Your Unhashable Fingerprints Secure Nothing

Fingerprint ID sounds super-cyber-state-of-the-art, but really it’s just meat. Quite primitive. Here’s a great article from Elliot Williams on Hackaday about why fingerprints, however snazzy they may sound, are already outdated as security.

Your pull quote:

Passwords are supposed to be secret, like the name of your childhood pet. In contrast, you carry your fingers around with you out in the open nearly everywhere you go. Passwords also need to be revocable. In the case that your password does get revealed, it’s great to be able to simply pick another one. You don’t want to have to revoke your fingers. Finally, and this is the kicker, you want your password to be hashable, in order to protect the password database itself from theft.

And an excellent quote from the 2600 group on Fedbook:

Jason Barbier Ive said it once, Ill say it some more, BIOMETRICS ARE NOT PASSWORDS. Your fingerprint, retina, nose print, whatever flavor of the month of using your body to identify you is your username. In an ideal security picture you would use a username or fingerprint to tell the computer who you are, then a passprase and some sort of one time token to verify that you are who you say you are.

Amen.

Source: Your Unhashable Fingerprints Secure Nothing

Advertisements


Categories: Hackers

2 replies

  1. Biometrics could end up pleasing criminals.

    Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

    Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

    In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

    Like

Trackbacks

  1. Your Unhashable Fingerprints Secure Nothing | Forensic News

Well, tell us what you think!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: