260 comments

[ 3.0 ms ] story [ 362 ms ] thread
Above is by a "maintainer of eCryptfs" noting that we would otherwise leave our passwords on everything we touch and without option when that password is compromised.

I wonder though, is there a biometric facet that can surmount the bar of unreplicable uniqueness? Contact lenses can fool iris scanners. Perhaps we should make a dental impression sensor?

"without option when that password is compromised."

I don't understand why people keep repeating this. As long as fingerprints are an optional authentication mechanism, you absolutely have an option if your fingerprint is compromised: switch to a passcode.

Unique? Maybe. Unreplicable? I can't imagine so, we're all just a bunch of molecules.

At some point in the perhaps-not-too-distant future, we will likely have very sophisticated brain-scanning technologies, and combined with advances against biometric methods, basically any form of authentication will be useless.

I have absolutely no idea how to get around this, and can only hope that our society has advanced enough by that point that we don't need to keep any secrets at all. Not much chance of that really, IMHO...

That's an rather interesting idea. If you could get Cory Doctorow to write "The Day the Password Died" from your prompt, I'd be very happy.

Synopsis: an evil government steals the private thoughts and passwords of its citizens, most of whom are unaware of the threat. A few paranoid individuals come up with increasingly bizarre biometric passwords, but the government has secretly approved unauthorized (and speedy) cloning to bypass these protections.

Finally, the freedom fighters use the government's own technology against it, replicating the president's bio-metrics in order to shutdown and disclose the program.

No meaningful political change occurs.

That would be pretty cool. I can't imagine that nobody else has thought of this idea before, though...

What really scares me, though, is when we get to the point of not just being able to read thoughts, but being able to write them. How would you ever know that your memories and emotions have not been tampered with? As far as you know, you've always loved your corporate overlords, and would never do anything to work against them...

Isn't that the point of 1984?

The protagonist is unable to make a physical record, and so must trust his brain retain any proof of the government's wrongdoing.

However, the brain is a poor vessel for this - it can be manipulated and tortured to discount information. And so, Winston ends up loving Big Brother.

Paper and bits are what we rely upon; there is a reason eye-witness reports are trusted so little in comparison to physical evidence.

A very good point. One of the most important things about strong authentication schemes is the revocation protocol. When things go bad, how easy and secure is the process of changing the auth mechanism? The trouble with fingerprints is that you're stuck with them for life, even if somebody else <pun> gets their hands on them </pun>.
Wouldn't the revocation process be very simple? If some one has acquired your prints, just stop using touch ID? I mean, there are still 2 other authentication options on the iPhone.
There are also 9 other fingers. Granted, not all of them are convenient to use.
That's a bit like saying "if someone has compromised your SSL certificate, stop using SSL; how about Kerberos?"
then don't use it. For me, it far outweighs having to type my password in everytime.
I don't think anyone cares what level of security you are personally comfortable with. If you are fine with its weaknesses, go for it.

However, those of us that set security on company devices are very interested in the quality of different methods, and are glad to as many learned opinions on the matter as possible.

> For me, it far outweighs having to type my password in everytime.

I'd rather type my password in every time than leave my data unencrypted--and using a fingerprint is essentially leaving it unencrypted.

I'll be interested when someone breaks Touch ID in a real life theft. This is not a simple process, it's not clear that a determined thief is even likely to find a good enough print in a real life case, and you can't mess around because after 5 failed attempts it will prompt for a password.

Touch ID will likely cover the vast majority of security use cases for iPhone owners.

I saw the CCC video and I think you are right, a suitable print being found on the phone is a bit slim, although not impossible.

However, I think the point of the article is that you can change a compromised password, you can't change a compromised fingerprint. As is mentioned, there are plenty of databases with fingerprint information. Also, for the crowd that is paranoid about government accessing their data, an authority might have an easier time getting into a device when they already have your fingerprint as opposed to figuring out your passwords.

But you can change a compromised fingerprint, to a password.
I'm not so sure. How many people are motivated to dupe your fingerprints to get into your iPhone? How many of those people could conceivably get into your iPhone through other ways?

Fingerprints are a nice way to keep almost everyone out of your device. And for the rest, well, I really doubt some other locking mechanism would've kept them out.

I'm sure 5s's are fetching at least $400 on the conservative side. If all I have to do is spend like $5 and follow a how-to on a website, I think a lot of people would be willing to make the investment.
If your objective is to sell a stolen iPhone then you still have to know the owners Apple ID and password due to activation lock. Being able to bypass Touch ID isn't going to help you.
Nope. If it's not a hardware lock, it will be bypassed.
Correct me if I'm wrong, but I'm pretty sure Apple's new iOS7 activation lock has not been defeated yet.

Keep in mind that if these criminals can't figure it out by googling it, they will give up and move on. The typical phone thief isn't a security expert with the knowledge to invent a previously unknown exploit.

Well, it's possible that the fence they sell the phones to would be motivated to find an exploit.
But what if the objective isn't to steal the phone but to surreptitiously collect or plant information?

I can think of some examples:

* jealous spouses who want to look at call logs, emails, text histories

* unscrupulous managers looking to see if you've been talking to headhunters, competitors, etc.

* stalker coworkers who are looking for "private selfies"

* frenemies who want to post inflammatory messages using one of your social media accounts

It's not that easy. You've got to get a really good, clean, complete print of the correct finger and avoid damaging it during processing (nontrivial).
What I think he is saying is that because it is now on iPhone, more devices/services/whatever may be likely to use finger prints for auth. This is dangerous because you can't change your fingerprint in the unlikely case someone dupes your print. If more and more things rely on finger prints, the value of duping goes up, right? What happens when your prints are duped once?
"What happens when your prints are duped once?"

Most of us don't live in a James Bond movie.

(1) If someone has my fingerprints they still need my phone to do anything.

(2) Even with my phone there's a good chance it's worthless unless they also have my pin.

(3) Stealing my phone has also become worth much less unless you have my prints and the followthrough to make fake ones and again they'll want my pin in most cases because you only get 5 failed attempts with your fake prints.

(4) All of that takes time, during which I may be able to remote wipe my phone, making the whole exercise worth even less. And it takes money, again lowering potential returns.

It's easy to imagine (numbers pulled out of ass) that a thief could get a few hundred bucks for a 5C (no touch id) but say half that for the more expensive 5S. Maybe that won't hold up for various reasons (hey thieves will work hard to make those stolen 5s's worth more) but the principle behind multi-factor is sound.

or could home 3d printing be used to create fingers with fingerprints?
A default Reprap won't be able to reproduce a fingerprint, but all it would take is increasing the reduction rate of the motors, using a smaller hole at the hot end, and a material that flows better (or increasing the temperature).

It would probably take a few tries, but seems well within a person-sized budget.

What are people going to do when, in the all-too-near future, criminals begin sharing and selling databases of stolen high resolution finger prints?

One theft isn't practical? How about a million? Driven by a never-ending pursuit of monetary gain via crime; with criminals always happy to conquer the latest technology wave. There's absolutely no reason to think that criminals won't amass substantial finger print records just like they do any other intimate information they can get their hands on, from SS numbers to passwords. It's not a question of if, but when this starts becoming common.

