[naravara]

>If someone steals your fingerprint, you can never change your fingerprint (same with your face).

At what point is stealing a fingerprint, retina print, or face going to be economical enough for the thief that this would be an actual valid concern in 99% of use cases? Both FaceID and TouchID need to read a living person with a pulse in order to authenticate. You can't just take a printout of a fingerprint and drop it in. This is a really heavy lift to try to jack some random person's phone. Unless you're securing State Secrets or occupy rarefied enough heights that you have a Swiss bank account I don't really see anyone bothering.

>and so consumers buy into this and then also use fingerprints to secure things like their bank accounts, work logins, password vaults

Which bank accounts are taking fingerprints? Do you mean people's banking apps on their phones? In order to get to that they would need to steal both your phone AND your fingerprint. If a thief is this enterprising your info. is lost anyway. And again, they would need an extremely high fidelity reading of your fingerprint and the ability to reskin a living finger with it. And they would have to execute all this before you get to an Apple Store or a PC to remotely shut it down.

>Then we get yelled at by people from the company because "Apple says fingerprints are the best for security, why aren't you letting us use them?" It's a pain.

This often happens when someone shoves policy down people's throats without explaining themselves or getting buy-in from their clients. This is a communication skills problem, not an issue with biometrics.

[bodz]

> At what point is stealing a fingerprint, retina print, or face going to be economical enough for the thief that this would be an actual valid concern in 99% of use cases?

For the average person who is just securing their phone that only stores pictures of their cat, this isn't a concern, but that's far less than 99%. For pretty much anyone who is logged into their work email/VPN via their phone, or is using fingerprint scanners to secure their work laptop, this is a very real concern that I have seen exploited a few times in the real world.

> Both FaceID and TouchID need to read a living person with a pulse in order to authenticate.

TBD with FaceID, but with TouchID this isn't the case. You can defeat TouchID with $10 worth of office supplies and some play-dough.

> Which bank accounts are taking fingerprints? Do you mean people's banking apps on their phones? In order to get to that they would need to steal both your phone AND your fingerprint.

Since your phone literally has your fingerprint left on it from when you touched it, this isn't really a difficult task.

And as I mentioned, it's even worse if you're one of the people who uses a password manager on your phone that is also locked with fingerprint. Then, every account you have is now compromised. And even if you're using 2FA, your phone is likely your 2FA device, which the thief also has.

> This often happens when someone shoves policy down people's throats without explaining themselves or getting buy-in from their clients. This is a communication skills problem, not an issue with biometrics.

No, it is undeniably an issue with biometrics (and the way they're treated). Training and awareness (communications) is one of the primary problems that any security implementation will try to tackle, but it's just made more difficult to do that when Apple is pushing falsehoods like "TouchID is the most secure thing ever!" in all of their marketing materials.

[voidmain]

Biometrics can't be rotated. But they also can't be phished. People have been using "biometrics" to recognize people they trust since the beginning of time, and are pretty rarely fooled. They have also been using passwords since the beginning of time, and have been being compromised since the next day, when someone walked into the enemy camp by accosting a patrolling guard and demanding the password.

The most important factor of authentication protecting a mobile device is just possession of the device. Fingerprint or face unlock adds what so far in practice seems to be a decent layer of security. Eventually I expect that it will be improved a lot by greater situational awareness on the part of the device: you won't just have to steal the phone and fool the 3d camera, but do both without ever letting the phone see, hear, or otherwise sense anything suspicious. Which is probably getting into mission impossible territory in most situations.

But even without that, in practice I think your corporate secrets would be considerably better defended by something like face id and device identity than by, say, a password and a regular old 2fa token that are both easily and simultaneously and remotely compromised by sending the target an email from yourcompany-itdept.com asking them to log in.

[bodz]

> Biometrics can't be rotated. But they also can't be phished.

Sure they can. Haven't you ever seen a cop show where the detective tricks the suspect into drinking from a cup of coffee so they can lift the suspect's fingerprint from the cup?

"Hi John, nice to meet you! * shakes hand *" I now have John's fingerprints from where he touched me when he shook my hand.

"Hey John, can you send me a selfie?" I now have a picture of John's face and possibly his iris.

Hell, I bet it won't be long at all until someone finds a way to use the iPhone X's own "TrueDepth" camera to record a 3D scan of the user's face which can then be used to fool FaceID.

[voidmain]

They can't be phished because they aren't secrets. Yes, if you think of a biometric as a password it is an awful password. But it isn't; its primary source of security is the difficulty of presentation. You should not rely on the secrecy of your biometrics.

You probably don't worry very much that your loved ones have been replaced by impostors, and the reason is not that their appearance is secret! It's just that fooling your face, voice and other "biometrics" without making you suspicious would be, depending on the situation, somewhere between technologically impossible and way more expensive than it would be worth.

A secure biometric is one for which spoofing the sensor is as difficult or expensive as compromising the device hardware some other way. I agree with you that touch ID doesn't quite meet this standard, largely because device hardware has gotten much more tamper resistant in recent years! Hopefully face ID will be better. I can easily remember when it seemed absurd that normal consumer devices would ever have a chance of resisting compromise by a sophisticated adversary that had the device in their possession!

