[throwawayReply]

Fingerprints are usernames, not passwords (2013): http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...

edit: The original headline before being changed, "Web standard brings password-free sign-ins to virtually any site", and contained a paragraph espousing fingerprints in place of passwords.

[Spivak]

This meme needs to die. Fingerprints are a perfectly fine authentication factor. They are unique enough and require effort to fake.

Consider a simple fingerprint USB vault which stores your keys:

* Factor 1: You must have physical possession of my vault.

* Factor 2: You must be me or have a convincing fake of my fingerprint.

Before we even think about a password I've already prevented almost all of the attacks I'm likely to ever encounter against my accounts.

* I have made it impossible for someone to casually break into my accounts/device.

* I've created enormous distance between myself and remote attackers.

* I've eliminated password reuse and contained the effect of data breaches to the service that was breached.

* I've made it much more difficult for network operators to carry out MitM attacks since tokens are origin bound and the challenges are real-time with replay protection.

Yes in a forum of nerds you can point out that lifting fingerprints is possible but if everyone switched to this simple U2F device the world would be far far more secure. Passwords optional.

Then if you're worried about a more sophisticated attackers like corporate espionage or governments you can add a password.

[um_ya]

The difference is you leave your password everywhere you go. Doesn't matter how unique it is, if I leave a sticky note with a password everywhere I touch, then it's not very good security.

[robotrout]

Fingerprints are also not that reliable. Some gun safes that use fingerprints are notorious for opening too easily with wrong fingerprints. On the other end of the spectrum, India is struggling with their fingerprint authentication system, as the system fails to recognize the fingerprints on file. [1]

[1] https://scroll.in/article/857274/now-even-the-fingerprints-o...

[imron]

> The difference is you leave your password everywhere you go.

And you can't easily change them.

[r00fus]

If you have something as sophisticated as TouchID, it's actually hard to replicate a valid print. CCC did it in a lab situation (wine glass + latex paint), how is a smear on a tabletop or mug going to be retrievable for a sophisticated scanner?

[mclehman]

If I recall correctly, someone was able to fool TouchID a few years ago using a fake print created purely from pictures of a German government official.

[acdha]

That was impressive but it's still something of an edge case: he used it to register & unlock a phone but did not unlock her phone and it sounds like it required a photograph taken a few feet away at a press conference using a big lens:

https://www.youtube.com/watch?annotation_id=annotation_26842...

I think for most people convenience remains a win over the marginal increase in risk — someone who can get that close to you can also use a hidden camera/drone to watch you enter a password, steal your wallet/bag with two-factor codes, etc.

[r00fus]

Given that YT link ist im Deutsch I'm going to pass on decyphering it.

How does registering and unlocking another phone show that it would work on her phone?

I really don't think TouchID is at all riskier than even a 6-digit passcode. I really still wish Apple allowed multi-factor unlocking though.

[r00fus]

I recall it was not TouchID that was fooled, but Starbug just copied her fingerprint via photos [1].

I don't remember how/if it was demonstrated that the fingerprint was a useful copy in any way (and certainly not on that official's iPhone).

https://www.theguardian.com/technology/2014/dec/30/hacker-fa...

[hughes]

Additionally, phones that have biometric features first require a PIN to be turned on or unlocked after a period of time.

So you really have Factor 3: You must have the password to power on the fingerprint reader.

The fingerprint isn't being used as the password.

[thisacctforreal]

Well, most phones since the 5s yes.

[xorcist]

> require effort to fake

Only because you have to lift and then manufacture them from scratch from glue and silicone and stuff. If someone automated the process it would require little to no effort. In theory it would be possible to manufacture a device that could present any given fingerprint when scanned with a popular scanner. You leave them everywhere, even on the scanner itself.

It is also a limitation of biometrics that you can only use them once. It might make sense for a phone, but after you have given Google your fingerprints, they can in turn use them for other purposes. It's like reusing a password that's also tricky to rotate.

[emlun]

That's the nice thing about webauthn biometrics, though: the biometric data is never sent to the server. The test is done locally, and the server can trust it by verifying a cryptographic attestation of the authenticator's capabilities. And on the flip side, the user can opt in to biometric authentication even if the server does not require or care about it.

[bdhess]

Both of your factors boil down to the physical presence of two things that will usually be in close proximity to each other. Is it really fair to consider that “two-factor”?

Both your fingerprints and the vault can be taken from your person without your consent; a password much less easily.

[UncleMeat]

If somebody has the ability to force me to give up my fingerprints, I am also going to give them my password. Hard to say no to somebody with a gun.

[Sir_Cmpwn]

The adversary under consideration is more likely the courts.

[wbl]

You leave latents all over the place.

[shakna]

I semi-regularly have my fingerprint distorted by cuts and burns to the point where they can't be identified by a scanner.

You can't replace passwords with fingerprints, as you still need a backup to update said system.

[syshum]

> They are unique enough

You know this how? There has not actually been in real studies done, and the FBI and Law Enforcement resist any efforts to do studies on how Unique Fingerprints really are.

It is the bedrock of criminal prosecution many centuries, but they do not want any public analysis into how many people share similar prints..

Print Reading, even by a computer, is more of an art form, a massive guess, than it is a science.

[zaarn]

Fingerprints are IMO fine for reoccurring logins. I set my phone to require my password on first boot but while it's running a fingerprint is good enough.