All it requires is linking finger prints to something valuable at a mass market scale, and that will drive an unlimited criminal demand for finger prints.

It's not about the iPhone. It's about a consumer shift to finger prints as a primary security feature, and whether that is sane (with the iPhone potentially setting the trend given its cultural status).

I'm not sure I agree. How exactly is anyone (other than the government) supposed to be able to get all these fingerprints? Are you suggesting people are just going to go around and start dusting for prints anywhere they can or what? Maybe fingerprint phishing? (That doesn't even make sense unless we start transmitting actual fingerprint data to servers instead of mostly using it to protect password managers client-side.) The reason identity thieves can get their hands on social security numbers and passwords is because people have to share that information deliberately a lot more often. If you breach the right database, maybe you'll score the jackpot and get the financial details of a few million people, but what database can you breach to get peoples' fingerprints in a format that allows you to create fake fingers to bypass biometrics? Who's going to be keeping high-res copies of fingerprints around, let alone in enough quantity where it might actually pose a risk to a decent proportion of the population?
Let's say criminals manage to build a database of everybody's fingerprint. Now, I steal a phone, and have access to that database. How do I query it?
Based on a partial print from the screen or body of the phone? (It wouldn't work every time, but it might be feasible often enough to be worth trying.)
Call every phone number until the phone you've stolen rings. Then it's a simple reverse directory lookup to get the name of person who owns the phone.
OK, you are a criminal and got 1000 000 fingerprints. You can start collecting them right now, on every surface you have access too. Then what? You will print them all using whatever technology required to fool fingerprint scanner and try one by one? Wouldn't it be just easier to try and lift one off the device itself?

  > It's about a consumer shift to finger prints as a primary
  > security feature
No. It's about shift from zero security (no passcode lock) to some security (fingerprint). Yes it can be fooled but it is effective enough to stop casual attacks. Just like lock on the most doors — no problem for a determined robber but good enough protection from the opportunistic thief.
In the not so distant future, collecting fingerprints will be just a matter of writting malware, and uploading it. No need for labor intensive procedures such as collecting them from real stuff.

Now, in that world, what will criminals use the fake fingerprints for?

The fingerprint databases would probably also include identity information.
You handwave around the fact that obtaining high-res photos of the finger (i.e., lab setting) is not exactly easy. How would you propose this occurs? It's not like this is some widely-licensed implementation - the devices are highly personal/coveted and don't store the image in-device (just hashed representation that can't recreate the print).

The CCC could have used a stray fingerprint (say on a glass or the phone itself) but didn't. I suspect they would have demo'd that if they could have made it work reliably or even at all.

Your slippery slope argument seems faith-based and doesn't answer the big questions I posed above. I don't see Samsung or Moto going fingerprints anytime soon - and if they do, Apple is there with patented tech waiting to sue them if it's at all similar. Widely varying implementations of the same thing with possibly different exploit angles - does that seem like a security epidemic to you?

> How many people are motivated to dupe your fingerprints to get into your iPhone?

I'd suggest that someone would just access the data storage, bypassing the fingerprint mechanism.

This is right. Fingerprint scanning prevents casual snooping in the same way that a PIN or face unlock does. It's lightweight authentication. It can't be used as a hard security feature (e.g. as input to a PBKDF) so it can't provide security against hard attacks like stealing the device and reading the flash.

It's cute. Honestly I don't see what this adds over face unlock which is reasonably mature now and equally yawnworthy IMHO.

I haven't used face unlock but I am going to guess TouchID is much faster and easier. It unlocks almost instantly, you don't have to be in view of the camera, and it doesn't require any extra effort since your finger is already on the home button to wake up the phone.
Face unlock is instant now too. People still remember the slow demo from when ICS came out but it's nothing like that any more.
> I haven't used face unlock

Face unlock is very fast - generally I turn device towards me to start using it and face unlock has unlocked it before I even realise it was locked (less than half a second).

When it fails to recognise you, you can enter a pin/password/pattern. There is a menu option to 'Improve Matches' so it can pick up whatever is different this time. Every release has improved dramatically. After my most recent Android reinstall I recall only ever improving matches once.

It doesn't work in low light which fingerprints will.

The answer is probably no, but does it work if you've got sunglasses on??

I know that Picasa's face detection works even if I am wearing sunglasses... thats the only reason I ask.

If it doesn't work first time with sunglasses then you use the "Improve Matching" to take a pic of you wearing sunglasses. They don't want identical pics of you - they want pics of how you vary. (Same story with facial hair etc)
I've used Face Unlock. It's terrible. It's slow, very inconsistent, doesn't work at all in variety of situations (low light, in pocket) and goofy.
I imagine it wouldn't work very well at all in your pocket. How do you get your face in there anyway?
Can you buy content with Face Unlock?
The point the parent is making is that you shouldn't be able to buy content with a fingerprint.
No, to him Touch ID is the same as Face Unlock and both are just cute lightweight toy features.

He asks: "I don't see what this adds over face unlock."

I answer: "You can use Touch ID to buy things."

Identification via fingerprints is fine, it's the authorization to do something that can be problematic. So, unlocking your phone, not too bad, accessing your bank records, not so good.

If the fingerprint is the identification that is used to then trigger decryption of securely stored data, it's a lot less secure of a mechanism than a fingerprint AND a password.

There was a good recent discussion that fingerprints also do not enjoy the same protection as passwords, as the fingerprint is not a "content of your mind". Here's the wired article on this: http://www.wired.com/opinion/2013/09/the-unexpected-result-o...

It was also discussed at length on HN, but I can't find the thread.

Terminology quibble. _Authentication_ is what's tricky. Authorization is no problem.
Fingerprint authentication is just like a door lock on your house. It's not going to stop a determined criminal (because they can just smash your window), but it's a pretty good way to stop casual attempts at intrusion.

I agree that the touchID shouldn't be used for authentication with everything and I think Apple agrees, which is why they haven't opened it up to 3rd party developers.

Something you have. Something you know. Something you are. The point is to have more than one, not switch one for the other.
You are just repeating a dogma, not explaining why it is not good to think of a fingerprint as a username.
It's not a username. It's a fingerprint.

Usernames are how we indicate an identity to a computer. (Note "an" identity; identities do not one-to-one map to humans.) Identity is what we are trying to establish in the first place; if we simply knew you were authorized to use an identity we wouldn't need auth in the first place. Having a matching fingerprint is evidence that an authorized user is authorized to use that identity. Knowing a username is not. They are not the same thing. Fingerprints are not perfect auth, but they are auth of a sort; usernames aren't auth at all.

>> Having a matching fingerprint is evidence that an authorized user is authorized to use that identity.

Considering that you leave your fingerprint everywhere you touch with your bare hands, is that really true?

There is a reason I chose the word "evidence" and not the word "proof". Yes, it is evidence. No, it is not proof.

