by alexhornbake 3204 days ago
I think it's a common argument for people who think biometrics are a bad idea for security.

I.e. you can change your password, you can't change your thumb/face/biometric (easily).

At best, a fingerprint establishes identity, therefore it has more in common with a username, drivers license, social security number, etc. than it has in common with a password.


The problem is these people are thinking in terms of absolute security.

Ideally you have a user name, a password, some sort of 2FA and also biometrics.

But the alternative for iPhones was leaving them without even a PIN because entering a 4 digit numeric pin was too much hassle for most people... so Apple lowered the bar and increased security with biometrics.

They are trying to do it again.

If you want ultimate security, then you can have a very long alphanumeric password and turn off Touch ID and Face ID.

Honestly, a biometric used solely on a device in your possession is not that bad. It is not being transmitted or stored remotely, which would be worse. But it would have been better if it were not a biometric that was being left everywhere.
> At best, a fingerprint establishes identity

Nope. At best a fingerprint establishes identity in a unique and authoritative manner. My name is an identity, and anyone can say or write my name. My SSN is an identity, and anyone can say or write my SSN. No one else can speak, type, write, or otherwise express my fingerprint. That is far beyond simple "identity".

> No one else can speak, type, write, or otherwise express my fingerprint.

Neither can you. You can only show your fingerprint for inspection - and so can anyone else.

And, unlike SSN or even your name, you leak fingerprints (and facial info) everywhere, all the time.

> Neither can you.

That's the point. It's not something I know, it's something I am and only I am that thing.

And unlike a password, if you want my fingerprint you have to be physically near me, and if you want to authenticate as me you need my authentication hardware. A Brazilian hacker isn't going to unlock my iPhone without first flying to the US and then locating me in both space and time to gain access to my fingerprint and my phone simultaneously. But with a password, they could easily go to www.gmail.com and type whatever they want from the comfort of their own home.
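Two comments above describe the same pattern from different angles: the earlier one notes that a biometric "used solely on a device in your possession" is never transmitted or stored remotely, and this one notes that an attacker needs the print and the owner's hardware at the same time. The following is an added example, not code from any of the commenters or from Apple, that models that pattern: the template and a device-bound key stay in a `Device` object, the `Server` only ever sees a challenge and a keyed response, and four scenarios show what passes and what fails. The class names, the toy tuple-of-features "fingerprint" with a distance match, and the use of an HMAC shared secret in place of a public key in a secure element are all simplifying assumptions made here so the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed toy: a "fingerprint" is a tuple of integer feature values and a
# match is a per-feature distance check. Real matchers are far more involved;
# the point here is only where the data lives and what crosses the network.
TOLERANCE = 2


class Device:
    """The phone. Biometric template and device key never leave this object."""

    def __init__(self):
        self.template = None
        self.device_key = None

    def enroll(self, sample):
        self.template = tuple(sample)
        self.device_key = secrets.token_bytes(32)
        # Assumption for this example: a shared secret is registered with the
        # server. A real deployment registers a public key and keeps the private
        # half in a secure element; the data-flow argument is the same.
        return self.device_key

    def local_match(self, sample):
        if self.template is None or len(sample) != len(self.template):
            return False
        return all(abs(a - b) <= TOLERANCE for a, b in zip(self.template, sample))

    def answer_challenge(self, sample, challenge):
        # The biometric only gates use of the device key; it is never sent.
        if not self.local_match(sample):
            return None
        return hmac.new(self.device_key, challenge, hashlib.sha256).digest()


class Server:
    """Remote service. It holds device keys, never biometric data."""

    def __init__(self):
        self.keys = {}

    def register(self, user, device_key):
        self.keys[user] = device_key

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, user, challenge, response):
        if response is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios():
    """Run the four scenarios and return which of them authenticate as alice."""
    server = Server()
    phone = Device()
    my_print = (10, 20, 30, 40)        # constructed enrolment scan
    my_print_again = (11, 19, 30, 41)  # same finger, slightly different scan
    other_print = (50, 20, 30, 40)     # a different finger
    forged_print = (10, 21, 29, 40)    # a lifted copy good enough to match
    server.register("alice", phone.enroll(my_print))

    results = {}

    # Genuine owner, own phone, fresh challenge.
    c1 = server.challenge()
    r1 = phone.answer_challenge(my_print_again, c1)
    results["owner_on_own_phone"] = server.verify("alice", c1, r1)

    # Stolen phone, but the thief's own finger: local match fails, no response.
    c2 = server.challenge()
    r2 = phone.answer_challenge(other_print, c2)
    results["other_finger_on_phone"] = server.verify("alice", c2, r2)

    # Lifted print but no phone: nothing to sign with, so the attacker can
    # only replay an earlier response against a fresh challenge.
    c3 = server.challenge()
    results["lifted_print_replay"] = server.verify("alice", c3, r1)

    # Lifted print AND the owner's phone: this is the attack that works, which
    # is why the comment stresses needing both "simultaneously".
    c4 = server.challenge()
    r4 = phone.answer_challenge(forged_print, c4)
    results["forged_print_on_stolen_phone"] = server.verify("alice", c4, r4)

    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

Note what the server can and cannot leak: a breach of `Server.keys` exposes per-device keys that can be rotated, not a template derived from anyone's finger. The fourth scenario is the honest limit of the design: a good enough forgery presented to the real device is indistinguishable from the owner, so the biometric's security rests entirely on the attacker also having to obtain the hardware.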

There is no identity without authentication. A fingerprint gives a little bit of weak authentication, in the clear, easily observed, easily forged, and irrevocable -- as bad as it gets.