[Spivak]

This meme needs to die. Fingerprints are a perfectly fine authentication factor. They are unique enough and require effort to fake.

Consider a simple fingerprint USB vault which stores your keys:

* Factor 1: You must have physical possession of my vault.

* Factor 2: You must be me or have a convincing fake of my fingerprint.

Before we even think about a password I've already prevented almost all of the attacks I'm likely to ever encounter against my accounts.

* I have made it impossible for someone to casually break into my accounts/device.

* I've created enormous distance between myself and remote attackers.

* I've eliminated password reuse and contained the effect of data breaches to the service that was breached.

* I've made it much more difficult for network operators to carry out MitM attacks since tokens are origin bound and the challenges are real-time with replay protection.

Yes in a forum of nerds you can point out that lifting fingerprints is possible but if everyone switched to this simple U2F device the world would be far far more secure. Passwords optional.

Then if you're worried about a more sophisticated attackers like corporate espionage or governments you can add a password.

[um_ya]

The difference is you leave your password everywhere you go. Doesn't matter how unique it is, if I leave a sticky note with a password everywhere I touch, then it's not very good security.

[robotrout]

Fingerprints are also not that reliable. Some gun safes that use fingerprints are notorious for opening too easily with wrong fingerprints. On the other end of the spectrum, India is struggling with their fingerprint authentication system, as the system fails to recognize the fingerprints on file. [1]

[1] https://scroll.in/article/857274/now-even-the-fingerprints-o...

[imron]

> The difference is you leave your password everywhere you go.

And you can't easily change them.

[r00fus]

If you have something as sophisticated as TouchID, it's actually hard to replicate a valid print. CCC did it in a lab situation (wine glass + latex paint), how is a smear on a tabletop or mug going to be retrievable for a sophisticated scanner?

[mclehman]

If I recall correctly, someone was able to fool TouchID a few years ago using a fake print created purely from pictures of a German government official.

[acdha]

That was impressive but it's still something of an edge case: he used it to register & unlock a phone but did not unlock her phone and it sounds like it required a photograph taken a few feet away at a press conference using a big lens:

https://www.youtube.com/watch?annotation_id=annotation_26842...

I think for most people convenience remains a win over the marginal increase in risk — someone who can get that close to you can also use a hidden camera/drone to watch you enter a password, steal your wallet/bag with two-factor codes, etc.

[r00fus]

Given that YT link ist im Deutsch I'm going to pass on decyphering it.

How does registering and unlocking another phone show that it would work on her phone?

I really don't think TouchID is at all riskier than even a 6-digit passcode. I really still wish Apple allowed multi-factor unlocking though.

[acdha]

That’s the English translation but, yes, recovering a fingerprint which can be used to unlock a test device doesn’t show it can replace the original. It’s prudent to assume that the attacks will get better but I think this really highlights the difference between broad and targeted attacks since so many people are better off with the fingerprint unlock.

[r00fus]

I recall it was not TouchID that was fooled, but Starbug just copied her fingerprint via photos [1].

I don't remember how/if it was demonstrated that the fingerprint was a useful copy in any way (and certainly not on that official's iPhone).

https://www.theguardian.com/technology/2014/dec/30/hacker-fa...

[hughes]

Additionally, phones that have biometric features first require a PIN to be turned on or unlocked after a period of time.

So you really have Factor 3: You must have the password to power on the fingerprint reader.

The fingerprint isn't being used as the password.

[thisacctforreal]

Well, most phones since the 5s yes.

[xorcist]

> require effort to fake

Only because you have to lift and then manufacture them from scratch from glue and silicone and stuff. If someone automated the process it would require little to no effort. In theory it would be possible to manufacture a device that could present any given fingerprint when scanned with a popular scanner. You leave them everywhere, even on the scanner itself.

It is also a limitation of biometrics that you can only use them once. It might make sense for a phone, but after you have given Google your fingerprints, they can in turn use them for other purposes. It's like reusing a password that's also tricky to rotate.

[emlun]

That's the nice thing about webauthn biometrics, though: the biometric data is never sent to the server. The test is done locally, and the server can trust it by verifying a cryptographic attestation of the authenticator's capabilities. And on the flip side, the user can opt in to biometric authentication even if the server does not require or care about it.

[bdhess]

Both of your factors boil down to the physical presence of two things that will usually be in close proximity to each other. Is it really fair to consider that “two-factor”?

Both your fingerprints and the vault can be taken from your person without your consent; a password much less easily.

[UncleMeat]

If somebody has the ability to force me to give up my fingerprints, I am also going to give them my password. Hard to say no to somebody with a gun.

[Sir_Cmpwn]

The adversary under consideration is more likely the courts.

[wbl]

You leave latents all over the place.

[shakna]

I semi-regularly have my fingerprint distorted by cuts and burns to the point where they can't be identified by a scanner.

You can't replace passwords with fingerprints, as you still need a backup to update said system.

[syshum]

> They are unique enough

You know this how? There has not actually been in real studies done, and the FBI and Law Enforcement resist any efforts to do studies on how Unique Fingerprints really are.

It is the bedrock of criminal prosecution many centuries, but they do not want any public analysis into how many people share similar prints..

Print Reading, even by a computer, is more of an art form, a massive guess, than it is a science.

[zaarn]

Fingerprints are IMO fine for reoccurring logins. I set my phone to require my password on first boot but while it's running a fingerprint is good enough.

Same could go for websites. A simple biometric factor like fingerprints is easy and friction free enough to log in users on previously seen devices. My password can then also be much longer and the website can impose stricter rules (longer passwords, no breached passwords, etc.) without increasing user friction that much either since most people will probably only log in from 4 devices at most (desktop, phone, tablet and some library computer)