Almost ten years ago I bought a Logitech keyboard with a fingerprint reader. People were saying that fingerprint readers would be the end of passwords. The keyboard came with a nice piece of software that automatically entered passwords on websites upon a verified fingerprint.
It didn't happen. I would attribute it to two main frustrations: the readers only worked inconsistently due to particulate build up, and would occasionally have false positives. I think false positives are an inherent risk with fingerprint readers and in any case are not suitable for security as lifting a fingerprint from someone unwittingly is easy.
What's worse: if someone can get to the software fingerprint image stored in the computer, they can create fake fingers that work in conventional fingerprint scanners. http://youtu.be/K1Sx_BmfZ8I
Having a stolen fingerprint is worse than a stolen password. For one, people tend to trust fingers more; for the other, it's impossible to change your fingerprint, unlike your password.
I really can't trust these kinds of consumer technologies until their designers use revocable biometric systems to protect the fingerprint template. That area of the literature is quite well studied, but everyone seems to ignore it.
Even if you just store minutiae points (lists of X,Y coordinates of "interesting" points in the image like ends, bifurcations, etc), recent research shows how to generate a plausible fingerprint image that has those same minutiae. Here's one work: http://www.cse.msu.edu/biometrics/Publications/Fingerprint/F... Take a look at the pretty figures. This was done four years ago; it's only gotten better since then.
Some governments etc. force you to submit to giving fingerprints of all ten fingers. If an adversary steals just that biometric database, you're done. That's it. No more fingers to use.
Any civil worker who takes fingerprints isn't going to let you put your foot on the fingerprint scanner to verify your identity, and the next customers certainly don't want to touch the device after you've had your way with it.
Fingerprints are great as a security token, but they should not replace passwords completely. Together with a PIN they will be useful.
"Led by Stephanie Schuckers, an associate professor of electrical and computer engineering at Potsdam, N.Y.-based Clarkson University, the researchers tested 66 Play-Doh copies of real fingerprints of 11 different people. The fake fingerprints were verified as the real deal 90 percent of the time."
Almost 8 years ago. Fingerprint readers could have improved since then (the article even points out that they have software in the lab to do so). Anybody know how good the current crop of HW/SW combinations is?
Sure, the high-end fingerprint scanners are reasonably good at this sort of liveness detection (eg. by detecting the pulse of blood flow or by inferring something about the 3D structure of the fingerprint so you can't just hold up a picture), but the cheap $20 scanners that many businesses use aren't going to be able to distinguish a real from a fake.
My girlfriend uses an app that lets her detect her heartrate by putting her finger in front of her camera while the light on the phone shines. I don't really see why whatever they're putting into the phone couldn't do something similar.
The purpose of the fingerprint is basically to be an extra button the device. You could get 95% of the security benefit of this with a special new button on the iphone ("login") and a normal passcode. The value is having credentials stored in the secure element of the phone, or encrypted under keys in the secure element (which is a standard keystore API thing since ios5), with a set of APIs for apps to access them and present a UI action to the user.
It's no different from the windows SAK (ctrl-alt-del) or the Mac "administrative user" dialog box.
That's exactly why "revocable biometrics" are so important. There are ways of combining a fingerprint and a password to combine the security of using both with the revocability of an ordinary password: http://www.wjscheirer.com/papers/wjs_icb2009_bipartite.pdf
Thanks for sharing the PDF. This isn't a subject I know much about but curious to learn more.
Bipartite biotokens do seem significantly more secure than naked biometrics, but I'm not sure I understand the benefit if security still boils down to user passwords, especially if one assumes that any static security component will eventually be compromised.
Using the password to salt the original biometric improves privacy and security, but there are a lot of other ways to compromise biometrics - people look at a lot of cameras and leave a lot of fingerprints, and existing biometric systems (while improving) are fooled by photocopies.
