[junker101]

I think you may also be misconstruing the point. Saying that fingerprints aren't passwords is _not_ the same as saying a fingerprint shouldn't be required to unlock a phone. (as with most web logins, its userid + password. But shouldn't be one or the other)

The key point though is that security tokens must be changeable/revocable and and bio-metric data is not-so-much.

[giovannibajo1]

Please describe the threat model in which fingerprint is insecure because it can't be revoked. Without threat model, evaluation of "security" is useless

[tniswong]

When you walk around in your daily life, do you write your password down on everything you touch? Why not?

[dpark]

How is this strawman even a little bit relevant to the question posed? You don't write your password down on everything you touch even though it is revocable.

[jschwartzi]

That's the point. You do leave fingerprints on things you touch. Fingerprints that can be copied.

[dpark]

It doesn't answer the question. Passwords can be revoked and you still don't want to leave them everywhere. Need for revocability has nothing to do with maintaining the "secret" and everything to do with mitigating the impact of a compromise.

If a password is leaked, you need to revoke it in order to mitigate the potential damage. If a fingerprint is leaked, do you need to do the same? No, because the security of the fingerprint is not tied to its secrecy. Fingerprints are not secret. They are just hard to reproduce.

Trying to equate fingerprints to passwords or usernames will inevitably result in absurd comparisons because fingerprints are neither of these things. They are an entirely different type of entity.

Fun fact: fingerprint access to banking info on your phone constitutes two factor authentication. Factor one is the fingerprint (something you are). Factor two is the phone containing the already-authenticated app (something you have). Arguably this is a more secure way to access your bank than the typical one factor username+password you would use online.

[vatotemking]

What do you mean by "passwords can be revoked"? I only have one fingerprint and unlike usernames, it cannot be changed. Once an attacker gets hold of my fingerprint i can no longer use it. (This is an honest question btw).

[Tagbert]

at least on iOS, the fingerprint works in conjunction with a password. You must enter your password and then, for a limited period of time, you can use your fingerprint for access. The fingerprint is used to generate something more like a session key. If you change your password, the fingerprint no longer gives you access, you have to reauthenticate with the password before the fingerprint will work again.

[brownbat]

> [Fingerprints] are just hard to reproduce.

I think this is the key point. If fingerprints were like public-key authentication mechanisms, they'd be fantastic. If it was mathematically impossible or even just very difficult to fake them just by intercepting previous authentications, that would be incredibly useful.

That's not the case though.

They're easily reproduced in moments using putty[0] or play-doh[1]. Or duplicated using household materials, even from a fingerprint collected from the targeted iOS device itself.[2] Some teams have found difficulty using some of these methods against a MS fingerprint scanner, but still found success using a toy wax kit from Crayola.[3]

But the general point about revocation is this: you should imagine, whenever designing a security system, "what's my fallback when this fails?" Biometrics can fail for lots of reasons, not only due to adversaries.[4] You need to have some idea of how to recover from those failures beyond just insisting that those failures don't happen or are unlikely.

Revocation is a handy fallback in those situations for a lot of systems. It's so common that people probably wrongfully assume it's the only way to recover. Fingerprints can't offer revocation, but they may have other fallbacks. Maybe you have a guard checking photo IDs if a scanner doesn't work for entry to a facility.

Scanners for devices might need to simply fail to require usernames and passwords for some users after they've been compromised. That could still offer convenience for other users, but over time, fewer and fewer users would get that benefit.

Or maybe fingerprints are just not designed to be that secure, and maybe that's ok. Anyone can get through the standard household locks in seconds with about 30 minutes max of research on youtube. They're not perfect security and not intended to be, they just put a small barrier (mostly social) to prevent the most nuisance level entries.[5]

[0] http://www.puttyworld.com/thinputdeffi.html

[1] https://secure.marketwatch.com/story/this-company-hacked-an-...

[2] http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren.en

[3] http://www2.washjeff.edu/users/ahollandminkley/Biometric/ind...

[4] See Yager and Dunstone on the Biometric Menagerie for an interesting classification system for the wide variety of failure cases you have to tune any biometric system against.

[5] If you want more about this philosophy / interpretation of locks and security, or even if you don't, there are fewer better ways to spend an hour than by listening to the brilliant Schuyler Towne at RVAsec on the history and social function of locks and lock-making. No seriously, it's amazing. https://www.youtube.com/watch?v=3nROJz_UNQY

EDIT: moderated my views in the last two paras, sorry for any whiplash.

[brownbat]

Here's the situation: adversaries are using a set of compromised credentials to fraudulently access a system.

The next step is revocation and reissuing credentials.

You cannot revoke someone's fingerprints. Or at least they'll probably object once you fire up the blowtorch.

Are you familiar with the biometric menagerie? http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=4...

Sorry that's gated, but tl;dr, there are marginal cases in biometric systems where some individual's data doesn't work well, or messes with the recognition/exclusion of others.