You don't need to burn off your fingertips (and other biometric myths)

106 points, by Corrado, over 3 years ago

22 comments

brendangregg, over 3 years ago
For anyone thinking of using fingerprints: there are a number of people, especially some older women (due to a lifetime of hand washing dishes) and chemotherapy survivors, who no longer have legible fingerprints. Insisting all users authenticate with legible fingerprints becomes discriminatory.

I'm not saying fingerprints are bad, just that there must be a process to support those that do not have them.
Comment #28561814 not loaded
Johnny555, over 3 years ago
> I've lost count of the number of times I've heard someone say, "don't use biometrics because you can't change your fingerprints". That's an absurd statement... because you can. There are acids, blowtorches, belt sanders and the good old boxcutter, to name but a few approaches

None of those will change your fingerprints; they'll grow back unless you took off so much skin that your fingers are scarred and the prints won't grow back. Which doesn't really help with the supposed problem that if someone steals your fingerprints, you can't easily change them to another pattern.

> My kids, for one. They're sneaky little buggers and I could envisage them observing my password as I type it into my PC. I can't, however, see them having the sophistication to lift a clean print off a glass, melt down a bunch of gummy bears and create a prosthetic that could fool the fingerprint reader on my PC.

I think it won't be too long until they can dust your fingerprints, take a picture of them, then have them 3D printed on a substrate that will fool a simple fingerprint scanner.
Comment #28559091 not loaded
Comment #28561035 not loaded
Comment #28560267 not loaded
quantified, over 3 years ago
The difference between biometric and password is extremely simple. A password requires your action to provide. A biometric can be taken from you without much force. I may need to torture you or hold you in a cell to get a password, but I can just put the phone to your finger or hold it to your face to get a biometric. (Who can forget Demolition Man?) So the dynamic with the threat actor is very different.

[https://www.universalhub.com/2021/facing-facts-police-say-thieves-downtown-using]

Did I skip over this difference being discussed in the article?
Comment #28560534 not loaded
Comment #28562186 not loaded
Comment #28561805 not loaded
Comment #28560927 not loaded
jrm4, over 3 years ago
I dismissed this guy a long time ago as a Microsoft (or more precisely, mediocre and big-company biased) shill -- then I read a few of his articles and gained a bit of respect for him.

And then I read this and I'm back to square one. Forest/trees, man. He just sounds like he's trying too hard to hand-wave away serious flaws in biometrics by trying to reassure us "well, it's not likely to happen to you personally, so you shouldn't worry about it," which is always, always the worst, and perhaps most dangerous, privacy argument ever given -- because of its unreasonable effectiveness against the "common man."

Done with this guy, I am.
Comment #28561027 not loaded
Comment #28563151 not loaded
Comment #28560973 not loaded
sailfast, over 3 years ago
This article thinks you need to be physically present to steal a fingerprint when OPM stores them on hard drives by the millions that have already been hacked? I'm confused about the conclusions.

"It's okay - you're not worth hacking enough to worry about weaknesses in biometric security" seems like a better title for the assertions made here.
Comment #28559537 not loaded
bb88, over 3 years ago
> We've all since watched enough crime shows to understand that fingerprints are unique personal biometric attributes and to date, no two people have ever been found to have a matching set.

Maybe that's true or not, but that's never been conclusive.

What did happen was that after the 3/11 attacks in Madrid, an American was suspected because his fingerprint was misidentified, partially because of this reasoning.

http://www.latent-prints.com/images/Final%20OIG%20Executive%20Summarylow.pdf
recursive, over 3 years ago
When the biometrics on the client send the credential to the server for authentication, it's going to be serialized somehow. This is the part I'm worried about. I'm not so worried about someone lifting my print off a wine glass. Somehow a print (or iris or face or whatever) is encoded into bits and bytes. And that's going to be handled by every service I want to authenticate with? I don't trust them. Passwords leak all the time from leaky databases. Why wouldn't my fingerprints? The only difference is... I can't change my prints.
Comment #28559683 not loaded
Comment #28559522 not loaded
croes, over 3 years ago
> So, what was required to obtain the print and how does it differ from obtaining a password? […] A knowledge of spy tradecraft, specialist equipment and perhaps most importantly, physical presence.

Physical presence isn't needed, a photo is enough. https://www.dw.com/en/german-defense-minister-von-der-leyens-fingerprint-copied-by-chaos-computer-club/a-18154832

And then try to argue it wasn't you who unlocked your phone and made the expensive purchase because someone stole your fingerprints.
ptx, over 3 years ago
> I've lost count of the number of times I've heard someone say, "don't use biometrics because you can't change your fingerprints". That's an absurd statement... because you can. [...] Thing is though, [...] it really provides no benefit whatsoever to those who've had their biometric secrets revealed.