That's true. It all boils down to whether you have more information than the adversary. By default, you have both a password and a biometric; with the biotoken strategy, authentication requires both. If you lose your password (eg. password database being compromised, doesn't require local access), only your biometric can protect you. With biotokens, the idea is that if the biotoken fingerprint database is compromised, the adversary can't get any useful representation of your fingerprint, even if they have your password. Sure, as you say, you can lose your fingerprint if your attacker tails you at the coffee shop to lift it from the glass table or your discarded coffee mug ("local access"). But now the adversary has all the information that you do -- your password and your biometric -- so you're doomed no matter what.
Boult and Scheirer, the author of the above paper, gave a great tutorial about these kinds of privacy/security issues at 2011's International Joint Conference on Biometrics (IJCB), if you're interested about learning more. Both happen to be my former advisors too ;)
If Apple's hardware implementation is as good as my two year old Motorola Atrix, their customers will love the fingerprint reader. But I, for one, would never entrust all my passwords to Apple's closed source software, especially given their record in the area of software quality control.
I currently do trust a good portion of my passwords to OS X's Keychain app, because based on my knowledge I'm fine with their record of software QC. What am I missing?
Just look at the recent Developer site snafu. Or look at all the times their simple alarm clock choked on New Year's Day or leap years. Or even that hilarious bug where typing File:/// would crash almost all OSX and iOS apps.
Thank you for a thorough reply. IMHO, these bugs do not differ in severity or frequency when compared other closed source software vendors or from open source projects.
The iCloud aspect does bother me quite a bit though, particularly when combined with likely NSA backdoors.
The Finder bug I linked to actually deleted the source file before checking that it was moved successfully to the destination. The unix "mv" command predates the Finder by 30 years or so, and gets it right, of course. This is an elementary, student-level blunder that made it in to the Finder, the center of the user's interaction with the system. A lot of people lost a lot of data as this bug remained uncorrected for months. There were similar bugs in Mail, getting IMAP semantics wrong and deleting messages. Anyone who offers an assessment of Apple's software quality control at least needs to take this history into account.
I'm sure that there are open source projects out there that are just as bad. I don't use those. The ones I do use, like mutt, don't contain this level of blunder. It's not that we should expect software to be free of bugs. It's just that the nature of these Apple bugs suggest a cavalier attitude to software quality and a severe lack of testing. Combine this with closed source and a critical security function, and you have an explosive mixture.
To sign on and off, I would enter my 6 digit employee number into a pin pad, then scan my right index finger.
It worked about 99% of the time, and mostly only failed because I worked in the meat dept. and often my hands would be extremely hot and wet from soap & hot water, or frozen and numb from handling meat all day. Then I would just use my left index finger.
It worked great in 1997, I see no reason it can't in 2013.
Your experience is that it gave very few false negatives in 1997, but you have no idea what its rate of false positives was b/c you presumably only entered your own ID. The required rate of false positives for an iphone has to be orders of magnitude lower than a Safeway employee sign-in which additionally required a 6 digit ID. Plus the false negative rate has to be at least as good.
It's the cycle of technology, we've grown to live without watches and now they want us to strap "smart" watches on our wrists. We've grown to live without glasses (thanks to better vision and contact lenses) and they want us to wear "smart" glasses.
Not so convinced, sometimes use a Bloomberg finger login and even after they changed it to the high sensitivity setting I can only manage 50% so I won't go for any fingerprint solution.
It also depends which sensor version you have -- my older unit was terrible after a number of years of constant use but as soon as I upgraded to one of the newer ones, it was snappy and worked much better.
But on my iphone? 1password has had to integrate it’s own browser on it’s iOS app that i need to use if I want a simple way to login to all my sites.
Please edit the post, this is just ghastly.
I would love something like this. I hate signing into apps (mobile banking, in particular, is a pain). It'll end up being up to app developers to integrate the new fingerprint APIs though, and I bet you my bank still decides that their stupid username, password, 3 random letters from a 'memorable word' scheme is more secure.
There seems to be a lot of focus on replacement of keylock. The wonderful thing about the fingerprint reader is that it effectively enables both the username and password and makes for a much simpler path to supporting multiple users in future iOS releases/devices.
But but iPhone is not he only device I access many sites from. What if I need to sign into the website from my PC and need to use firefox or IE for that?
