Firstly I see all biometrics as a <i>username</i> not a password.<p>I assert I am lifeisstillgood - and I enter my shared secret so that pg can make a reasonable assumption that the person he originally told the secret to has not shared it and therefore is at the other end of the transaction.<p>The problem with fingerprint recognition is it is a zero-factor authentication. What we have here is a very long username with say 44 bits of entropy (#). No matter how long that username, it's not a secret. I wander around leaving it everywhere - just like "lifeisstillgood".<p>Without a shared secret, a username is not a sufficient security device - it's just what I am asserting - zero factor authentication is a problem.<p>(#) Now this is an interesting issue. Fingerprints have been assumed to be 100% unique among humans. But with DNA fingerprinting came a confidence level, and now forensic scientists are resisting assigning confidence levels to fingerprints mostly I think for the apocalypse of having to review 30 years of convictions then made unsafe.
I'm glad someone is talking about this. If you set a passcode, iOS encrypts your data with a key derived, in part, from your passcode and a per-device salt; Apple claims that even with access to the device, a nine digit passcode would take 2.5 years to brute force. [1]<p>A fingerprint is only useful for authentication, not key derivation, which makes it effectively useless in protecting your secrets from a determined attacker. As it stands today, my data is encrypted with a key that isn't stored on my device. Unless Apple has developed some kind of fingerprint-based key derivation algorithm, that can't be the case for the hapless user who replaces his passcode with a fingerprint scan.<p>I fear that the innovation announced today is going to make people and their data less safe, not more.<p>[1]: <a href="http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf" rel="nofollow">http://images.apple.com/iphone/business/docs/iOS_Security_Oc...</a>
I would make the following points.<p>1) Not accounting for salting and variations of hashes, one can have at most 19 resets of core biometric assuming the normal number of fingers and toes.<p>2) Biometric fingerprinting merely proves that you have the digit. No proof if said digit is attached to a human (see Hollywood blockbuster!).<p>3) Susceptibility to coercion. It's much harder to refuse to swipe your finger (willingly or otherwise) at the border than to refuse to give up a password.
>Third party must have access to raw data<p>Is there a reason that fingerprints can't be stored as hashes instead of the raw data? It would presumably involve re-enrolling if the fingerprint comparison algorithm gets changed, but how often does that happen?
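An added example, not part of the thread, on the question above about storing fingerprints as hashes and on the earlier comment's point that a fingerprint serves authentication but not key derivation: two scans of the same finger never agree bit for bit, so a password-style digest comparison rejects the legitimate user, while a threshold comparison needs the enrolled template itself. It assumes a template modeled as a 256-bit vector, 8 bits of sensor noise and a 10% match threshold; these are constructed values, not any real sensor's format.

```python
import hashlib
import hmac
import random

TEMPLATE_BYTES = 32      # assumed 256-bit template (constructed model, not a sensor format)
MATCH_THRESHOLD = 0.10   # assumed: accept when at most 10% of bits differ

def random_template(rng):
    return bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))

def noisy_scan(template, flips, rng):
    """Copy of template with `flips` distinct bits inverted (models sensor noise)."""
    out = bytearray(template)
    for pos in rng.sample(range(len(template) * 8), flips):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)

def hamming_fraction(a, b):
    """Fraction of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (len(a) * 8)

def fuzzy_match(enrolled, scan):
    """Threshold comparison: the verifier must hold the template itself."""
    return hamming_fraction(enrolled, scan) <= MATCH_THRESHOLD

def hash_match(enrolled_digest, scan):
    """Password-style check: exact equality of SHA-256 digests."""
    return hmac.compare_digest(enrolled_digest, hashlib.sha256(scan).digest())

def demo(seed=1):
    rng = random.Random(seed)                    # fixed seed, constructed data
    enrolled = random_template(rng)              # finger A at enrollment
    same_finger = noisy_scan(enrolled, 8, rng)   # finger A again, 8 bits off
    other_finger = random_template(rng)          # a different finger
    digest = hashlib.sha256(enrolled).digest()
    return {
        "scan_distance": hamming_fraction(enrolled, same_finger),
        "fuzzy_same": fuzzy_match(enrolled, same_finger),
        "fuzzy_other": fuzzy_match(enrolled, other_finger),
        "hash_same": hash_match(digest, same_finger),
        "hash_exact": hash_match(digest, enrolled),
        "digest_distance": hamming_fraction(
            digest, hashlib.sha256(same_finger).digest()),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `digest_distance` value shows the avalanche effect: 8 flipped input bits change roughly half of the digest bits, so no threshold on digests can recover the match.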