Further note that possession of a password ("something you know") is also merely evidence, not proof. Also, "something you have" is not proof either; having a token is merely evidence, not proof. We have no method of proof. If that is the standard you are looking for, then I have some bad news: It is impossible to meet that standard. If we did have a direct method of proof-of-identity, we would not have to talk about evidence. We would simply use the proof.

Yes, it is possible to fool even a three-factor authentication system, with enough work. That's why its important to understand that security is not about absolutes; it's about raising the cost of penetrating the security above the value of the thing being protected. Which is also why fingerprint protection is just fine for rather a lot of iPhone users; what's the payback for cracking a fingerprint scanner, just to get access to a metaphorical Grandma's phone? If you are concerned that the value of what is on your phone exceeds the costs of penetrating the fingerprint scanner, then use more authentication. It's about costs & benefits, not absolutes.

Would someone care to explain how the observation that fingerprints are indeed a form of auth, but usernames are not (often they are fully, intentionally public information!) is false, and therefore the entire premise of the post's title is incorrect, with something other than the downvote button? I'd really like to hear the explanation of how that's not true.

>> what's the payback for cracking a fingerprint scanner, just to get access to a metaphorical Grandma's phone?

Well, if said Grandma is rich and is sharing dirty selfies with someone she doesn't want Grandpa to know about... being able to steal and use that information will probably be worth much more than the value of the phone itself.

By definition, if Grandma's phone contains high-value information, then it contains high value information. In that case, Grandma should take more steps to protect her high value information. Yes, if you just rewrite the premise to the question, the answer changes.

This is some really sloppy thinking you're engaging in here. Rewriting questions to obtain the desired answer is a very dangerous cognitive habit to get into.

#66 on the Evil Overlord list:

My security keypad will actually be a fingerprint scanner. Anyone who watches someone press a sequence of buttons or dusts the pad for fingerprints then subsequently tries to enter by repeating that sequence will trigger the alarm system.

Why not have the sequence remain the password, but also scan fingerprints? If you have the wrong fingerprints (username), the right password still won't work.

http://www.eviloverlord.com/lists/overlord.html

If the scan doesn't leave collectable fingerprints on the keys, it'd work!
If we assume the attacker is going to (be capable/mindful enough to) dust for fingerprints, they're going to get a very small potential keyspace for a passcode.
"fingerprint or pin" means that when the fingerprint scanner doesn't work, you can use the pin to unlock your phone. "fingerprint and pin" means that when the scanner stops working, you are locked out. Apple has obviously decided this is more of a risk/inconvenience than the extra security justifies.
I keep forgetting that this discussion is iPhone-focused. At this point, I'm thinking about other systems too, such as ATM number pads or entry pads for security gate/secure door systems. What if each button on the ATM was also a very fast fingerprint sensor? (What if the ATM had a cleaning device built in?)
Alternatively, fingerprints should be used as 2FA. They're something you have. Supplement it with something you know (or that your encrypted password store knows) and you're golden.
Not quite right. Finger prints are considered "something you are". Always with you, can be impersonated, but can't be changed. Something you have have would be a key or a token, that can be changed if compromised.

Agree with the rest of your comment. Cocktail "something you are" with "something you know" and "something you have" for potent results.

> They're something you have.

And the police have them. And the US government has (flew there twice) them. Isn't the "something you have" in 2FA ideally meant to be something that only you have?

Makes sense. Just like in a PGP web of trust, where that key is your unique identity, so will these fingerprints be. But it's a lot riskier to use them as your passwords (either against the NSA or other dedicated hackers).
This might be true for things that truly need to be secure (bank vaults, super secret government facilities, etc.). Clearly in those cases just relying on a fingerprint that could be compromised by motivated attackers is not enough. But personally (and I imagine this is true for many users) I'm not trying to secure my iPhone from highly motivated and skilled attackers. Those individuals will probably be able to access the data on my iPhone fingerprint or not. Given that, it just is a convenience feature, allowing me to secure my phone from the everyday person trying to pry into my phone and give me access much easier and quicker.
A fingerprint is a perfectly acceptable means of authentication for low security needs (read: most needs). For higher security it serves well as one of multiple authentication layers, e.g. a fingerprint AND a pin code.
All these academic arguments about the security of fingerprints are interesting but completely are detached from the day-to-day use of TouchID.

I've been using it for about a week or so now. It's incredibly convenient. It unlocks my phone almost instantly. It prevents random people near by phone from being unable to unlock it. If a thief got their hands on it, they'd have a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.

All in all TouchID basically removes almost the entire burden from the security of having a locked phone. It's actually faster to unlock my phone with TouchID than codeless swipe to unlock, so it's a no-brainer to turn it on. It doesn't matter that the NSA probably has my fingerprints, in practice it prevents most people from getting into my phone in a way that is transparent and easy to use. If the spooks want my data, they can already get it.

s/TouchID/Face Unlock/g and back up about 2 years and you can find all the same things said about Ice Cream Sandwich.

It's a cute feature. It's not going to change the world, sell another billion phones, push other companies out of the market, or save anyone from serious attacks. It's probably a good idea to enable it anyway.

I don't think you can call something a cute feature when it's turned on on most phones and is used to unlock them. I would guess that by far the majority of iPhone 5S's have TouchID enabled. I wouldn't be surprised if it's more than 90%. The feature is just that well executed.
I would be very surprised if it is that high now even with the early adopter skew. Reports say that last year it was around a quarter of smartphone users use passcode locks on their work phone (http://www.welivesecurity.com/2012/02/28/sizing-up-the-byod-...). I imagine 5S rates are higher than that, but 90% would be insanely impressive. When it comes to computer security, as usual, people's apathy is the biggest problem.
Isn't passcode required to get exchange email on iOS?
That's an option set by your IT department. Annoyingly, mine does the same thing. It doesn't have to be that way.
At my work they have allowed the TouchID to be used with our security policy. I just haven't shelled out the money to buy a new phone.
I'm sure opt-in/opt-out is a major factor, too. I don't have a 5S, but I'm pretty sure it's opt-out. I think even after upgrading to iOS7 I had to opt-in again to turn on the numerical pass code.
iOS setup flow basically points the user in the direction of setting it up.
It is more difficult to defeat a touch sensor than face unlock. With face unlock, I just need a photo of the phone's owner.

With a fingerprint unlock, I need to go to at least a little trouble to fake the fingerprint.

Depends on scenario. If you steal a phone from a bag on the subway, you'll never be able to get that photo but can probably lift the print right off the phone itself. So maybe iOS has better-yet-still-mediocre protection against snooping yet inferiorly-mediocre guards against identity theft. Yawn.

In neither case is the phone meaningfully protected against serious attack. Why must we have this argument? It's a cute feature. Use it.

but can probably lift the print right off the phone itself

That doesn't seem to be the case to my knowledge. The evidence from the successful attack is that you need an excellent-quality print from one of the specific fingers that has been programmed into the phone. Some phones probably have that on them, but it appears likely that many do not.

there ll be an app for that.

edit: build an app, get your colleague, significant other etc touch it on any touchscreen phone or get on camera and create a 3d printed finger. 3d printing vs touchid...maybe

I'm pretty sure the GP was talking about the likelihood of a given phone having an appropriate-quality print [1], which does seem low.

