[dpark]

It doesn't answer the question. Passwords can be revoked and you still don't want to leave them everywhere. Need for revocability has nothing to do with maintaining the "secret" and everything to do with mitigating the impact of a compromise.

If a password is leaked, you need to revoke it in order to mitigate the potential damage. If a fingerprint is leaked, do you need to do the same? No, because the security of the fingerprint is not tied to its secrecy. Fingerprints are not secret. They are just hard to reproduce.

Trying to equate fingerprints to passwords or usernames will inevitably result in absurd comparisons because fingerprints are neither of these things. They are an entirely different type of entity.

Fun fact: fingerprint access to banking info on your phone constitutes two factor authentication. Factor one is the fingerprint (something you are). Factor two is the phone containing the already-authenticated app (something you have). Arguably this is a more secure way to access your bank than the typical one factor username+password you would use online.

[vatotemking]

What do you mean by "passwords can be revoked"? I only have one fingerprint and unlike usernames, it cannot be changed. Once an attacker gets hold of my fingerprint i can no longer use it. (This is an honest question btw).

[dpark]

A changed password is revoked. You revoke the old password when you create a new one. So passwords support revocation whereas fingerprints do not. The question posed above is whether the inability to revoke (or change) a fingerprint matters.

[Tagbert]

at least on iOS, the fingerprint works in conjunction with a password. You must enter your password and then, for a limited period of time, you can use your fingerprint for access. The fingerprint is used to generate something more like a session key. If you change your password, the fingerprint no longer gives you access, you have to reauthenticate with the password before the fingerprint will work again.

[brownbat]

> [Fingerprints] are just hard to reproduce.

I think this is the key point. If fingerprints were like public-key authentication mechanisms, they'd be fantastic. If it was mathematically impossible or even just very difficult to fake them just by intercepting previous authentications, that would be incredibly useful.

That's not the case though.

They're easily reproduced in moments using putty[0] or play-doh[1]. Or duplicated using household materials, even from a fingerprint collected from the targeted iOS device itself.[2] Some teams have found difficulty using some of these methods against a MS fingerprint scanner, but still found success using a toy wax kit from Crayola.[3]

But the general point about revocation is this: you should imagine, whenever designing a security system, "what's my fallback when this fails?" Biometrics can fail for lots of reasons, not only due to adversaries.[4] You need to have some idea of how to recover from those failures beyond just insisting that those failures don't happen or are unlikely.

Revocation is a handy fallback in those situations for a lot of systems. It's so common that people probably wrongfully assume it's the only way to recover. Fingerprints can't offer revocation, but they may have other fallbacks. Maybe you have a guard checking photo IDs if a scanner doesn't work for entry to a facility.

Scanners for devices might need to simply fail to require usernames and passwords for some users after they've been compromised. That could still offer convenience for other users, but over time, fewer and fewer users would get that benefit.

Or maybe fingerprints are just not designed to be that secure, and maybe that's ok. Anyone can get through the standard household locks in seconds with about 30 minutes max of research on youtube. They're not perfect security and not intended to be, they just put a small barrier (mostly social) to prevent the most nuisance level entries.[5]

[0] http://www.puttyworld.com/thinputdeffi.html

[1] https://secure.marketwatch.com/story/this-company-hacked-an-...

[2] http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren.en

[3] http://www2.washjeff.edu/users/ahollandminkley/Biometric/ind...

[4] See Yager and Dunstone on the Biometric Menagerie for an interesting classification system for the wide variety of failure cases you have to tune any biometric system against.

[5] If you want more about this philosophy / interpretation of locks and security, or even if you don't, there are fewer better ways to spend an hour than by listening to the brilliant Schuyler Towne at RVAsec on the history and social function of locks and lock-making. No seriously, it's amazing. https://www.youtube.com/watch?v=3nROJz_UNQY

EDIT: moderated my views in the last two paras, sorry for any whiplash.

[dpark]

So there are two things I would like to address. First, fingerprints do not need to be cryptographically secure to be sufficient for a great many purposes. As you noted, a house lock can be picked in seconds by someone with moderate skill and yet they are sufficient for physical security on most cases.

Second, and more important, we need to stop pretending that passwords actually work well when we have these sorts of conversations. The reality is that most people reuse the same passwords everywhere and when they are forced to use secure/unique passwords they cope by doing things like writing them down on sticky notes attached to their monitors. The reality is that most people are probably using a compromised password for their bank access because they used the same password on a dozen sites that have been compromised. When we compare fingerprint security to passwords, we need to stop comparing it to the mythical unique passphrase because essentially no one is using that.

I'll also point out that copying someone's fingerprint when they cooperate by taking a clay mold is quite different from lifting a fingerprint off, e.g., a glass. But nonetheless, I do not dispute that it is quite feasible to clone fingerprints.