The fingerprint sensor auth will just fill in the form fields with your username and password. You can sync these over to your desktop machine and use them like you usually would there.
Also, as the post alludes, if they can figure out how to integrate the fingerprint sensor into the touch screen itself then they could, in theory, do the same with your touchpad on the Mac. So authenticating on your desktop would be the same as the phone assuming you were using a Magic Mouse or Magic Trackpad.
My thought exactly! I still occasionally want to login to sites on, for example, my Android tablet. Given that Apple doesn't provide other platforms access to my data in iCloud, I find it hard to see how they would allow software on other platforms access to my login credentials.
The more layers of security, the better. A while back, I expressed delight at the potential scenario of using NFC as a layer of security using proximity as a parameter.
I'm sure Apple are aware that storing the "plaintext" equivalent of a finger print would defeat the entire purpose.
1. Sorry that iOS sucks for multitasking and it's an inconvenience to use password managers on them. On Android, I tap the site, I get two notifications, one that puts my username on the clipboard, one that puts my password on the clipboard. All I do is longpress on the entry boxes and hit "Paste".
2. Fingerprint scanners are a joke. Mobile finger print scanners are a bigger joke. They're easy to defeat. They're unrevokable. They're a security nightmare. The first thing any admin would do for a corp connected device is turn that feature off and require a pin.
I think prior to release lots of people will lean towards dreaming about fingerprint recognition being built into the glass touchscreen, but I do not think the tech is miniaturized enough yet. I looked into this a while ago and all I could find were a handful of Polish researchers using ultrasound technology which required ultrasound guns around the edges of the glass which reflect the beams off the fingerprint:
While fingerprints might work as a proof of identity, they should not be a replacement for passwords. Identity is who you are, passwords are authentication, and they are better when kept separate. Besides I cannot look at this issue without being paranoid: Apple is one of the companies that comply with the PRISM program. By putting your fingerprints in their products, you are just giving away more data for survelliance and creating a security "issue" rather than solution. Do we really need this?
Identity is something that can be seen public. Authentication is a way of proving that you are "the" person who is supposed to get the access to the system. When your identity is stolen in a system where identity is equated with authentication, you are the one who is responsible for "thefts" actions. Users can be held responsible for their actions only when identity and authentication are kept separate. An article that explains this point in more detail: http://technet.microsoft.com/en-us/library/cc512578.aspx
I don't think it's a good idea to use fingerprint as a way to authenticate. Fingerprint is not private data. By "private", I mean as private as a private GPG key. Any fingerprint is able to read a fingerprint as long as you put your finger on it. When there're more fingerprint powered applications, it's gonna be really easy to steal credentials.
You may use a passphrase. But that would be as secure as using a passphrase alone.
Fingerprint is the public key. The private key would be your hand + your physical presence. However, since fingerprint itself is public, you can't rely on fingerprint to identify physical presence.
Unless, you make fingerprint private enough. For example, permanently attach something on to your finger. Instead of providing your fingerprint to third-party application, it generates a key pair based on your fingerprint, and use these keys for authentication.
53 comments
[ 3.2 ms ] story [ 110 ms ] threadIt didn't happen. I would attribute it to two main frustrations: the readers only worked inconsistently due to particulate build up, and would occasionally have false positives. I think false positives are an inherent risk with fingerprint readers and in any case are not suitable for security as lifting a fingerprint from someone unwittingly is easy.
See the Mythbusters episode on stealing a thumbprint: http://www.youtube.com/watch?v=3Hji3kp_i9k
Having a stolen fingerprint is worse than a stolen password. For one, people tend to trust fingers more; for the other, it's impossible to change your fingerprint, unlike your password.
I really can't trust these kinds of consumer technologies until their designers use revocable biometric systems to protect the fingerprint template. That area of the literature is quite well studied, but everyone seems to ignore it.
More details on WSQ format: http://en.wikipedia.org/wiki/Wavelet_Scalar_Quantization
Even if you just store minutiae points (lists of X,Y coordinates of "interesting" points in the image like ends, bifurcations, etc), recent research shows how to generate a plausible fingerprint image that has those same minutiae. Here's one work: http://www.cse.msu.edu/biometrics/Publications/Fingerprint/F... Take a look at the pretty figures. This was done four years ago; it's only gotten better since then.