But putting that aside, your hypothetical app would -- using the demonstrated method -- 'lift' that excellent quality print, scan it at 2400 dpi, (clean up said print), print it on a transparency at 1200 dpi, mask it onto photosensitive PCB, develop/etch/clean the PCB, spray graphite and apply wood glue to the mold.

It might make for a slightly-more-plausible-than-normal gadget sequence in a Mission Impossible movie, but it's not much of a concern for the target market. [2]

[1] Despite what decades of shows like CSI might lead us to believe, this is not a simple or error-free process. And each mistake irrecoverably destroys the print.

[2] Most of that market doesn't even use a passcode today and many that do are still using surprisingly bad PINs (birthdays/anniversaries/1234)

I find it amazing that when faced with a general question about a "security" feature the median internet tech nerd responds with an attitude of absolute paranoia (c.f. 4096 bit RSA keys, multi-word pass phrase choices, ssh key forwarding pedantry, general NSA tinfoil hatism....)

Except when confronted with an Apple product. Then it's all "Nah bro, relax. No way could you lift a fingerprint from a glossy phone screen". :)

I'll say it for the third time. It's cute feature (like face unlock was before it). Use it and enjoy it. If you honestly think you're buying a serious security mechanism you're simply wrong.

Clever use of the word median to obscure the fact that you're conflating a two different attitudes which likely don't exist in the same person.
It's not at all clear that the absolute paranoiacs and the people saying that it's unlikely that any but a vanishingly small number of regular people will ever have Touch ID hacked are from the same set.

When you say it's not "a serious security mechanism", it sounds as if that's defined in some absolute terms. But if the effort to hack it is hundreds of times more difficult than the possible payoff from hacking it (which appears to be the case for nearly anybody but James Bond), then it acts as a serious security mechanism for that user's context. Literally nobody is going to make a mold of my finger to unlock my iPhone — they'd have to be absolutely insane to think that was worthwhile. So it's a serious security mechanism for me. Would it be a serious security mechanism to cover nuclear launch codes? Of course not.

> When you say it's not "a serious security mechanism", it sounds as if that's defined in some absolute terms.

You have to understand that the practice of cryptography has always had a military basis; the commercial/private use is ancillary.

So, what's "a serious security mechanism?" Presume you're a military commander during active war, whose battle plans are intercepted by an opposing nation. What is the likelihood, given the opposing nation believes your plan will lead to their complete destruction, that they'll be able to break the security in time to execute a counter-operation? A serious security mechanism is anything that reduces that likelihood.

You see two different classes of responses because there's two different use cases.

There's security that geeks advocate for ourselves and our own implementations (often things we only have to set up and maintain infrequently) and then there's security that normals actually use (often things they have to authenticate with several times a day).

And I must have missed it, if anyone's been arguing this is a serious security mechanism. As far as I've seen, it's been lauded as (not much) better than a passcode, but, primarily, convenient enough to get people to use it instead of nothing, bringing up the relative security of a still-fairly-insecure bunch.

And you may want to re-read the discussion over the faked-print attacks. It isn't about (im)possibility. It's about the time, expertise and equipment involved and the likelihood of success being too expensive to be worthwhile for gaining access to most phones. [1]

And if we're wearing our "serious" security hats, I still don't see any reason to worry too much about print faking, as its core assumption is a skilled attacker who has unfettered physical access to our device, unbeknownst to us and beyond our control. And at that point, the game is already over.

[1] CCC themselves, with ideal source prints, had to significantly complicate their process to generate fakes that worked with a suitable consistency. So even if you think suitable source prints grow on trees, the point of significant skill, equipment, time and resources remains.

Can't someone write an app that stays in the background on their phone and copies fingerprints of people who touch your button?
Under the assumption that the sandbox works, no.
Okay, but if you steal a phone on the subway, why would you even bother unlocking it? Just sell it on ebay as a locked phone. Some bored teenagers will buy them up, unlock them, wipe them and then resell them for a few dollars more.
If Find My iPhone is on, that locked phone is essentially a brick, it cannot be activated even if completely wiped, since its still associated with your Apple ID on the server side.

You need to be able to sign in with the Apple ID to remove the association.

Heh. So you think...

I've already done that service for another, using some auto-unlocking tools. Takes all but 5 seconds, including USB negotiation. And it even gets past sim-locks.

> but can probably lift the print right off the phone itself

What utter unmitigated rubbish. It is extremely unlikely that even a fully qualified CSI would be able to lift a full print from a mobile phone, let alone one that that can be reliably reproduced in the manner CCC described.

On release, people were saying it was unhackable. Molds were made that faked it within a week. You really want to bet that no one will make this work? With a target this high profile?

My 5 year old son was quite literally dusting for fingerprints at the local science museum last weekend. We have some shockingly high fidelity prints of both our thumbs showing all the ridges. And all we had to do was squeeze a piece of plastic. Fingerprints have even less identifying detail than faces. You've been hoodwinked by Apple's marketing, and I'm willing to bet this isn't the first time.

Yup - remember the whole "sub dermal RF fields - so it can't be a fake finger, or your finger can't be cut off - has to have a pulse and be live", from Apple's own marketing?

Yeah, not so much. The fakes didn't even pretend to be live tissue.

It's amazing rant with any Apple story, there you are with an 'expert' opinion followed by a thinly veiled troll. I want to see your 5 year old son lift near perfect prints from a typical iPhone, no deliberate placing of prints mind you. I then want to see you recreate the CCC "hack" with the correct print. It's time to put up or shut up.
Ehh, I haven't crunched the numbers, but that's not necessarily true. Instead of taking a still picture, use video to take a few images and generate a rough 3d image. While I don't think the initial face recognition on Android had it, I believe they (or someone else) did later.

I have no idea how finger print vs facial recognition compare in accuracy, but a decently implemented facial recognition system shouldn't be compromised by a still image.

My Samsung phone has a feature that requires you to blink in order to unlock the phone to ensure that you're not a still photo.

Of course, I don't actually use it because the face recognition is so bad, and nonexistent in the dark.

Apparently that can be defeated with Photoshop.
Or maybe a animated GIF image.
Animated gifs would today work. What if the camera focused on something behind you first and then the face? Would that bypass a 2D method?
On a camera with effectively infinite depth of field? Probably not.
Couldn't the camera even just focus on a face and then the neck as a point of depth? Honestly, all of these quick-check systems have countless flaws.

I'm ready to have a chip in my arm now.

The point is they're both in focus. The camera (lens) isn't able to focus on the face and not the neck.
> With face unlock, I just need a photo of the phone's owner.

face unlock now requires you to blink.

People keep making this analogy but Face Unlock is not being promoted as ever being used for anything but unlocking the phone. Touch ID is the foundation of an entire mobile identity/payment scheme.
Except TouchID, from what I gather, actually works. Not "works" in the sense of keeping bad people out, but "works" in the sense that when I use it my phone unlocks. I tried face unlock briefly on the Google Nexus I've got and disabled it shortly after when I found that it was unreliable. Poor lighting, too much lighting, a bad hair day, it wasn't even at 80% for successful unlocks.
To be honest, I disabled face unlock the moment my brother unlocked it with his face... Yeah, touch id won't let that happen.
> Not "works" in the sense of keeping bad people out, but "works" in the sense that when I use it my phone unlocks.

