by bodz 3206 days ago
The "door lock" analogy ignores the biggest flaw with fingerprints: they're forever.

If your door lock is compromised, you can change the key. If someone steals your password, you can change the password. If someone steals your fingerprint, you can never change your fingerprint (same with your face).

The other stuff is dead-on: it's a "good enough" security measure for phones. But as a security practitioner, the biggest problem IMO is that Apple using TouchID and FaceID is giving the general public the wrong idea about security. Apple claims that these innovations are "cutting edge" security, and so consumers buy into this and then also use fingerprints to secure things like their bank accounts, work logins, password vaults (this is a big one - someone steals your phone and you use your fingerprint to access your LastPass account, which has all of your passwords in it? And your phone is also your 2FA device? You're screwed.) etc, where they really aren't "good enough" at all.

I've worked at companies where we disabled fingerprint logins on certain devices because highly sensitive info is held on those devices, and fingerprints just aren't secure enough to protect them. Then we get yelled at by people from the company because "Apple says fingerprints are the best for security, why aren't you letting us use them?" It's a pain.


> ignores the biggest flaw with fingerprints: they're forever.

The second biggest flaw being your phone is covered in your fingerprints!

It's a sad state. I've heard wealthy and influential investors talk about how they don't think real 2FA is worth anything, because they just want to use their finger for everything. No matter how easy or hard it is to steal, the major problem is that you only have 10 fingers. If all of them get compromised we still need something else.

> you can never change your fingerprint

Not quite true from the phone's perspective. Most people have nine backups to fall back on if they really need to.

>If someone steals your fingerprint, you can never change your fingerprint (same with your face).

Because you expect repeated attacks from the person who stole your fingerprints? Who are you, James Bond?

It doesn't have to be a repeated attack from the same attacker.

Imagine your fingerprint data is leaked to hundreds of hackers.

And many of those hackers (or even one of them) care enough to (a) steal your phone, (b) fake your fingerprints with a cast or whatever?

Yeah, I'll risk it...

The OPM hack resulted in millions of people's fingerprints and names being hacked, and they are now floating out on the internet for anyone to look up.

Individuals who had their fingerprints stolen in that hack can now never use fingerprint readers with any reasonable confidence, since now all a hacker has to do is search that person's name and pull their fingerprint from one of the aforementioned databases.

> fake your fingerprints with a cast

Fingerprint scanners like those on phones have been shown to be able to be fooled by using $10 worth of office supplies and some play-dough. It's not like we're talking mastermind levels of intelligence to do this stuff.

Of course, all of this completely ignores the fact that your phone likely already has several copies of your fingerprint already on it since you touched it, so it's not like someone hacking your fingerprints is even necessary. That's an entirely different reason of why fingerprint security is abysmal, though.

People keep saying fingerprints are all over the internet but I have seen no actual proof (1) how you can steal an iPhone fingerprint record (2) how you can use this data to generate a fake fingerprint sufficient to open the iPhone or even (3) copy a fingerprint off of the outside of the phone and open the iPhone.

1) You don't, but the iPhone Secure Enclave is not what he's talking about. He means fingerprints on the glass.

2) Google "touchid hack"; there are videos on YouTube.

3) Not super likely as usually you'll only find rough partials, but as the previous poster mentioned, there have been government hacks that have leaked biometric data.

Ok, how about this. Imagine if MILLIONS of fingerprints are leaked, in some sort of wide net security break, and now any script kiddie can hack ~50% of phones?

I imagine it. So? How exactly is this kiddie (or any kiddie) gonna also GET my phone?

(That said I never had a phone lost or stolen. People who tend to have them so might feel differently).

https://www.xkcd.com/538/ applies.

Neither Touch ID nor passwords keep determined intruders out. If someone really wants to know what's on your phone, they will arrest/kidnap you and threaten you with prison/violence.

No security is going to keep "determined" intruders out. But the point is that you should still strive to achieve "good enough" security.

The problem is that while the actual ranking from least secure to most secure is "nothing < touchid/faceid < passcode", Apple's marketing and implementation gives people the false impression that it's "nothing < passcode < touchid/faceid", which is bad for security.

I think "nothing < passcode < touchid/faceid" might be true for a startling number of people. I've seen many people with ridiculously easy passcodes and even funnier Android patterns (e.g., one of my colleagues uses his first initial as his Android unlock pattern, and my mom uses her dog's name as her passcode).

So Touch/FaceID isn't better than a good passcode, but maybe it's better than a crappy passcode.

And TouchID/FaceID that people use is way better than passcodes they do not because they're a pain in the arse.

I noticed a distinct improvement in the speed of the TouchID unlock going from an iPhone 6 to a 7, which pretty much reduced all friction to me using it. Apple's marketing fluff suggests FaceID will be "twice as fast" as TouchID.

I could be wrong, but doesn't a passcode actually encrypt the data (for sure on password manager/banking/etc apps) whereas FaceID/TouchID/<insert biometric here> doesn't? And what about hashing? AFAIK you can't really hash biometrics.

With Touch ID and Face ID, you are required to have a passcode. What's the point of Touch ID if it fails and doesn't have any other way into the phone? As for hashing biometrics, Apple has the Secure Enclave which is for storing the biometrics.

Isn't there a danger of providing 10 wrong passwords and thus triggering the built-in data deletion?
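The exchange above turns on three points: a passcode can be hashed or turned into an encryption key, a biometric cannot (every sensor reading differs slightly, so it has to be matched by closeness against a stored template), and the biometric path therefore only gates access and falls back to the passcode after a limited number of failures. The toy model below, written for this page and not Apple's or anyone else's implementation, makes those three behaviours concrete in Python. The 64-bit "templates", the salt handling, the `MAX_BIO_FAILS` limit and the `DeviceLock` class are all constructed for illustration; the real device's counters and key hierarchy are not described on the page.

```python
"""Toy model: passcode -> key by KDF; biometric -> nearest-match gate that
caches the passcode-derived key and locks out after too many failures.
Simplified illustration written for this discussion, not a real phone's design."""
import hashlib
import hmac
import secrets

# Constructed 64-bit stand-ins for fingerprint feature data (not real templates).
ENROLLED = bytes.fromhex("a5c3f00f1e2d3c4b")
SAME_FINGER_NOISY = bytes.fromhex("a5c3f00f1e2d3c4f")   # one bit of sensor noise
OTHER_FINGER = bytes.fromhex("5a3c0ff0e1d2c3b4")        # every bit differs

KDF_ITERATIONS = 100_000
MAX_BIO_FAILS = 5          # assumed limit for the model; not the real device's number
MATCH_THRESHOLD_BITS = 4   # assumed tolerance for "same finger"


def derive_key(passcode: str, salt: bytes) -> bytes:
    """A passcode is repeated exactly each time, so a KDF yields the same key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS, 32)


def hashes_agree(a: bytes, b: bytes) -> bool:
    """Treating a biometric reading like a password: hash and compare exactly."""
    return hmac.compare_digest(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length readings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def biometric_matches(enrolled: bytes, reading: bytes,
                      max_bits: int = MATCH_THRESHOLD_BITS) -> bool:
    """Biometrics are matched by closeness, which is why the raw template
    (not a one-way hash of it) must be kept somewhere protected."""
    return hamming(enrolled, reading) <= max_bits


class DeviceLock:
    """Data key exists only as a function of the passcode. The biometric path
    can release a cached copy of that key, and only while its failure
    counter is below the limit; a passcode unlock resets the counter."""

    def __init__(self, passcode: str, enrolled: bytes):
        self.salt = secrets.token_bytes(16)
        self._key_check = hashlib.sha256(derive_key(passcode, self.salt)).digest()
        self._cached_key = None        # set only after a successful passcode unlock
        self.enrolled = enrolled
        self.bio_fails = 0

    def unlock_with_passcode(self, passcode: str) -> bool:
        key = derive_key(passcode, self.salt)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._key_check):
            return False
        self._cached_key = key
        self.bio_fails = 0
        return True

    def unlock_with_biometric(self, reading: bytes):
        """Return the data key on a match, None otherwise. Refuses outright
        when no key is cached (fresh boot) or the failure limit was reached."""
        if self._cached_key is None or self.bio_fails >= MAX_BIO_FAILS:
            return None
        if biometric_matches(self.enrolled, reading):
            return self._cached_key
        self.bio_fails += 1
        return None
```

Running it shows the asymmetry directly: `hashes_agree` fails on two readings of the same finger that differ by a single bit, while `biometric_matches` accepts them and rejects the unrelated finger. After `MAX_BIO_FAILS` wrong readings the biometric path refuses even a correct one until the passcode is entered again, which is the fallback the thread describes.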
Actually fingerprints are relatively easy, if painful, to change.

Your point stands, of course.

>If someone steals your fingerprint, you can never change your fingerprint (same with your face).

At what point is stealing a fingerprint, retina print, or face going to be economical enough for the thief that this would be an actual valid concern in 99% of use cases? Both FaceID and TouchID need to read a living person with a pulse in order to authenticate. You can't just take a printout of a fingerprint and drop it in. This is a really heavy lift to try to jack some random person's phone. Unless you're securing State Secrets or occupy rarefied enough heights that you have a Swiss bank account I don't really see anyone bothering.

>and so consumers buy into this and then also use fingerprints to secure things like their bank accounts, work logins, password vaults

Which bank accounts are taking fingerprints? Do you mean people's banking apps on their phones? In order to get to that they would need to steal both your phone AND your fingerprint. If a thief is this enterprising your info is lost anyway. And again, they would need an extremely high fidelity reading of your fingerprint and the ability to reskin a living finger with it. And they would have to execute all this before you get to an Apple Store or a PC to remotely shut it down.

>Then we get yelled at by people from the company because "Apple says fingerprints are the best for security, why aren't you letting us use them?" It's a pain.

This often happens when someone shoves policy down people's throats without explaining themselves or getting buy-in from their clients. This is a communication skills problem, not an issue with biometrics.

> At what point is stealing a fingerprint, retina print, or face going to be economical enough for the thief that this would be an actual valid concern in 99% of use cases?

For the average person who is just securing their phone that only stores pictures of their cat, this isn't a concern, but that's far less than 99%. For pretty much anyone who is logged into their work email/VPN via their phone, or is using fingerprint scanners to secure their work laptop, this is a very real concern that I have seen exploited a few times in the real world.

> Both FaceID and TouchID need to read a living person with a pulse in order to authenticate.

TBD with FaceID, but with TouchID this isn't the case. You can defeat TouchID with $10 worth of office supplies and some play-dough.

> Which bank accounts are taking fingerprints? Do you mean people's banking apps on their phones? In order to get to that they would need to steal both your phone AND your fingerprint.

Since your phone literally has your fingerprint left on it from when you touched it, this isn't really a difficult task.

And as I mentioned, it's even worse if you're one of the people who uses a password manager on your phone that is also locked with fingerprint. Then, every account you have is now compromised. And even if you're using 2FA, your phone is likely your 2FA device, which the thief also has.

> This often happens when someone shoves policy down people's throats without explaining themselves or getting buy-in from their clients. This is a communication skills problem, not an issue with biometrics.

No, it is undeniably an issue with biometrics (and the way they're treated). Training and awareness (communications) is one of the primary problems that any security implementation will try to tackle, but it's just made more difficult to do that when Apple is pushing falsehoods like "TouchID is the most secure thing ever!" in all of their marketing materials.

Biometrics can't be rotated. But they also can't be phished. People have been using "biometrics" to recognize people they trust since the beginning of time, and are pretty rarely fooled. They have also been using passwords since the beginning of time, and have been being compromised since the next day, when someone walked into the enemy camp by accosting a patrolling guard and demanding the password.

The most important factor of authentication protecting a mobile device is just possession of the device. Fingerprint or face unlock adds what so far in practice seems to be a decent layer of security. Eventually I expect that it will be improved a lot by greater situational awareness on the part of the device: you won't just have to steal the phone and fool the 3d camera, but do both without ever letting the phone see, hear, or otherwise sense anything suspicious. Which is probably getting into mission impossible territory in most situations.

But even without that, in practice I think your corporate secrets would be considerably better defended by something like face id and device identity than by, say, a password and a regular old 2fa token that are both easily and simultaneously and remotely compromised by sending the target an email from yourcompany-itdept.com asking them to log in.

> Biometrics can't be rotated. But they also can't be phished.

Sure they can. Haven't you ever seen a cop show where the detective tricks the suspect into drinking from a cup of coffee so they can lift the suspect's fingerprint from the cup?

"Hi John, nice to meet you! * shakes hand *" I now have John's fingerprints from where he touched me when he shook my hand.

"Hey John, can you send me a selfie?" I now have a picture of John's face and possibly his iris.

Hell, I bet it won't be long at all until someone finds a way to use the iPhone X's own "TrueDepth" camera to record a 3D scan of the user's face which can then be used to fool FaceID.

They can't be phished because they aren't secrets. Yes, if you think of a biometric as a password it is an awful password. But it isn't; its primary source of security is the difficulty of presentation. You should not rely on the secrecy of your biometrics.

You probably don't worry very much that your loved ones have been replaced by impostors, and the reason is not that their appearance is secret! It's just that fooling your face, voice and other "biometrics" without making you suspicious would be, depending on the situation, somewhere between technologically impossible and way more expensive than it would be worth.

A secure biometric is one for which spoofing the sensor is as difficult or expensive as compromising the device hardware some other way. I agree with you that touch ID doesn't quite meet this standard, largely because device hardware has gotten much more tamper resistant in recent years! Hopefully face ID will be better. I can easily remember when it seemed absurd that normal consumer devices would ever have a chance of resisting compromise by a sophisticated adversary that had the device in their possession!

> They can't be phished because they aren't secrets.

And here lies the problem. Apple treats them as if they are.

"Your fingerprint is one of the best passwords in the world" - Apple during the keynote when they introduced TouchID[1]

"Your face is now your secure password" - Apple during yesterday's keynote introducing FaceID[2]

1: https://youtu.be/X5zt1V7H88I?t=227

2: https://youtu.be/K4wEI5zhHB0?t=109

Can you please cite sources where Apple marketed TouchId this way? At most Apple was trying to get people to secure their own phones to start with.

Unfortunately I can't find any archives of Apple's website advertising TouchID when it first came out, but as I remember it was touted as "revolutionary, most secure way to protect your phone", etc. Below[1] is the keynote from 2013 when it was announced. At one point the speaker says "Your fingerprint is one of the best passwords in the world." He also says stuff like "this is the most advanced technology ever in an iPhone", refers to TouchID as "very high level of security", etc.

The FaceID marketing is the same. The iPhone X advertisement released today[2] says "your face is now your secure password". The website says "Face ID is so secure you can use it with Apple Pay". During the keynote today they actually even said up until FaceID, TouchID "was the gold standard". About FaceID they said "FaceID is the future of how we will unlock smartphones".

You'll note that nowhere in any of its materials or even in the deep recesses of its website does Apple acknowledge that even though Face/TouchID is great, it's still not as good as a strong passcode. The closest they come is during the keynote they acknowledge "nothing is perfect, not even biometric", but you'll notice that even this statement subtly tries to imply that biometrics is the highest security available ("not even biometrics").

1: https://youtu.be/X5zt1V7H88I?t=227

2: https://youtu.be/K4wEI5zhHB0

>For pretty much anyone who is logged into their work email/VPN via their phone, or is using fingerprint scanners to secure their work laptop, this is a very real concern that I have seen exploited a few times in the real world.

You're conflating every fingerprint scanner with Apple's implementation of TouchID, which is far more secure than the check-the-box-to-win-a-government-contract stuff that's been built into most laptops. If it's that important, use a biometric print AND a PIN. Easy enough no? At least way easier than requiring an absurd password requirement that people wind up writing on a post-it note anyway.

>You can defeat TouchID with $10 worth of office supplies and some play-dough.

And by having a person physically press the correct finger onto your obvious fingerprint-stealing device. . . But if someone has the power to compel you to do that, they have the power to compel you to just put your finger on your phone for them.

>Since your phone literally has your fingerprint left on it from when you touched it, this isn't really a difficult task.

This is even more involved. This involves having to lift the print with a high fidelity scanner and create a latex mold of it. What are you securing on your phone where this is a concern? And what do you think they're going to do when there is a face-scanner or retina scanner? I suppose they could just clone you, wait however many years for the clone to mature, and then use it.

> it's even worse if you're one of the people who uses a password manager on your phone that is also locked with fingerprint.

Maybe if fewer services forced people into using inane and impossible-to-remember passwords and just relied on biometric authentication instead, folks wouldn't need password managers that are so easy to unlock. Not everything needs the level of security of my bank account, and when every service a person interacts with wants to pretend they're a bank or credit card, then it makes people take their bank or credit card's information less seriously than they need to out of sheer fatigue.

Security should be about fostering secure behaviors and culture in your users, not just ramming the most technically secure set of rules at people regardless of the context. That just makes people behave in insecure ways, like what you're talking about, because you haven't bought them into the importance of the big picture.

>it's just made more difficult to do that when Apple is pushing falsehoods like "TouchID is the most secure thing ever!" in all of their marketing materials.

I don't understand how you derived THAT from this:

> Much of our digital lives is stored on our Apple devices, and we recommend that you always use a passcode or password to help protect this important information and your privacy. Using Touch ID on your iPhone, iPad, and MacBook Pro is an easy way to use your fingerprint instead of a password for many common operations.

> You're conflating every fingerprint scanner with the Apple's implementation of TouchID, which is far more secure than the check-the-box-to-win-a-government-contract stuff that's been built into most laptops.

No, I'm not. TouchID is the most popular implementation, and because it's present on every iPhone (which is the most common device to be a work phone, and thus also connected to work email and work networks), and because TouchID is also insecure, thus arises the problem.

> If it's that important, use a biometric print AND a PIN.

This is not possible on the iPhone, and wouldn't solve the problem anyway: consumers are under the false impression that fingerprints are the best security available, and they become frustrated to learn that Apple has been lying to them when corporate IT tells them fingerprints actually suck and they can't use fingerprint locks (or have to use fingerprint + something else) if they also use their phone for work stuff.

> And by having a person physically press the correct finger onto your obvious fingerprint-stealing device. . .k But if someone has the power to compel you to do that, they have the power to compel you to just put your finger on your phone for them.

What? No, you don't. You're just making stuff up now. You can steal someone's fingerprint by simply having access to something they touched, and then you can duplicate it with $10 worth of office supplies.

> This is even more involved. This involves having to lift the print with a high fidelity scanner and create a latex mold of it. What are you securing on your phone where this is a concern?

Network access to a corporate environment that has millions of SSNs, credit card numbers, etc. You think that a few hours of fiddling around with a latex mold is "too much work" for this? Think again.

> Maybe if fewer services forced people into using inane and impossible-to-remember passwords and just relied on biometric authentication instead folks wouldn’t need password managers that are so easy to unlock.

You miss the point. This wouldn't solve the issue at all, and would actually worsen it. Fingerprints are inherently insecure. Using fingerprints for more accounts is, thus, more insecure.

> I don't understand how you derived THAT from this:

I "derived" it from years of experience working as a cybersecurity consultant where at every company someone complains that "Apple says it's secure, so you must be wrong". Watch the keynote. Apple refers to TouchID as "the gold standard", "one of the most powerful passwords in the world", says "it is the most advanced technology", calls it "very high security".

>(which is the most common device to be a work phone, and thus also connected to work email and work networks)

So your VPN isn't adding any extra layer of auth? This doesn't seem like a TouchID problem. . .

This is also a security design problem. You shouldn't be transmitting sensitive information via e-mail. If I want sensitive data stored in your e-mail, I'd start with a phishing attack long before I decide that physically jacking your phone and coming up with a complicated finger-print stealing process is the way to go.

>This is not possible on the iPhone,

To unlock the phone. You can add additional layers after the iPhone auths all you want.

>consumers are under the false impression that fingerprints are the best security available, and they become frustrated to learn that Apple has been lying to them when corporate IT tells them fingerprints actually suck

Heh. If your clients trust Apple's marketing more than their own IT people this again speaks to me of a severe communication problem among the IT people.

>You can steal someone's fingerprint by simply having access to something they touched

Not with high enough resolution to reliably fool TouchID in few enough attempts to keep it from passcode locking you out. Your fixation on worst-case scenarios where your adversaries benefit from multiple passes of blind luck doesn't make for great or realistic risk-assessment.

>Network access to a corporate environment that has millions of SSNs, credit card numbers, etc. You think that a few hours of fiddling around with a latex mold is "too much work" for this? Think again.

And you're not monitoring for suspicious activity or any additional access control on a data source that has all that sensitive information? You're just letting people mosey on into it with just their phones without so much as a warning flag going up somewhere?

>Fingerprints are inherently insecure. Using fingerprints for more accounts is, thus, more insecure.

This is both highly simplistic and wrong. For one thing, passwords are also inherently insecure, especially when people write them on sticky notes and put them under their monitors. Secondly, not all accounts need maximal security. Not all activities within an account need to give people access to the maximal extent of their privileges. Insisting on going all out on every single thing people try to do fosters insecure habits and insecure system design. You're making the problem worse.

>Apple refers to TouchID as "the gold standard", "one of the most powerful passwords in the world", says "it is the most advanced technology", calls it "very high security".

None of which is false for the use cases they're talking about. You're talking about access to sensitive PII, which Apple did not tell you to gate behind TouchID. I also have years of experience in Infosec and setting the record straight on things takes all of 30 seconds of explanation and taking the time to understand their business context. All it takes is to not treat your clients with contempt.

> Unless you're securing State Secrets or occupy rarefied enough heights that you have a Swiss bank account I don't really see anyone bothering.

You're vastly underestimating how valuable access to a person's phone can be. It's not just about quickly wiring money or stealing state secrets but also about building blocks for social engineering campaigns, ad/app fraud, extortion and all sorts of different things.

And the petty thief who steals your phone doesn't need to have the tools to spoof the biometrics. There just needs to be some criminal organization that does and that's willing to pay petty thieves for stolen phones.

>And the petty thief who steals your phone doesn't need to have the tools to spoof the biometrics. There just needs to be some criminal organization that does and that's willing to pay petty thieves for stolen phones.

And have a pipeline that can buy and move stolen phones fast enough to crack them before the owners can remotely wipe them.

Amazon would kill for that kind of logistical capacity.

I get that all of this is valid in theory, but has there been even one single case of a thief, criminal or law enforcement organization actually using biometric data to unlock a phone?

Obviously past events are no guarantee of future, but still — most advisories like this frankly come across as fearmongering.