
    Finger Prints Are Not Passwords

    • scottalanmillerS
      scottalanmiller
      last edited by

      It is the assumption that biometrics are secret that causes such problems. I propose that we make all biometrics public - breaking any assumption of privacy. This might fix these issues. Maybe even make it a crime to use public knowledge of ID as a password.

      The concerns here are not that biometrics are not secure, but that some devices will accept that you "know of" the biometrics, not that you can provide the biometrics themselves. Does that make sense?

      1 Reply Last reply Reply Quote 0
      • nadnerBN
        nadnerB @scottalanmiller
        last edited by

        @scottalanmiller said:

        If you had my fingerprints AND you had my iPhone AND I used fingerprints for iPhone access.... how would you get into my iPhone?

        Sticky tape 😉

        Since my thoughts aren't usually considered patters, here's how sticky tape is your undoing. I think you lot call it cello tape but anyhoo.
        ...
        Sticky tape traps your fingerprints (on the sticky side, duh)

        • stick the sticky side to the sticky side of another bit of sticky tape
          One finger print... taaa daaa

        • Put newly minted finger print on finger print reader and cover with palm of your hand (hand needs to make contact with iPhone and sticky tape). Swipe down if that's what you do with it.

        You are defeated... in theory... 😄

        scottalanmillerS 1 Reply Last reply Reply Quote 1
        • scottalanmillerS
          scottalanmiller @nadnerB
          last edited by

          @nadnerB said:

          If you had my fingerprints AND you had my iPhone AND I used fingerprints for iPhone access.... how would you get into my iPhone?

          Sticky tape 😉

          How do you transfer the digital signature of my fingerprints onto sticky tape?

          nadnerBN 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            Two issues with the common ideas around the issue.

            1. The stolen fingerprints are digital, not physical. So you need some complicated 3D printer mechanism to turn the model of the fingerprint into something that can be leveraged in the physical world. (At least for the situation mentioned in the OP. If you are fearing physical theft of fingerprints, that's a different issue and different concerns.)

            2. The thing that is stolen isn't actually a fingerprint at all. It is a digital signature created from a fingerprint. Think a SHA hash of it. So even if you have it, likely there is no way at all to recreate my actual fingerprint. In order to use it you have to attack the device from which it was stolen, or at least one using the same hash mechanism and salt, and attack it from the position of having already bypassed the fingerprint reader and talking directly to the security mechanism "as if you were the fingerprint reader."

            It requires not only compromising your fingerprint but compromising the device as well. It's an important risk to think about and consider, but it is also important to keep it in context. The issue, in this specific case, is the security mechanism has been compromised, not your fingerprint.

            In the context of passwords, the same type of shim could get a hashed password after it has been entered and theoretically replay that too with the same concerns. But you could not use that to recreate the original password and attack other devices without having the same encryption, same salt and same shim.

            nadnerBN 1 Reply Last reply Reply Quote -1
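The post above argues that a stolen salted digest is only useful against the device it came from, and only to someone already positioned between the sensor and the matcher. The sketch below is an added example, not part of the thread or any vendor's code: it models the template the way the post does (a salted SHA-256 digest, a simplification), and the `Device` class, its method names and the sensor-to-matcher pairing key are all hypothetical.

```python
import hashlib
import hmac
import os


def template_digest(salt: bytes, template: bytes) -> bytes:
    """Salted digest of a template, standing in for the post's 'SHA hash'."""
    return hashlib.sha256(salt + template).digest()


class Device:
    """Hypothetical device: a sensor plus the matcher that has to trust it."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)       # per-device salt
        self.pair_key = os.urandom(32)   # assumed secret shared by sensor and matcher
        self.enrolled = b""
        self._pending = None             # outstanding single-use challenge

    def enroll(self, template: bytes) -> None:
        self.enrolled = template_digest(self.salt, template)

    # Sensor side
    def sensor_read(self, template: bytes) -> bytes:
        return template_digest(self.salt, template)

    def sensor_respond(self, template: bytes, nonce: bytes) -> bytes:
        digest = self.sensor_read(template)
        return hmac.new(self.pair_key, nonce + digest, hashlib.sha256).digest()

    # Matcher side
    def match_blind(self, digest: bytes) -> bool:
        """Accepts any digest that arrives on the sensor bus, whoever sent it."""
        return hmac.compare_digest(digest, self.enrolled)

    def new_challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def match_bound(self, response: bytes) -> bool:
        """Accepts only a response keyed to the current challenge and pairing key."""
        nonce, self._pending = self._pending, None   # a challenge is used once
        if nonce is None:
            return False
        expected = hmac.new(self.pair_key, nonce + self.enrolled,
                            hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def run_scenarios() -> dict:
    finger = b"constructed-template-bytes"   # constructed sample input
    phone_a, phone_b = Device(), Device()
    phone_a.enroll(finger)
    phone_b.enroll(finger)

    # What a shim sitting on phone A's sensor bus would capture.
    stolen = phone_a.sensor_read(finger)
    results = {
        # Same device, matcher trusts the bus: the captured digest is accepted.
        "replay_same_device_blind": phone_a.match_blind(stolen),
        # Different device, different salt: the same digest is useless.
        "replay_other_device_blind": phone_b.match_blind(stolen),
    }

    # Matcher bound to the sensor by challenge-response.
    nonce = phone_a.new_challenge()
    captured = phone_a.sensor_respond(finger, nonce)
    results["live_read_bound"] = phone_a.match_bound(captured)

    phone_a.new_challenge()                   # fresh challenge, old response
    results["replay_captured_response_bound"] = phone_a.match_bound(captured)

    nonce = phone_a.new_challenge()           # digest known, pairing key not
    forged = hmac.new(b"\x00" * 32, nonce + stolen, hashlib.sha256).digest()
    results["forged_without_pair_key_bound"] = phone_a.match_bound(forged)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
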
            • nadnerBN
              nadnerB @scottalanmiller
              last edited by

              @scottalanmiller said:

              @nadnerB said:

              If you had my fingerprints AND you had my iPhone AND I used fingerprints for iPhone access.... how would you get into my iPhone?

              Sticky tape 😉

              How do you transfer the digital signature of my fingerprints onto sticky tape?

              Clearly the silliness of my post didn't make it to Spain. 😛

              scottalanmillerS 1 Reply Last reply Reply Quote 0
              • nadnerBN
                nadnerB @scottalanmiller
                last edited by

                @scottalanmiller said:

                Two issues with the common ideas around the issue.

                1. The stolen fingerprints are digital, not physical. So you need some complicated 3D printer mechanism to turn the model of the fingerprint into something that can be leveraged in the physical world. (At least for the situation mentioned in the OP. If you are fearing physical theft of fingerprints, that's a different issue and different concerns.)

                2. The thing that is stolen isn't actually a fingerprint at all. It is a digital signature created from a fingerprint. Think a SHA hash of it. So even if you have it, likely there is no way at all to recreate my actual fingerprint. In order to use it you have to attack the device from which it was stolen, or at least one using the same hash mechanism and salt, and attack it from the position of having already bypassed the fingerprint reader and talking directly to the security mechanism "as if you were the fingerprint reader."

                It requires not only compromising your fingerprint but compromising the device as well. It's an important risk to think about and consider, but it is also important to keep it in context. The issue, in this specific case, is the security mechanism has been compromised, not your fingerprint.

                In the context of passwords, the same type of shim could get a hashed password after it has been entered and theoretically replay that too with the same concerns. But you could not use that to recreate the original password and attack other devices without having the same encryption, same salt and same shim.

                I think people are a little paranoid about being framed or tracked by a government/ other body with an extensive fingerprint db. So if the hash is stolen from the device, add a few tablespoons of paranoia and your fingerprints are now a part of the database.

                I don't see how this is any different than having your fingerprint found on public transport, a glass door or anywhere public when they get dusted at a crime scene

                scottalanmillerS 1 Reply Last reply Reply Quote 1
                • tonyshowoffT
                  tonyshowoff
                  last edited by

                  God, out of all biometrics, I really hate finger print probably the most. There's zero scientific evidence they're unique and the manner in which they're matched is dubious at best and always has been. Hell, there have been people convicted for matching finger prints when they turned out to actually be innocent. Consider also finger prints can slightly change over time or even drastically depending on various environmental factors and a lot of matching is left to human judgement, even after computers match them for crimes.

                  1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by

                    @scottalanmiller said:

                    @Dashrender said:

                    @scottalanmiller said:

                    @thecreativeone91 said:

                    @scottalanmiller said:

                    @thecreativeone91 said:

                    @scottalanmiller said:

                    @thecreativeone91 said:

                    @scottalanmiller said:

                    Now read that again but replace the word "password" for fingerprint and guess what - the same security vulnerability

                    Passwords can be changed. No big deal.

                    Same deal. You can disable the use of biometrics if you know that they are compromised. The issue here is being able to shim inside the system. Once you can do that, the security game is over. Biometrics, passwords, whatever. Doesn't matter.

                    Yeah you go ahead and cut off your fingers, you can't change your finger prints. Disabling biometrics doesn't fix the stolen/compromised information.

                    How exactly does it not? If you have my fingerprints, how will you access my systems unless you have a shim already between the sensor and the security system that has to trust said sensor?

                    Give me an ACTUAL vulnerability here. I don't see one. I see a fear of identity being stolen, but the actual fear is in people trusting ID when there is no trustworthy sensor.

                    Again, you are assuming the only place these will be used is on a sensor.

                    No, I'm assuming your prints are public. I want an example of what you are concerned about. If you have my prints, you can't use them to access anything, anywhere. Sure, you could, in theory, set up new accounts somewhere and claim to be me, but since my fingerprints don't give you access to anything of mine, you are no different than if we had a password collision. Doesn't impact me in any way.

                    If I have your fingerprints I can't get into your iPhone? Then I guess you're not using the sensor on your iPhone, good for you (I'm serious, good for you).

                    If you had my fingerprints AND you had my iPhone AND I used fingerprints for iPhone access.... how would you get into my iPhone? Are you planning to use a really intense 3D printer to print copies of my finger?

                    While theoretically possible, is this practically possible? There are probably far easier ways to break into my iPhone if you had physical access to it like that. Like pulling the storage out of it and brute forcing the encryption. You are talking about a pretty major security effort here, one that breaches the key rule of security - it is harder to crack than the value of the data is. Nothing is impenetrable, that's never the point. The point is to make things practically useless to break into and I think that this clearly qualifies.

                    When the fingerprint technology came to iPhone some group (I forget who now) showed that a print could be lifted (granted this was the toughest part - obtaining a good print) and a fake created pretty easily. The process they showed was much easier than trying to bruteforce the encryption in the phone.

                    Now I'll give you that the effort would probably not be worth it in most cases as the data on said phone would not be worth this effort of less than one day to achieve, but showed that it was clearly possible. The reader in the case of the iPhone makes no attempt to ensure the print is coming from a living being.

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @nadnerB
                      last edited by

                      @nadnerB said:

                      @scottalanmiller said:

                      @nadnerB said:

                      If you had my fingerprints AND you had my iPhone AND I used fingerprints for iPhone access.... how would you get into my iPhone?

                      Sticky tape 😉

                      How do you transfer the digital signature of my fingerprints onto sticky tape?

                      Clearly the silliness of my post didn't make it to Spain. 😛

                      A lot of people think that tape of that nature would work.

                      MattSpellerM 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @nadnerB
                        last edited by

                        @nadnerB said:

                        @scottalanmiller said:

                        Two issues with the common ideas around the issue.

                        1. The stolen fingerprints are digital, not physical. So you need some complicated 3D printer mechanism to turn the model of the fingerprint into something that can be leveraged in the physical world. (At least for the situation mentioned in the OP. If you are fearing physical theft of fingerprints, that's a different issue and different concerns.)

                        2. The thing that is stolen isn't actually a fingerprint at all. It is a digital signature created from a fingerprint. Think a SHA hash of it. So even if you have it, likely there is no way at all to recreate my actual fingerprint. In order to use it you have to attack the device from which it was stolen, or at least one using the same hash mechanism and salt, and attack it from the position of having already bypassed the fingerprint reader and talking directly to the security mechanism "as if you were the fingerprint reader."

                        It requires not only compromising your fingerprint but compromising the device as well. It's an important risk to think about and consider, but it is also important to keep it in context. The issue, in this specific case, is the security mechanism has been compromised, not your fingerprint.

                        In the context of passwords, the same type of shim could get a hashed password after it has been entered and theoretically replay that too with the same concerns. But you could not use that to recreate the original password and attack other devices without having the same encryption, same salt and same shim.

                        I think people are a little paranoid about being framed or tracked by a government/ other body with an extensive fingerprint db. So if the hash is stolen from the device, add a few tablespoons of paranoia and your fingerprints are now a part of the database.

                        I don't see how this is any different than having your fingerprint found on public transport, a glass door or anywhere public when they get dusted at a crime scene

                        Exactly. The government has my fingerprints from SO many places. Some of them official. I've worked for the state, for the fed, for the military, for banking that worked for the gov't, for foreign governments... some of which require those fingerprints up front. Some just could gather them if they wanted them. I've had to go through police and FBI checks. My wife had to do similar for teaching. The gov't has my fingerprints, no question there.

                        1 Reply Last reply Reply Quote 0
                        • MattSpellerM
                          MattSpeller @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          A lot of people think that tape of that nature would work.

                          It's been shown to work with many different techniques against many different types of finger print scanner.

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said:

                            @scottalanmiller said:

                            @Dashrender said:

                            @scottalanmiller said:

                            @thecreativeone91 said:

                            @scottalanmiller said:

                            @thecreativeone91 said:

                            @scottalanmiller said:

                            @thecreativeone91 said:

                            @scottalanmiller said:

                            Now read that again but replace the word "password" for fingerprint and guess what - the same security vulnerability

                            Passwords can be changed. No big deal.

                            Same deal. You can disable the use of biometrics if you know that they are compromised. The issue here is being able to shim inside the system. Once you can do that, the security game is over. Biometrics, passwords, whatever. Doesn't matter.

                            Yeah you go ahead and cut off your fingers, you can't change your finger prints. Disabling biometrics doesn't fix the stolen/compromised information.

                            How exactly does it not? If you have my fingerprints, how will you access my systems unless you have a shim already between the sensor and the security system that has to trust said sensor?

                            Give me an ACTUAL vulnerability here. I don't see one. I see a fear of identity being stolen, but the actual fear is in people trusting ID when there is no trustworthy sensor.

                            Again, you are assuming the only place these will be used is on a sensor.

                            No, I'm assuming your prints are public. I want an example of what you are concerned about. If you have my prints, you can't use them to access anything, anywhere. Sure, you could, in theory, set up new accounts somewhere and claim to be me, but since my fingerprints don't give you access to anything of mine, you are no different than if we had a password collision. Doesn't impact me in any way.

                            If I have your fingerprints I can't get into your iPhone? Then I guess you're not using the sensor on your iPhone, good for you (I'm serious, good for you).

                            If you had my fingerprints AND you had my iPhone AND I used fingerprints for iPhone access.... how would you get into my iPhone? Are you planning to use a really intense 3D printer to print copies of my finger?

                            While theoretically possible, is this practically possible? There are probably far easier ways to break into my iPhone if you had physical access to it like that. Like pulling the storage out of it and brute forcing the encryption. You are talking about a pretty major security effort here, one that breaches the key rule of security - it is harder to crack than the value of the data is. Nothing is impenetrable, that's never the point. The point is to make things practically useless to break into and I think that this clearly qualifies.

                            When the fingerprint technology came to iPhone some group (I forget who now) showed that a print could be lifted (granted this was the toughest part - obtaining a good print) and a fake created pretty easily. The process they showed was much easier than trying to bruteforce the encryption in the phone.

                            Now I'll give you that the effort would probably not be worth it in most cases as the data on said phone would not be worth this effort of less than one day to achieve, but showed that it was clearly possible. The reader in the case of the iPhone makes no attempt to ensure the print is coming from a living being.

                            Now this makes far more sense, but I have to point out it is completely unlike what the OP article is about, which is a digital shim method. Yes, absolutely, we can lift physical prints and sensors that don't do any verification are going to allow you to fake the biometrics pretty easily. This is a dramatically more "real" fear. Especially as lifting the print FROM the iPhone is unnecessary. Get it from a glass, door handle, police database, etc.

                            This is a much more real fear and one that exists with or without the iPhone. The only risk on an iPhone (or Android or whatever) is that someone wants to get into the device so much that they would do this. If that is the case, you need to rethink what you are using your iPhone for 🙂

                            All the fear of how people might use fingerprints beyond your device itself exists with or without the use of fingerprints as an unlocking mechanism.

                            This is also why the fingerprint is a DEVICE level unlock. You can have some pretty serious security on individual apps if you need it. Like Good Mail provides.

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @scottalanmiller
                              last edited by

                              @scottalanmiller said:

                              All the fear of how people might use fingerprints beyond your device itself exists with or without the use of fingerprints as an unlocking mechanism.

                              This was my whole point, but you're right I became disconnected from the OP.

                              Fingerprints are too easy to fake and really provide no level of verification without at least one additional factor.

                              scottalanmillerS 1 Reply Last reply Reply Quote 1
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said:

                                Fingerprints are too easy to fake and really provide no level of verification without at least one additional factor.

                                Yes, fingerprints are easy to fake IF you don't trust the sensor. If you can trust the sensor (meaning that you know a human is really being tested, there isn't something fake being used, it's a real person, etc.) then they are extremely hard to fake. While possible, I'm not aware of any technology to bypass a trusted sensor. Only a blind one that doesn't fully verify what is being used. The iPhone sensor, or even pulling prints from a crime scene, is untrusted - there is no verification or attempt at verification that a real person was there or that a finger was used to make the prints, it is just a verification that you know the print in question, not that it is yours.

                                Although, to be fair, that's all that a passcode is too, for the most part. Now one is "public" and part of an ID and one is not, but in many cases the result is the same. When a passcode is just a four digit number, it is almost trivial to capture and replay. And there is no concept of verification making it that much more dangerous.

                                1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender
                                  last edited by

                                  Very true, and most commercial sensors today are untrusted.

                                  I know MS is working on technology for logging into computers (they claim that it will be part of Windows 10) that will verify that you're a real person, etc - though from what I've heard about the connectx technology - two different people walk into the room.. the XBOX thinks they are the same person - I'm not sure how much I trust at this point either.

                                  MattSpellerM scottalanmillerS 2 Replies Last reply Reply Quote 1
                                  • MattSpellerM
                                    MattSpeller @Dashrender
                                    last edited by

                                    @Dashrender I'm not sure how much I want a cached digital "signature" of my person to be floating around either (voice, face, etc)

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said:

                                      Very true, and most commercial sensors today are untrusted.

                                      I know MS is working on technology for logging into computers (they claim that it will be part of Windows 10) that will verify that you're a real person, etc - though from what I've heard about the connectx technology - two different people walk into the room.. the XBOX thinks they are the same person - I'm not sure how much I trust at this point either.

                                      Granted. No one seems to care about verifying anything about the reality of what is being read. But if we cared, fingerprints aren't perfect but pretty reliable.

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @MattSpeller
                                        last edited by

                                        @MattSpeller said:

                                        @Dashrender I'm not sure how much I want a cached digital "signature" of my person to be floating around either (voice, face, etc)

                                        And now Apple has started using your heartbeat to bio-recognize you too!

                                        MattSpellerM DashrenderD 2 Replies Last reply Reply Quote 1
                                        • MattSpellerM
                                          MattSpeller @scottalanmiller
                                          last edited by

                                          @scottalanmiller Fortunately my defences against that are hardened. I have a deep allergic reaction to fruity brands.

                                          DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 1
                                          • DashrenderD
                                            Dashrender @MattSpeller
                                            last edited by

                                            @MattSpeller said:

                                            @scottalanmiller Fortunately my defences against that are hardened. I have a deep allergic reaction to fruity brands.

                                            LOL - I follow this allergy too..

                                            1 Reply Last reply Reply Quote 0