I think that's the key distinction here. In any given authentication scheme it's important not to have false positives (incorrectly identifying a bad guy as you) or false negatives (incorrectly identifying you as a bad guy). In this case false positives break security, false negatives break usability. However, false positives won't outright stop adoption whereas false negatives will.

does touchid have the disadvantage of keeping your friends and family unable to use your phone in cases of emergency? 95% of the time, my phone isnt next to adversaries, but trusted parties. a password or code is transferrable, fingerprint isnt.

edit; not 911emergency, but casual situations of full or dirty hands..

You can add ten fingers, or you can give them your code, or they can dial 911 with a fully locked phone. So no, it's slightly easier for a relative to use in an emergency than a typical locked phone.
Mine when locked has a small touch section labeled 'emergency call'. I assume it goes through to 911 (or relevant number). I'm tempted to press it but it's not an emergency. I assumed most phones had something similar.

Edit: I went to it. I leads to a special dialer. Instead of voicemail the button leads to a special emergency contact (or list). It only shows 4 inputs on top so I am guessing that is the limit so you can't dial anything but emergency services (that are 4 numbers or shorter). Then it goes back to my lock screen.

You can always just use a PIN to unlock. It's probably safe to assume that Apple has thought this through (no need to remind me of the supposed chaos break-in).
Fake unlock was slow and unreliable when it first came out 2 years ago but is pretty darn good nowadays, and just as fast as TouchID. No, it doesn't work in pitch dark or if you're wearing sunglasses. But I'll take "works 90% of the time" over an unlock feature that requires a hardware component that pretty much locks you into 1 form factor.
The problem is that you need to think about this when you unlock your phone. With TouchID you always unlock your phone with your finger.
"With TouchID you always unlock your phone with your finger"

With glove, dirty or too much sweat, I believe it does not work. So, it's not 'always'.

Not to mention, by the time I am looking at the phone, I want it already unlocked. Sometimes I want it unlocked in my pocket (Siri?). TouchID allows me to do that. Face unlock does not.
When it works fast, face unlock can be rather stunning. Occasionally it would catch a glimpse of my face obliquely and unlock before I even got to position it correctly.

However like others, I turned it off because the performance was highly variable, and the failure mode consists of a many-seconds wait which can be extremely infuriating (even embarrassing, as as you stare blankly at your phone for 5 seconds at a party, trying to quickly get someone's number or something).

(comment deleted)
TouchID has some tangible implications for markets where some security is needed and convenience is already compromised. For example, my corporate policy disallows pattern lock and requires I use a pin. This is majorly annoying and is enough for me to consider a different device.

The big enterprise market is an awesome place to get a foothold in - they are not really price-sensitive and hate change. Not that Apple has any problems in that segment, but extra lock-in doesn't hurt.

Where this becomes semi-dangerous is in assuming that now your phone is ironclad and you can store whatever on it totally unprotected. The best route to safety is to make informed decisions based on your own risk-tolerance and not be a lemming.

Certain Japanese cigarette vending machines had photographic age detection algorithms. Japanese children used photos of Bruce Willis to buy cigarettes. Getting a photo of your face would be much simpler than getting your prints.
You touch your iphone's screen to use it, right? Getting a latent print isn't exactly difficult.
Acquiring a high-DPI scan of a fingerprint from someone's phone, printing it to a sheet of plastic with a high-DPI laser printer, then making a copy of the print out of liquid latex doesn't sound easy unless you're in the business of pentesting. Taking a picture of someone (or lifting it from a social network) to access their device does sound relatively easy.

If I was the kind of person who was worried about someone accessing the contents of my phone, I'd simply turn off touch ID and use a long password (or spend less money on a phone that didn't have a feature I wouldn't use).

I've gone down the route of using both a long password and touch ID simply because touch ID works so reliably - I've never had to enter my password. That way someone either needs my long password or a physical copy of my fingerprint to access my device. I'd say that's much better than the 4 digit numerical code I relied on previously - which had been seen by friends and family.

See the problem here is that a compromised fingerprint betrays more resources than the system it was meant to protect.

Your iPhone has a picture of your fingerprint inside of it now. It's just a picture, and it's likely a very good picture at that.

What happens when I swipe your phone for a second or two, plug it into my machine, and download the high-resolution picture of your fingerprint?

Do you use a fingerprint lock at home? If so, I've just broken into your home.

Do you use a fingerprint lock for the datacenter you administer? I've just gained access.

Do you own a registered gun? How'd you like me to commit a murder with your fingerprint on it?

This kind of attack is the missing piece of my argument. When someone figures out how to do this, these issues are going to become very important very quickly.

Let's suppose that Apple introduces a feature that syncs your fingerprint across many devices. How convenient, right? Let's say that means keeping all of your fingerprints on Apple servers. Let's now suppose that, like a credit card database, an attacker is able to obtain a leaked copy of the fingerprint database of every iPhone user. The recent touchid hack shows that fingerprints can be spoofed for high-end scanners. What then?

Sure, this scenario is very unlikely. I'm totally in slippery-slope land here.

But when we choose to turn up the dial on convenience to sacrifice more security, we must be prudent, carefully considering the consequences of our intentional ignorance.

Please don't delude yourself into thinking this is any safer against the typical kind of smartphone theft.

Thieves will offload the phone to someone using software explicitly designed to wipe electronics to be resold.

Whether they are wiping an iphone that happens to have touch ID or not is only relevent towards the resale price once it's wiped.

Clearly Apple marketing works, as it's somehow convinced a member of (I'd hope) a more technical audience that their electronics are somehow safer against thieves.

Uh, no. Of course it's doesn't prevent theft. (Though the new 'wipe the phone in 10 tries' thing may deter it, separate from TouchID, I'm not sure.)

The point is that with TouchID (as opposed to no passcode) the thief will not be able to send porn to my mom or read my text messages before they wipe the phone.

And with iOS7 they're going to have a harder time wiping it because phones are now locked to your Apple account. So they need your Apple account ID and password to wipe it.
(comment deleted)
I wonder how much targeted attacks to recover that go for on the black market? Would the phone thief still make a profit?
An iPhone that is wiped, even in DFU mode, requires the Apple ID and password immediately after it is booted for the first time.

Basically, a stolen iPhone is only worth the sum of its parts so they can be used to repair other phones.

How does this work? I sold my old iphone to amazon. I never reported it "unstolen" or whatever to apple. Amazon paid me $200 for iPhone parts?
It's new in iOS 7. You'll have to explicitly wipe & reset your iPhone before selling it from now on.

So if it works as advertised, stolen iPhones and iPads will only be worth the sum of their parts.

removing that wipe feature would be a nice tidy way to destroy the secondary market for iphones...

did I just predict iOS8?

No.

Apple are perfectly happy with the second hand market for iPhones.

