by 45h34jh53k4j 3490 days ago
Dear IshKebab,

We at startup xyz take security seriously. We regret to inform you that on the night of 1st December 2016 our database was compromised. The database contained your name, address and fingerprint data.

Please see a plastic surgeon about resetting your fingerprints as soon as possible.

Thank you, Startup Xyz

2 comments

Obviously fingerprints can't be used in that situation, but think about something like your front door lock. You don't need paranoia-level security (you probably have breakable windows anyway), but you want to stop random people who aren't motivated enough to steal your fingerprint from walking in.

Or think about locking your phone. Most people only want to stop their friends and family - they're not going to copy your fingerprint. Even the FBI was nearly defeated by TouchID. (You're probably thinking that they could have easily bypassed it, but they only had 48 hours to do so.)

There's a little bit of a difference between breaking a window (noise, glass everywhere) and discreetly walking in through your front door and out with your jewellery.

I don't understand the qualifier "in that situation": the user cannot determine what the "situation" may be at some point in the future.

I do use the fingerprint reader on my iPhone, and I believe that the fingerprint data is never sent to another device. Ever.

There are real problems with using the iPhone fingerprint with apps, in that the app tells me it needs to store an encrypted version of my password on iCloud in order to enable fingerprint unlock. The Bad Guys could get my encrypted password and I might never know.

But I wouldn't have to change my fingerprint in that case.

In the situation where a website stores your fingerprint.

Genuinely surprised to not see this happen yet. I guess it's a good thing Apple and Google are the ones who typically store fingerprints and not third-party apps.

Thankfully, nobody stores full fingerprints, just derivations (sort of like a hash). And, when those are stored, they are so far always stored in secure hardware elements. The data is never accessible from within the OS, and never uploaded anywhere.

Who exactly has been storing fingerprints centrally? I know plenty of devices that store them locally, but have not seen one phoning it home.

The EU is planning to. http://europa.eu/rapid/press-release_IP-16-1247_en.htm:

"The proposed system stores alphanumeric and biometric data (a combination of four fingerprints and the facial image). [...] The System is composed of a central database connected to national entry points."

If/when this comes to be, that database will probably be both well-protected and an incredibly tempting attack target.

Governments have been storing biometric data for decades. I was asking which private company has been doing so - as that is what was being alluded to.

*More to the point, the only way I see a government that stores biometric data being an issue WRT security is if the government is after you (in which case they're likely getting what they want anyway), or if it's a targeted attack from a foreign government (in which case biometric theft is the least of your concerns).

A few examples: USCIS/CBP/DHS (not sure which of them maintains the fingerprint DB) in the USA. UIDAI in India.