Apple's new Fingerprint Sensor

<i>But on my iphone? 1password has had to integrate it’s own browser on it’s iOS app that i need to use if I want a simple way to login to all my sites.</i><p>Please edit the post, this is just ghastly.<p>I would love something like this. I hate signing into apps (mobile banking, in particular, is a pain). It&#x27;ll end up being up to app developers to integrate the new fingerprint APIs though, and I bet you my bank still decides that their stupid username, password, 3 random letters from a &#x27;memorable word&#x27; scheme is more secure.

If Apple&#x27;s hardware implementation is as good as my two year old Motorola Atrix, their customers will love the fingerprint reader. But I, for one, would never entrust all my passwords to Apple&#x27;s closed source software, especially given their record in the area of software quality control.

Almost ten years ago I bought a Logitech keyboard with a fingerprint reader. People were saying that fingerprint readers would be the end of passwords. The keyboard came with a nice piece of software that automatically entered passwords on websites upon a verified fingerprint.<p>It didn&#x27;t happen. I would attribute it to two main frustrations: the readers only worked inconsistently due to particulate build up, and would occasionally have false positives. I think false positives are an inherent risk with fingerprint readers and in any case are not suitable for security as lifting a fingerprint from someone unwittingly is easy.<p>See the Mythbusters episode on stealing a thumbprint: <a href="http://www.youtube.com/watch?v=3Hji3kp_i9k" rel="nofollow">http:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=3Hji3kp_i9k</a>

Fingerprints are great as a security token, but they should not replace passwords completely. Together with a PIN they will be useful.<p>&quot;Led by Stephanie Schuckers, an associate professor of electrical and computer engineering at Potsdam, N.Y.-based Clarkson University, the researchers tested 66 Play-Doh copies of real fingerprints of 11 different people. The fake fingerprints were verified as the real deal 90 percent of the time.&quot;<p><a href="http://www.informationweek.com/biometric-readers-fooled-with-fake-finge/175001741" rel="nofollow">http:&#x2F;&#x2F;www.informationweek.com&#x2F;biometric-readers-fooled-with...</a>

I think prior to release lots of people will lean towards dreaming about fingerprint recognition being built into the glass touchscreen, but I do not think the tech is miniaturized enough yet. I looked into this a while ago and all I could find were a handful of Polish researchers using ultrasound technology which required ultrasound guns around the edges of the glass which reflect the beams off the fingerprint:<p><a href="http://www.optel.pl/article/english/article.htm" rel="nofollow">http:&#x2F;&#x2F;www.optel.pl&#x2F;article&#x2F;english&#x2F;article.htm</a>

In 1997 I got my first job at the local Safeway.<p>To sign on and off, I would enter my 6 digit employee number into a pin pad, then scan my right index finger.<p>It worked about 99% of the time, and mostly only failed because I worked in the meat dept. and often my hands would be extremely hot and wet from soap &amp; hot water, or frozen and numb from handling meat all day. Then I would just use my left index finger.<p>It worked great in 1997, I see no reason it can&#x27;t in 2013.

I don&#x27;t think it&#x27;s a good idea to use fingerprint as a way to authenticate. Fingerprint is not private data. By &quot;private&quot;, I mean as private as a private GPG key. Any fingerprint is able to read a fingerprint as long as you put your finger on it. When there&#x27;re more fingerprint powered applications, it&#x27;s gonna be really easy to steal credentials.<p>You may use a passphrase. But that would be as secure as using a passphrase alone.<p>Fingerprint is the public key. The private key would be your hand + your physical presence. However, since fingerprint itself is public, you can&#x27;t rely on fingerprint to identify physical presence.<p>Unless, you make fingerprint private enough. For example, permanently attach something on to your finger. Instead of providing your fingerprint to third-party application, it generates a key pair based on your fingerprint, and use these keys for authentication.

I wonder if Apple&#x27;s data shows that most people don&#x27;t use passcode locks?

While fingerprints might work as a proof of identity, they should not be a replacement for passwords. Identity is who you are, passwords are authentication, and they are better when kept separate. Besides I cannot look at this issue without being paranoid: Apple is one of the companies that comply with the PRISM program. By putting your fingerprints in their products, you are just giving away more data for survelliance and creating a security &quot;issue&quot; rather than solution. Do we really need this?

I genuinely wonder if with the increase in fingerprint biometrics we will see an increase in crimes resulting in missing fingers?

The more layers of security, the better. A while back, I expressed delight at the potential scenario of using NFC as a layer of security using proximity as a parameter.<p>I&#x27;m sure Apple are aware that storing the &quot;plaintext&quot; equivalent of a finger print would defeat the entire purpose.

There seems to be a lot of focus on replacement of keylock. The wonderful thing about the fingerprint reader is that it effectively enables both the username and password and makes for a much simpler path to supporting multiple users in future iOS releases&#x2F;devices.

The thing about biometric security that always makes me uneasy: when your &quot;password&quot; is compromised, you can&#x27;t reset your fingerprints.

But but iPhone is not he only device I access many sites from. What if I need to sign into the website from my PC and need to use firefox or IE for that?