them.)? I've been able to see people enter them once and unlock their phone. Passcodes? Even if people used secure ones, with a combo of looking while they're entering it and the smudges it leaves, it's not that hard to get.
Those are the 2 most frequent models of password input I've seen, both flawed. Any ideas for a better one?
Something you have. Something you know. Something you are. The point is to have more than one, not switch one for the other.
In this argument we are trying to find a balance between convenience and security - - but it's not possible. Anything that is easy for me to do to unlock a phone can be faked and/or hacked.
I'd rather just have an NFC chip hidden on my body that I had to tap the phone on before entering a numeric value on a randomized keypad.
About the only person I use even a pin lock around on my phone is my girlfriend, and that's just because she gets upset if I communicate with any girl. Fingerprint is fine for that purpose. Anything else I wouldn't bother locking it at all, I'd just disconnect the phone from my accounts if it is ever lost.
Wiping a phone in dfu mode removes the password as well. I learned the hard way when I forgot my pin and had to wipe and restore.
It also bypasses activation lock because phones sold overseas are usually sold to countries that do not subscribe to the national blacklisted imei database and this won't block the device on their network.
> Fingerprints are Usernames, not Passwords
No they're not. A username is something you intentionally give out to other members of some community so they can identify you. A username is by definition not secret at all, and it must necessarily be easy for others to replicate. It is not easy to replicate a fingerprint.
> But let's just say you're okay with Apple sharing your fingerprints with the NSA
Can we stop with this BS already?
undefined
Makes sense. Just like in a PGP web of trust, where that key is your unique identity, so will these fingerprints be. But it's a lot riskier to use them as your passwords (either against the NSA or other dedicated hackers).
Have there been any attempts to ascertain PINs by analyzing the finger residue left on touch screens? That strikes me as something that would be pretty easy (for an expert with the right gear), especially if patterns were used.
Fingerprints are passwords, they just aren't good ones. Just like "password" is a password and not a good one. Your phone number is your username.
Here's the thing folks- this is not an alternative to having a 16 digit passcode. this is an alternative to not having a passcode at all.
Only the mind is secure. I think this is all fairly obvious: we need to build thought reading technology to have entry-less authentication.
How about, "fingerprints are pass codes that I don't have to enter 200 times a day, which I currently do"?
The only thing different between a your fingerprints and a password is that you can change your password...
Sorry for the possibly stupid question.
Why do we not just use passwords to log into things? Why do we need a Username too?
That's a great way to tl;dr my tirade against biometric security. Is the link worth reading?
Wife (not a techie) says she wants Android now, so there's no one stealing her fingerprints.
This article is missing its own point. Username+password combinations are nothing but an identification means. Fingerprints solve the same purpose.
The issue this article should be trying to shed light on is one of inadequate fingerprint scanners, not that fingerprints themselves are compromised. Make a scanner that requires epidermal prints, and go from there.
I agree! Imagine yourself being drunk or having a deep sleep. Anyone can unlock your phone.
The best thing in this article is the list of things-that-turned-out-to-be-bad-ideas!
"Fingerprints are usernames" <-- that is an excellent insight.
OP too hung up on theory to see that TouchID works well in practice.
Agreed 100%
Well said!
my friend was a jobless searching online job... now what she makes 1000 of dollars online check out here big57.com