Same could go for websites. A simple biometric factor like fingerprints is easy and friction free enough to log in users on previously seen devices. My password can then also be much longer and the website can impose stricter rules (longer passwords, no breached passwords, etc.) without increasing user friction that much either since most people will probably only log in from 4 devices at most (desktop, phone, tablet and some library computer)

[Ajedi32]

The fingerprint is just to authenticate to your local device. So an attacker with access to your fingerprint can't get at your account without also having your phone (which stores the private key _actually_ used for remote authentication in secure, tamper-resistant hardware).

[nodesocket]

Forgive me ignorance, but wouldn't backends needs to store a "hash" of your fingerprint to validate? This essentially means a single giant password.

[throwawayReply]

1. A fingerprint is something you cannot change, cannot revoke if leaked and cannot be unique across different sites.

2. A fingerprint hash isn't a cryptographic hash because you need to be able to match to nearby matches. A small variation in input needs to have a small variation in the hash so a distance function can be applied.

Those are terrible properties for a password.

[dspillett]

> A fingerprint is something you cannot change

Many builders/carpenters/etc will tell you this is not true. People who work in abrasive environments sometimes without proper protection often temporarily have no fingerprints as they are "warn off".

Many injuries can effectively modify or remove the too, at least temporarily.

This makes them bad usernames as well as bad passwords.

[gfo]

> People who work in abrasive environments sometimes without proper protection often temporarily have no fingerprints as they are "warn off".

Do they come back in the same form as they previously were?

[marzell]

Either way, this is a terrible argument toward good security. "Oh, someone got a copy of your fingerprint? No problem! There's a belt sander right over there!"

[underbluewaters]

This is a sore point with the new iphones for me. It happens at least once a week with routine hobby-farm work. I'm really looking forward to getting faceid.

[Tharkun]

Interesting. I wonder if anyone has studied what it would take to render fingerprints useless? Like N minutes/day of sanding with Y grit sandpaper?

Additionally, I was under the impression that some fingerprint readers looked at the blood vessels rather than the actual prints. Not sure how that would be affected by abrasion. Perhaps this is a misunderstanding on my end.

[cpeterso]

An example that can affect many people: my iPhone can't read my fingerprint when I'm sweating at the gym.

[andrewstuart2]

IMO, you don't even need any arguments beyond #1. Your fingerprint can't be changed and it's public information. You leave traces/copies of it everywhere you go. Just because it's more difficult to read now doesn't mean that technology won't make lifting and reusing your oily prints trivial someday.

Would you create a rubber stamp of your passwords, slather it with oil, and then go around stamping it on everything you own and everywhere you go?

[ng-user]

This is the current case with SSN's in North America. A unique identifier being treated as a password cannot act as a password.

[paulcole]

But you have 10 of them (20 counting toes). Why can't you just cycle through them as needed?

[paulie_a]

"Press your toe here" has to be some of the worst ux ever

[estebank]

I see that you haven't used git.

[todd8]

You can just keep your socks on to protect your login toeprint when not in use.

[volkk]

furthermore, you can combine your fingers/toes in specific unique combinations. it's foolproof

[neolefty]

I like it. Two factors in one! Even allows panic passwords.

[eafkuor]

And let's not forget that some people don't have fingerprints

[emlun]

No, in webauthn they don't, because the biometric data is never sent to the server. The test is done locally, and the server can trust it (if it cares) by verifying a cryptographic attestation of the authenticator's capabilities. All that's sent to the server is a public key and a private key signature.

[specialist]

How do two parties mutually verify, authenticate each other online?

I'm struggling to remember the protocol from a sci-fi novel where two secret agents who (separately) had their minds transferred to new meat sacks reconnected in a new (hostile) environment.

I think it had three parts: What you have, what you know, what you are.

[u801e]

> How do two parties mutually verify, authenticate each other online?

We verify the server's identity though it's public certificate that's signed by a certificate authority. The server can verify the client's identity via a public client certificate that's signed by an authority the server trusts. It's already possible to do this over a TLS connection.

[specialist]

Sorry, I wasn't being clear.

If the finger print is what you are, and password is what you know, then what is the "what you have"?

Mostly I'm curious if that sci-fi books' "three factor auth" scheme (because I don't know what else to call it) is a feasible model.

[u801e]

> If the finger print is what you are, and password is what you know, then what is the "what you have"?

One possible form of "three factor auth" would be to use a passphrase for the private key, the client certificate to connect with the server over TLS, and a username/password login at the application level.

The certificate/certificate fingerprint is what you have, the password and passphrase are two things that you know. I don't know what would fit under the "what you are" category though (unless you're considering some sort of biometric based method).

[tialaramex]

Two humans who know each other can use the Socialist Millionaire's Protocol, this does some fancy mathematics to prove they were both thinking of the same number (for Bill and Ted this would be "69, dude") and of course we can encode any answer e.g. "Sarah", "Washington", "Lakers Game Six" as a large number trivially. The SMP would be weak if you could iterate it many times, but it's for humans, after "Ted" guesses 4, 19, and 22, Bill will stop asking and assume it's not Ted at the far end.

A machine can obtain Certificates from a CA which show the CA validated its identity, and use Public Key Cryptography to prove this is its certificate. This is how HTTPS works when you connect to a remote web site, but it can be mutually authenticated too, that's just not how web browsers use it.