You get ten revocations before you have to take off your shoe.
Any civil worker who takes fingerprints isn't going to let you put your foot on the fingerprint scanner to verify your identity, and the next customers certainly don't want to touch the device after you've had your way with it.
"Led by Stephanie Schuckers, an associate professor of electrical and computer engineering at Potsdam, N.Y.-based Clarkson University, the researchers tested 66 Play-Doh copies of real fingerprints of 11 different people. The fake fingerprints were verified as the real deal 90 percent of the time."
http://www.informationweek.com/biometric-readers-fooled-with...
http://www.azumio.com/apps/heart-rate/index.html
Mythbusters tested a bunch of fingerprint readers and they could break even a few of the ones with "life" detection.
It's no different from the windows SAK (ctrl-alt-del) or the Mac "administrative user" dialog box.
Bipartite biotokens do seem significantly more secure than naked biometrics, but I'm not sure I understand the benefit if security still boils down to user passwords, especially if one assumes that any static security component will eventually be compromised.
Using the password to salt the original biometric improves privacy and security, but there are a lot of other ways to compromise biometrics - people look at a lot of cameras and leave a lot of fingerprints, and existing biometric systems (while improving) are fooled by photocopies.
Boult and Scheirer, the author of the above paper, gave a great tutorial about these kinds of privacy/security issues at 2011's International Joint Conference on Biometrics (IJCB), if you're interested about learning more. Both happen to be my former advisors too ;)
Tutorial: http://www.securics.com/~walter/IJCB2011/
Slides, "Part I: An Overview of Issues Related to Biometric Privacy and Security" http://www.securics.com/~walter/IJCB2011/IJCB11-tutorial-par... "Part II: A Survey of Template Protection Technologies" http://www.securics.com/~walter/IJCB2011/ijcb-survey-templat...
The iCloud aspect does bother me quite a bit though, particularly when combined with likely NSA backdoors.
I'm sure that there are open source projects out there that are just as bad. I don't use those. The ones I do use, like mutt, don't contain this level of blunder. It's not that we should expect software to be free of bugs. It's just that the nature of these Apple bugs suggest a cavalier attitude to software quality and a severe lack of testing. Combine this with closed source and a critical security function, and you have an explosive mixture.
To sign on and off, I would enter my 6 digit employee number into a pin pad, then scan my right index finger.
It worked about 99% of the time, and mostly only failed because I worked in the meat dept. and often my hands would be extremely hot and wet from soap & hot water, or frozen and numb from handling meat all day. Then I would just use my left index finger.
It worked great in 1997, I see no reason it can't in 2013.
Please edit the post, this is just ghastly.
I would love something like this. I hate signing into apps (mobile banking, in particular, is a pain). It'll end up being up to app developers to integrate the new fingerprint APIs though, and I bet you my bank still decides that their stupid username, password, 3 random letters from a 'memorable word' scheme is more secure.
I'm sure Apple are aware that storing the "plaintext" equivalent of a finger print would defeat the entire purpose.
What's great is there is an NFC Yubikey that I just put close to my phone to get the phone version of LastPass to auth.
2. Fingerprint scanners are a joke. Mobile finger print scanners are a bigger joke. They're easy to defeat. They're unrevokable. They're a security nightmare. The first thing any admin would do for a corp connected device is turn that feature off and require a pin.
http://www.optel.pl/article/english/article.htm
and yes, we need this. convenience is the antithesis of security, so anything that builds a bridge for more users is welcome.
You may use a passphrase. But that would be as secure as using a passphrase alone.
Fingerprint is the public key. The private key would be your hand + your physical presence. However, since fingerprint itself is public, you can't rely on fingerprint to identify physical presence.
Unless, you make fingerprint private enough. For example, permanently attach something on to your finger. Instead of providing your fingerprint to third-party application, it generates a key pair based on your fingerprint, and use these keys for authentication.