[bodz]

> They can't be phished because they aren't secrets.

And here lies the problem. Apple treats them as if they are.

"Your fingerprint is one of the best passwords in the world" - Apple during the keynote when they introduced TouchID[1]

"Your face is now your secure password" - Apple during yesterday's keynote introducing FaceID[2]

1: https://youtu.be/X5zt1V7H88I?t=227

2: https://youtu.be/K4wEI5zhHB0?t=109

[voidmain]

I wouldn't have put it that way, but the claim Apple is making (in baby talk) is that these are good authenticators, not that they are good secrets. I don't think the average person in their audience has a strong reason to understand the difference. If people were used to biometrics and you tried to get them using passwords, then it would be critical to explain the difference (if you tell the wrong person your password, it loses all its security!)

The mistakes you can make by misunderstanding biometrics seem like more of a problem for system designers, who hopefully don't get their whole understanding of security from Apple keynotes.

[wmccullough]

Can you please cite sources where Apple marketed TouchId this way? At most Apple was trying to get people to secure their own phones to start with.

[bodz]

Unfortunately I can't find any archives of Apple's website advertising TouchID when it first came out, but as I remember it was touted as "revolutionary, most secure way to protect your phone", etc. Below[1] is the keynote from 2013 when it was announced. At one point the speaker says "Your fingerprint is one of the best passwords in the world." He also says stuff like "this is the most advanced technology ever in an iPhone", refers to TouchID as "very high level of security", etc.

The FaceID marketing is the same. The iPhone X advertisement released today[2] says "your face is now your secure password". The website says "Face ID is so secure you can use it with Apple Pay". During the keynote today they actually even said up until FaceID, TouchID "was the gold standard". About FaceID they said "FaceID is the future of how we will unlock smartphones".

You'll note that nowhere in any of it's materials or even in the deep recesses of it's website does Apple acknowledge that even though Face/TouchID is great, it's still not as good as a strong passcode. The closest they come is during the key note they acknowledge "nothing is perfect, not even biometric", but you'll notice that even this statement subtly tries to imply that biometrics is the highest security available ("not even biometrics").

1: https://youtu.be/X5zt1V7H88I?t=227 2: https://youtu.be/K4wEI5zhHB0

[naravara]

>For pretty much anyone who is logged into their work email/VPN via their phone, or is using fingerprint scanners to secure their work laptop, this is a very real concern that I have seen exploited a few times in the real world.

You're conflating every fingerprint scanner with the Apple's implementation of TouchID, which is far more secure than the check-the-box-to-win-a-government-contract stuff that's been built into most laptops. If it's that important, use a biometric print AND a PIN. Easy enough no? At least way easier than requiring an absurd password requirement that people wind up writing into a post-it-note anyway.

>You can defeat TouchID with $10 worth of office supplies and some play-dough.

And by having a person physically press the correct finger onto your obvious fingerprint-stealing device. . .k But if someone has the power to compel you to do that, they have the power to compel you to just put your finger on your phone for them.

>Since your phone literally has your fingerprint left on it from when you touched it, this isn't really a difficult task.

This is even more involved. This involves having to lift the print with a high fidelity scanner and create a latex mold of it. What are you securing on your phone where this is a concern? And what do you think they're going to do when there is a face-scanner or retina scanner? I suppose they could just clone you, wait however many years for the clone to mature, and then use it.

> it's even worse if you're one of the people who uses a password manager on your phone that is also locked with fingerprint.

Maybe if fewer services forced people into using inane and impossible-to-remember passwords and just relied on biometric authentication instead folks wouldn’t need password managers that are so easy to unlock. Not everything needs the level of security of my bank-account, and when ever service a person interacts with wants to pretend they're a bank or credit card then it makes people take their bank or credit card's information less seriously than they need to out of sheer fatigue.

Security should be about fostering secure behaviors and culture in your users, not just ramming the most technically secure set of rules at people regardless of the context. That just makes people behave in insecure ways, like what you're talking about, because you haven't bought them into the importance of the big picture.

>it's just made more difficult to do that when Apple is pushing falsehoods like "TouchID is the most secure thing ever!" in all of their marketing materials.

I don't understand how you derived THAT from this: >Much of our digital lives is stored on our Apple devices, <b>and we recommend that you always use a passcode or password to help protect this important information and your privacy. Using Touch ID on your iPhone, iPad, and MacBook Pro is an easy way to use your fingerprint instead of a password for many common operations.</b>

[bodz]

> You're conflating every fingerprint scanner with the Apple's implementation of TouchID, which is far more secure than the check-the-box-to-win-a-government-contract stuff that's been built into most laptops.

No, I'm not. TouchID is the most popular implementation, and because it's present on every iPhone (which is the most common device to be a work phone, and thus also connected to work email and work networks), and because TouchID is also insecure, thus arises the problem.