Why call the statement "absurd" only to essentially agree with it by the end of the paragraph?
dataflow, over 3 years ago
Mostly off-topic, but what do you do when Android forces you to type your password again for "additional security" and you're in front of a bunch of people you can't practically hide your phone from? Do security-conscious folks disable it somehow (and if so, how)? It happens when you least expect it, which makes it actually worse than just a plain password in that respect.
Comment #28562760 not loaded
bigiain, over 3 years ago
I think my favourite USENIX paper is appropriate here:

"Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT." -- https://www.usenix.org/system/files/1401_08-12_mickens.pdf

Good passwords and biometrics help if your adversary is not-Mossad.

Anybody who thinks biometrics or encryption or anything short of "Magical amulets? Fake your own death, move into a submarine?" is going to protect them against a nation-state-level adversary is kidding themselves.
Comment #28562811 not loaded
Comment #28561846 not loaded
Comment #28563537 not loaded
alpb, over 3 years ago
It's worth noting there are some countries out there collecting innocent citizens' fingerprints at the time of common operations such as obtaining a driver's license (presumably to match them later early on). Does a citizen even have any protection against these practices, perhaps with hard to notice prosthetics?
Comment #28562523 not loaded
IndySun, over 3 years ago
Using biometrics is far riskier than passwords at short physical distances. Meaning, if you're in the room with your assailant (alive, sleeping, or dead) then your bio-password is in plain sight. In fact, only your head and/or fingers need be present.
Comment #28563584 not loaded
seanw444, over 3 years ago
This is a bit of a strawman, I'd say. I've never been concerned about someone utilizing MI6 resources to construct a fake duplicate of my prints.

I'm worried about someone using my hand while I'm unconscious, or physically forcing me to do so.
jillesvangurp, over 3 years ago
Use a password manager and sufficiently high entropy passwords and you are fine for now. You can't brute force them, and because you can't remember them, you won't be typing them manually or doing any of the other things that make passwords a problem.

Biometrics are convenient though. I use them with my password manager. For things where it matters, use multi factor authentication. Long term, multi will have to be more than 2. The more factors, the harder it is to break through. For example, I use a separate tool to store my 2FA secrets than my password manager (which can do this). That's almost (not quite) an extra factor. You might call it 2.5FA.
bambax, over 3 years ago
> And when you do unlock your biometric-enabled device, you can do so in front of people whom you wouldn't want to know your PIN. You can be on public transport, standing in a queue or even sitting down at your biometric-enabled PC with a friend and authenticate without disclosing an easily reusable secret.

YES! Both Android and iOS insist we re-type our password at random times when using biometrics, and of course "random time" is always the worst possible time (in the subway, on a plane, etc.)

I don't understand this. Why force me to type a password at the risk of divulging it? What's the point of this?
Comment #28562521 not loaded
Comment #28563735 not loaded
ceejayoz, over 3 years ago
The slides showing passcode adoption going from about half to 90% with Touch ID's addition are fascinating, and an aspect I hadn't considered. Anyone know if the research there is publicly available?
Comment #28559740 not loaded
JohnFen, over 3 years ago
Someone stealing your fingerprints may be more difficult than stealing your password, but you can change your password.

The essay mentions this as an absurd argument, but then completely fails to explain why it's an absurd argument.

He does make a strong case for the use of biometric authentication with the group of people who aren't willing or able to spend any energy on security, but he didn't make the case for why people who are so willing and able should use it.
troyvit, over 3 years ago
Man, I'm not worried so much about malicious state or corporate actors getting my biometrics. I'm worried about the incompetent ones (which is all of them). Those are the guys who collect biometric data, store it, and then lose it. Like my social, once my face is out there I can't get it back. I know that nobody is going to make a copy of my beautiful face to get access to my iPhone, but more about the future when biometrics are used to let us into -- for instance -- a cloud provider's platform[0]. At that point there's no physical device to bypass; it's just a question of sending the right bits to a server. Then my biometrics are defeated and I won't be able to reset them.

(edit: wrong link)

[0] https://www.youtube.com/watch?v=YJg02ivYzSs
wolverine876, over 3 years ago
The arguments are built on hyperbole. People who are concerned are compared with people burning off their fingerprints and anti-vaxxers. For passwords, it's possible for "any kid anywhere in the world with an internet connection to grab troves of them with ease."
Comment #28559125 not loaded
aaron695, over 3 years ago
Chinese Woman Surgically Switches Fingerprints To Evade Japanese Immigration Officers

https://www.popsci.com/technology/article/2009-12/chinese-woman-surgically-switches-fingerprints-evade-japanese-immigation-officers/

> "Use biometrics. It incentivises people to secure more things, it's resilient to all sorts of risks passwords are not and as an added bonus, it makes your digital life a whole lot easier"

The article's conclusion sums up IT well: people being clever talking about the problems with biometrics are the problem.
pope_meat, over 3 years ago
Security is an illusion we must maintain for our mental health.
Comment #28560108 not loaded