I've just ordered a 5S. It's costing me £709. My iPhone 4S 64Gb is worth about £200 second hand. Even a new 8Gb 4S, the cheapest model available new, is £349.

Anyone interested in my second hand phone was almost certainly never going to spring for a new iPhone.

The market for second hand iPhones does next to nothing to cannibalise the market for new iPhones (which Apple cares about) and strengthens the iOS ecosystem (both by bringing in new customers who might buy apps, music and movies but also keeping customers away from competing platforms).

There's more upside than downside for Apple in second hand iPhones.

Hmm. After upgrading my ipad to iOS 7, I changed my pass code. Which I promptly forgot. I had to reset it from iTunes, on a computer which had never paired with the ipad (in fact I had to download iTunes to do this). When the ipad restarted it asked me for my Apple ID but that seemed to be for the iCloud restore. I think I could have skipped it and had a functioning ipad. But apparently not?
Nope. The Apple ID is necessary to restore in iOS 7.
I'm not protecting my phone, I'm protecting my data. It does a pretty good job of that. Don't think we're somehow deluded for thinking that the data is the more valuable part of the thing.
The most important distinction. Someone who wants your hardware doesn't care about the data, and will wipe the phone (although this is where iOS 7's Activation Lock comes in). And, if they want your data, they will figure that out, too. Touch ID is just a deterrent, same as a password or PIN, just to varying degrees.
I think any reference to improved protection against theft has to do with iOS 7's new feature of requiring an Apple ID even after a wipe.
No one thinks it will deter thieves. It will make it more difficult for thieves to offload the phone (however marginally), and will give you time to use Find My iPhone, wipe it remotely, or brick it before your data gets compromised. As someone who did not use a passcode who recently had a phone stolen, I can tell that this is valuable. Also, why don't people focus on the real convenience - purchases by fingerprint scan.
And I think that's the main problem with it. People think that it's actually a true replacement for a password, even though it's not.
Give me a real world scenario where this distinction matters and affects real outcomes. For real users, not people who are trying to protect themselves from the CIA.
If you use that fingerprint code, any thief that steals your phone and wants your data will have it. It offers no protection at all.

Now, if you arguee that no thief will ever want your data (and you'd be probably right), it doesn't matter if you lock your phone or not, and it won't matter how you do that. In this case, locking schemes are completely useless.

(Now, I'd be content with a fingerprint reader that recognizes a finger - any finger - and unlocks the phone. It's enough protection if my pocket can't defeat it. Unlocking only by specific fingerprints looks like a pain, nobody else will be able to unlock my phone? Thanks, but I'll pass that.)

You have your phone in your pocket, I want to access your data.

With touch unlock, all I need is my buddy to hold you for 3 seconds while I twist your arm and unlock the phone.

With passcode unlock, getting the password out of you will take some more effort.

Oh, and in this scenario, I can be a thief, or a police officer, or a borders agent, or an abusive husband, or many other things :)

> With passcode unlock, getting the password out of you will take some more effort.

Given that there are two people, capable of violence, against the phone owner I'm not sure that getting the password is going to be that much trouble.

Forcing someone to put their finger on a phone is a matter of seconds. No matter how you put it, getting a password is harder and lengthier.
Getting a password requires consent, even if it's under duress. Getting your finger doesn't require you to agree with anything.
As a side note, I'd be worried that anyone can wipe my phone if they get their hands on it for a minute.
That's a option that you get to disable.
An ideology of "Its good enough to thwart 99.9% of the population, therefore its good enough for me." is a very harmful ideology to have when it comes to security because you do nothing to deter mass adoption of the insecure technology.

While an individual person might not be at that great of risk because the amount of crackers willing to exploit touchID is limited to a minute demographic of people, the real harm comes when many iphone owners who share your ideology start using touchID instead of the more secure locking features their phones provide just because its more convenient.

Consider what happens when there are 100,000,000 million insecure phones out in the world. To a motivated cracker/spy/terrorist this is a huge ocean of potential suckers/victims vulnerable to exploitation. While most of these people aren't worth targeting, 1000-10,000 people might be.

This is why rejecting broken security technology is a cause everybody should rally behind. Even if you are never a victim of a black hat, you may very well suffer indirect consequences from the exploitation of somebody else.

Does this go for the locks on your front door as well? As in "nobody should have front door locks that aren't 100% secure even against eg. terrorists"?
If such a lock existed (it doesn't, AFAIK), I would certainly want it on my door. I would still seriously consider it even if it was dramatically more expensive than a regular lock. Just because there are trade offs in security doesn't mean that anyone should be content with the state of the art and not push for improvements, or push against regressions. I'm not sure myself, but people see TouchID as a regression.
I think your response raises an issue of perspective. Are we focusing on fingerprint technology from a user's point of view - or are we considering its implications over many years?

This reminds me of certain U.S. Supreme Court decisions. As someone who's interested in constitutional law, I often find myself defending things that seem trivial and nitpicky. Why does it matter if the police enter one drug dealer's home without a proper warrant? Who cares if we restrict someone's speech, considering that the person was, say, a racist whose ideas were ignorant and offensive?

Of course, the content in this analogy is very different. I'm not comparing fingerprint scanners to crimes. But the logic is very similar: when judging law and technology, respectively, it's important to consider how seemingly small decisions serve as a precedents for bigger trends.

If fingerprint scanners become a common replacement for passwords, and the author's argument is correct, the scanners may dramatically change our security and expectations of privacy.

Consider the thorny issues of courts forcing people to turn over passwords to decrypt phones to implicate themselves. Typically, it's a constitution tarpit as you should not be forced to implicate yourself.

However, your fingerprint is a username in that case because it is all over the place. The police already have it. Don't be fooled, there are certainly kits being sold to law enforcement to dupe TouchID. You're data is less protected from those that you'd probably prefer not have easy access to it now.

This is a disadvantage only when you are on trial. That's a pretty extreme contingency, and I think most people who aren't internet privacy advocates wouldn't be particularly worried about their phones, of all things, after they've been arrested and indicted.

Outside the HN bubble, this is an acceptable tradeoff. People who are concerned can continue to use passwords.

>Outside the HN bubble, this is an acceptable tradeoff.

I'm glad you have been deemed worthy enough to make that decision for the rest of the population that doesn't understand the implications of what they are getting into.

Outside technological bubbles, people don't understand the implications of technology in regards to security and privacy. You're speaking about "tradeoffs" however people don't understand the tradeoff and will think fingerprinting is secure, because look, Apple is doing it.

Therefore it is up to us to make the right choices. That we aren't doing it, choosing instead to defend flawed technological improvements and the companies doing it, is very regrettable.

> This is a disadvantage only when you are on trial. That's a pretty extreme contingency

No dude, that's not the only thing that can happen and it's in no way extreme. Many people do go on trial for trivial things (because shit, in the US at least, suing people is a way of life) and your laptop or phone contains your most secret conversations and desires, being the ultimate incrimination tool, a digital fingerprint of your own mind.

And you don't have to be on any trial. You don't even have to be a suspect in an investigation. It can happen and has happened for laptops or phones to be seized for inspection during routine filters, like by the airport security.