> If it's that important, use a biometric print AND a PIN.

This is not possible on the iPhone, and wouldn't solve the problem anyway: consumers are under the false impression that fingerprints are the best security available, and they become frustrated to learn that Apple has been lying to them when corporate IT tells them fingerprints actually suck and they can't use fingerprint locks (or have to use fingerprint + something else) if they also use their phone for work stuff.

> And by having a person physically press the correct finger onto your obvious fingerprint-stealing device. . .k But if someone has the power to compel you to do that, they have the power to compel you to just put your finger on your phone for them.

What? No, you don't. You're just making stuff up now. You can steal someone's fingerprint by simply having access to something they touched, and then you can duplicate it with $10 worth of office supplies.

> This is even more involved. This involves having to lift the print with a high fidelity scanner and create a latex mold of it. What are you securing on your phone where this is a concern?

Network access to a corporate environment that has millions of SSNs, credit card numbers, etc. You think that a few hours of fiddling around with a latex mold is "too much work" for this? Think again.

> Maybe if fewer services forced people into using inane and impossible-to-remember passwords and just relied on biometric authentication instead folks wouldn’t need password managers that are so easy to unlock.

You miss the point. This wouldn't solve the issue at all, and would actually worsen it. Fingerprints are inherently insecure. Using fingerprints for more accounts is, thus, more insecure.

> I don't understand how you derived THAT from this:

I "derived" it from years of experience working as a cybersecurity consultant where at every company someone complains that "Apple says it's secure, so you must be wrong". Watch the keynote. Apple refers to TouchID as "the gold standard", "one of the most powerful passwords in the world", says "it is the most advanced technology", calls it "very high security".

[naravara]

>(which is the most common device to be a work phone, and thus also connected to work email and work networks)

So your VPN isn't adding any extra layer of auth? This doesn't seem like a TouchID problem. . .

This is also a security design problem. You shouldn't be transmitting sensitive information via e-mail. If I want sensitive data stored in your e-mail, I'd start with a phishing attack long before I decide that physically jacking your phone and coming up with a complicated finger-print stealing process is the way to go.

>This is not possible on the iPhone,

To unlock the phone. You can add addition layers after the iPhone auths all you want.

>consumers are under the false impression that fingerprints are the best security available, and they become frustrated to learn that Apple has been lying to them when corporate IT tells them fingerprints actually suck

Heh. If your clients trust Apple's marketing more than their own IT people this again speaks to me of a severe communication problem among the IT people.

>You can steal someone's fingerprint by simply having access to something they touched

Not with high enough resolution to reliably fool TouchID in few enough attempts to keep it from passcode locking you out. You're fixation on worst-case scenarios where your adversaries benefit from multiple passes of blind luck doesn't make for great or realistic risk-assessment.

>Network access to a corporate environment that has millions of SSNs, credit card numbers, etc. You think that a few hours of fiddling around with a latex mold is "too much work" for this? Think again.

And you're not monitoring for suspicious activity or any additional access control on a data source that has all that sensitive information? You're just letting people mosey on into it with just their phones without so much as a warning flag going up somewhere?

>Fingerprints are inherently insecure. Using fingerprints for more accounts is, thus, more insecure.

This is both highly simplistic and wrong. For one thing, passwords are also inherently insecure, especially when people write them on sticky notes and put them under their monitors. Secondly, not all accounts need maximal security. Not all activities within an account need to give people access to the maximal extent of their privileges. Insisting on going all out on every single thing people try to do fosters insecure habits and insecure system design. You're making the problem worse.

>Apple refers to TouchID as "the gold standard", "one of the most powerful passwords in the world", says "it is the most advanced technology", calls it "very high security".

None of which is false for the use cases they're talking about. You're talking about access to sensitive PII, which Apple did not tell you to gate behind TouchID. I also have years of experience in Infosec and setting the record straight on things takes all of 30 seconds of explanation and taking the time to understand their business context. All it takes is to not treat your clients with contempt.

[skewart]

> Unless you're securing State Secrets or occupy rarefied enough heights that you have a Swiss bank account I don't really see anyone bothering.

You're vastly underestimating how valuable access to a person's phone can be. It's not just about quickly wiring money or stealing state secrets but also about building blocks for social engineering campaigns, ad/app fraud, extorsion and all sorts of different things.

And the petty thief who steals your phone doesn't need to have the tools to spoof the biometrics. There just needs to be some criminal organization that does and that's willing to pay petty thieves for stolen phones.

[naravara]

>And the petty thief who steals your phone doesn't need to have the tools to spoof the biometrics. There just needs to be some criminal organization that does and that's willing to pay petty thieves for stolen phones.

And have a pipeline that can buy and move stolen phones fast enough to crack them before the owners can remotely wipe them.

Amazon would kill for that kind of logistical capacity.

[jakelazaroff]

I get that all of this is valid in theory, but has there been even one single case of a thief, criminal or law enforcement organization actually using biometric data to unlock a phone?

Obviously past events are no guarantee of future, but still — most advisories like this frankly come across as fearmongering.