Also, in the US you may live under the rule of the law. What about countries where oligarchies rule, countries where corruption is the norm? What about countries like Rusia, China, India or Brazil?

Just today I read about a story about this traffic cop from my own country that had the bad inspiration of doing his job by fining his own boss for ignoring a red light and exceeding the speed limits. He was later accused of all sort of bullshit and had to fight it in a court of law for 2 years before he was exonerated.

And technology evolves and our devices are gradually becoming our stored memory. What do you think these corrupt officials or organized crime syndicates could do with your own mind, 10 years from now? A lot dude ;-)

Also, configurable after a few hours it can ask the password anyway. A trial and being compelled to place your finger on the phone goes way beyond that. Or if they're going to beat you over the head with a metal pile regardless to unlock then the difference between a passcode or your fingerprint becomes meaningless.
That's too black and white. Is there nothing that you would give your life for? There is nothing worth dying for? Maybe you should think less of convienience and more about living a life worth living.
It's easy to say that now while you're not on trial. What happens if the day comes where you are on trial, for something you may or may not be guilty of and what you have on your phone could potentially incriminate you, corroborating false accusations? We see it all the time, information is translated out of context and used in ways it was never supposed to be interpreted. It happens all over the media, it happens in smear campaigns in politics, it happens any time someone wants to get ahead of you on the promotional ladder. It's too late to come back after the fact and say "Well shit, I guess I should have considered the implications of that technology being used against me when I considered it just as a convenience." Sure, it's convenient. I get that, we all do. But if you don't consider the price of that convenience up front, you can't come back and complain that it was used against you afterwards.
Not just on trial; on trial with incriminating information that's exclusively available on your iPhone and stored unencrypted without any additional passcode or password protection.
> a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.

Are you saying that random people can pick up your phone when you go to the bathroom, touch the home button 3 times, and then enter "1111" 10 times, and wipe your phone? Is there some protection against this?

Protection against what ? That is the desired behaviour of most people. And if it isn't then you can simple disable the behaviour.

It's not like you will lose data since it is backed up to iCloud.

I think you misunderstood. The person entering bogus passwords is not a thief, but an otherwise trusted prankster. For example, a brother.
This has always been available as a setting on iOS and it is not the default. Most companies though will install a profile which enables this to a custom value of retry attempts if you add the company email (typically exchange ) account to your phone
> Protection against what ?

Um, protection against random people wiping your phone maybe?

How do you expect the phone to distinguish between "password entered 10 times incorrectly by asshole" and "password entered 10 times incorrectly by thief"?

If this is a problem with your circle of friends: find new friends, or disable this feature.

Even without TouchID, iirc on previous iPhone models entering an invalid password 10 times would trigger a wipe. So not a new threat -- just balancing maintaining the confidentiality of your data with the DOS risk.
It starts throttling attempts before going full lockdown. But, yeah, don't leave assholes alone with your phone.
There's some aphorism about "assholes" and children which my brain thinks fits here but that same brain won't recall what it is.

Anyhow, my initial thought was, perhaps not an asshole but a child? I could see a child playing with the phone and wiping it in quite short time. But other commenters pointed out it's not the default and there's cloud back-up it doesn't seem a major problem.

The attempts go up quickly. First try, wait a minute. Then 5, then 10, then 30 mins, then an hour, 3 hours, a day, a week etc.
My friend's 12-month old baby reset the unlock code on her mother's phone and they ended up having to wipe it completely in order to recover.
This is completely unrelated, but why do people say "12 months", "18 months", and "24 months" rather than 1 year, 1.5 years, and 2 years? I don't get it. I'd understand if they're younger than a year old (eg "My son is seven months old!"), but not once the age can be expressed in years.
Babies grow fast, so there can be a fairly large difference between twelve months and fourteen months, or fourteen months and eighteen months. You can't express those values well in decimal format, so you can't discuss milestones and development in decimal format. My experience is that people usually switch over to years once the child is older than two.
It's a really neat question, and as a new-ish parent I've given it some thought. In fact, there's even another layer to it: shortly after birth, people tend to count in weeks rather than months.

My guess at an answer is that human beings are more comfortable thinking about numbers that are small integers (between 1 and 20 or so?), and that (roughly speaking) we often want to be able to give a bit more precision than you'd get from just "1" vs. "2".[1]

So for baby growth, parents will talk about how many days old their child is for the first week or so, and then use "weeks" for the first few months, and then use "months" until they're around 2 years old. (There's also a real sense in which the pace of child development seems to progress on a sort of log scale: change is very rapid at first, but gradually slows down. The use of different age units seems to roughly parallel that.)

As an aside, this same human preference is presumably also why the English developed different units for (say) inches, feet, and miles rather than using one of those units for everything. [Side note: is there any common English unit between yards and miles? I grew up using "blocks", which is handy, but that's pretty city-specific.]

[1] By "precision" I'm thinking more or less about "relative uncertainty". If you assume that an integer value is accurate to within +/- 0.5, then the percent uncertainty on 1 or 2 is so large as to make the information almost useless, while the implied uncertainty on a big number like 50 is probably smaller than is justified for most contexts.

Chains & rods are what first sprang to mind, but I don't think they were ever common. The definition of 'furlong' from http://physics.info/system-english/ makes it seem like it could have been in common usage:

  Literally, the length of a furrow. A sensible length for
  farmers that later evolved into the acre, which is discussed
  later in this section. A standard furrow is 220 yards long
  or ⅛ mile
Google's ngram tool makes it seem like it was never a contender with the yard, mile, or league.
Furlongs still are in common usage in certain applications. Horse racing, particularly.
Blocks is a good one, although it's not a formal unit, I generally tend to associate it with about a 1/10 of a mile.
Because there's a lot of difference in development even from month to month, so the extra resolution is needed.
Because numbers like the following are less clear:

- 1.0833 years old: 13 months

- 1.4166 years old: 17 months

- 1.8333 years old: 22 months

So, is it easier to use years on the clean decimals and months whenever it gets hairy, or to just settle on months?

I've read the other replies and my answer is pretty different. I think this has to do with a fact that up until 24 months many toddler-targeted things are spoken of in such fashion:

- Clothes are sized in months 0-3, 3-6 etc.. - During doctor visits you discuss developmental milestones expressed in months.

Etc. You get used to it, since at that age the development of a child is extremely condensed and years simply don't provide enough resolution.

Well, you do have to explicitly turn that option on. It's in no means a default.

If you use the iPhone Configuration Utility, you can even reduce the attempts down 2 before it wipes itself.

I guess it's useful in circumstances where the data on the phone is more valuable than the phone itself.

That is no different than the current situation - enter the PIN code in wrong enough times and phone locks down. There's just an additional (print reader) barrier in the way
> And if they fail to enter my code 10 times, the phone is wiped.

You must not have kids, because that statement scares the shit out of me.

This is a good point. But imagine this attitude is adopted and becomes commonplace. People WILL start becoming lax, and people who should not be storing critical information on their phones, or who don't realize that its critical ARE going to lose their phones and they ARE going to get cracked.

I guess the question at that point is, is a 4-digit code better or worse? I'm not fielding that one...

Uhhh, what?

    Of course, there are civil liberties at issue as well, since Apple could
    potentially share the information collected with governments.
    http://truthseekerdaily.com/2013/09/exclusive-apple-admits-iphone-5s-fingerprint-database-to-be-shared-with-nsa/
This link has many of the hallmarks of bullshit, but it still spooks me.
Link references a satire site. Disappointed to see it's still got legs.
Frankly I just ignore the bullshit-scented links and don't even bother getting spooked; usually if it's real, it will show up again in a less-suspicious place, and I'll pay attention to it then.

It may be an imperfect filter, but just you can't waste your time giving credence to an article on "www.gunsgunsguns.com" about why civilians need automatic weapons, or every other crackpot link.

One issue here is that there is no way to give out unique username/password pairs to each service.

If apple uses this, and google follows, and facebook, twitter, linkedin, my paypal and CoolAppForYorFone(TM) and everything else, then if CoolAppForYourFone(TM) scans my fingerprints, then they have access to everything on all other accounts which use this info.

Once it becomes common, then on street corners, salespeople will ask your opinion on things, "Hi! We're doing a survey this week for Vodaphone - just a quick question - do you think people with android phones or iPhones have sex more often?" and ask you to give a fingerprint to sign it. And most people will.

Or "Hi! We're giving away 20 euros free credit today at PhonesForYou! Just place your finger on the scanner here, and tell us your phone number and we'll send it through!"

We're already trackable enough, why make it easier for scammers with scanners?

"Once your fingerprint is compromised how do you change it?"

This is the central question for all biometrics for me and I believe one of the hardest problems to solve. There are many people who believe they are solving this by using ever more intricate biometric identifiers, thus increasing the bar to reproduce them beyond what they believe currently feasible. But I'm yet to see that central question addressed.

What happens when you lose control of a biometric key?

https://news.ycombinator.com/item?id=6478343

> they'd have a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.

I don't use it, but it seems there's a fallback password after __ failed attemps.

I don't mean to say "what happens if you lose a finger" rather, what happens when your biometric key has been compromised. You can only move on to so many unique body parts before you're out of key changes.
I don't mean to say "what happens if you lose a finger" rather, what happens when your biometric key has been compromised. You can only move on to so many unique body parts before you're out of key changes.
Flagging due to him pointing to an obviously fake story to support his position.
Maybe you should say what story he's pointing to that's obviously fake?

I'm sure you mean the "Apple is sharing fingerprints with the NSA" link...

Well, I've never heard anywhere that Apple was sharing the fingerprints with the NSA. As far as I know, nobody said that... It's just the obvious* default assumption.

And the matter of default assumptions is that you need evidence that they are false. Apple denying it is no evidence. But yeah, the point about the microphone and camera stands.

* And it is obvious, no point is arguing against that. When everybody makes the same assumptin the first time they have a new piece of data, the assumption is obvious.

"As far as I know, nobody said that"

The OP linked to an article which said that, which sourced from the article referenced by the link to the rebuttal I posted.

"And it is obvious, no point is arguing against that."

No, it's really not obvious. Apple made very specific claims about the functionality of their product. Unless you can prove those claims wrong, you're just spreading a conspiracy theory.

Not essential to the main thesis of the article, but still: "But let's just say you're okay with Apple sharing your fingerprints with the NSA, as I've already told you, they're not private at all."

Ok, they are not private but I'd still not willingly put them on anything controlled by an US corporation. Govt sending their agents to collect my fingerprints from glasses? Not feasible, too costly. Agency asking Apple to fetch the fingerprints willingly provided by the population "just in case"? Maybe not today and not tomorrow but in a few years? I wouldn't bet on them not doing it. And once there you're just one false positive away from some serious shit happening to you.

As others have joked: Imagine how much people would freak out if Apple devices had a microphone or a camera capable of recording you surreptitiously!

If you're worried that Apple will roll over for the NSA, and that the NSA will, at some point, be out to get you, the quantity of information they could gather through backdoors on your phone is so astounding that it's hard to understand why hashed fingerprint feature analysis would be the last straw.

To be clear - it's not about the scenario where NSA is already out to get me. Obviously in this case the cost of getting my fingerprints the traditional way doesn't matter anymore. It's the scenario in which NSA gets interested in me because a) I made it easy for them to mass-harvest my fingerprints and b) they happen to get a false match on a terrorists' ashtray or whatever. I'm not convinced that the (hypothetically mass-harvested) material from the camera and microphone has comparable potential for such a false match.
A lot of people have already given their fingerprints to the US Govt - children whose parents enrolled them in "kid safety" programs, teachers, anyone that ever applied for a position of public trust or any kind of background search, people that have applied for concealed carry permits...

The US Govt probably has 3-4 sets of my fingerprints in various data stores across several agencies...and I'm no one special.

This article is missing its own point. Username+password combinations are nothing but an identification means. Fingerprints solve the same purpose.

The issue this article should be trying to shed light on is one of inadequate fingerprint scanners, not that fingerprints themselves are compromised. Make a scanner that requires epidermal prints, and go from there.

A phone screen unlock is not like passwords as used elsewhere. It has to be short; otherwise it is impractical. We know that short passwords don't have much entropy. We also know that we can examine the grease on the screen and make a good guess as to what the password is.

If we consider phone unlocking mechanisms to be in a different "not fully secure, but at least practical" category, then I think it's perfectly acceptable to use a fingerprint as an unlock.

Mitigation is possible too. For example, the phone could lock out and require a proper password if it detects tampering (which, AIUI from other comments, the iPhone does).

Fundamentally, a username and password are parts of the same thing - a collection of information (often a string of text) that you need to get access to something. The 'username' is usually just the part of that isn't necessarily hidden.

Part of the problem is that Apple's iOS has no username, just a password. Thus, one of the differences with a fingerprint 'password' that I haven't seen much discussed is that it would make him harder to share that tablet with his wife, since they can share one four-digit passcode, but not (as far as I know) two different fingerprints. The fingerprint makes it much harder for the popular family use cases between letting one person in and letting everyone in.

Edit: OK, cool, my comment is invalid.

You can setup multiple fingerprints (from multiple people) that can be used to open the phone.
Realistically 1) most people don't use a PIN code, 2) those that do use their birthday MMDD or DDMM.

If you think someone where you work/live might have to tools to lift your fingerprint from a beer bottle or spacebar, you probably have more serious problems than the contents of your iPhone.

I'm sure security nuts will put their iPhone in a shielded box with a coded lock on it, in addition to using (and painfully entering on each unlock) a high entropy passphrase that's as long as possible.

More power to them.

TouchID is a good enough to prevent my daughters from seeing the naughty texts I send to my wife (none of your business either), and that's more or less the level of security TouchID is designed for.

"Fingerprints are usernames" <-- that is an excellent insight.
All security is based on either something you know, something you have, something you are, or a combination of the three.

- A username is something you know.

- A password is something you know.

- A pinpad is something you have.

- A finger print is something you have.

- A finger print is something you are.
You can copy finger prints rather easily, they are something you have.