You only get one set of fingerprints. If you use this as a master key, and someone else gets a hold of your fingerprints, you're vulnerable for the rest of your life.
No, that is just not how "secure" works, you need to take into account all the details of the system in question and the threat model. Usually biometrics is not being used alone, there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy. Someone "getting ahold of your [fingerprints|eyeballs|face|internal chip|whatever]" and the physical "token" (smartphone being the most common) amounts to a targeted physical attack, which is a very difficult class to deal with but also not scalable. Don't count on any naive or technical-only method to defeat this: passwords may well be worse because in any non-physically secure setting it's far more trivial to shoulder surf a passcode entry than to grab biometrics and seize the token. Furthermore most people are simply unwilling (with good reason) to deal with an appropriately complex passcode in constant usage on the go, so it's a case of biometrics+complex password taking the place of say a 6 digit PIN.
It seems like in every single HN thread on biometrics somebody comes in to proclaim for the nth time that "fingerprints aren't passwords!!" or something of that nature, as if "something you know/something you have/something you are" haven't long been known and considered as basic building blocks of authentication with various tradeoffs vs different threat scenarios. Your kind of oversimplification is not helpful given that it can actively harm real world security, which requires amongst other things actually working with how actual humans really are and making the right economic tradeoffs.
>I would say biometrics is “usually” used in phones where it’s used completely on its own to unlock them.
So you'd say that "there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy" then? Because that's what it is.
>but that won’t keep someone from going through all of your photos and emails.
Neither will a PIN in a targeted physical attack. The long, good master password can defend against offline attacks (including most particularly backup data stores off of any specific device), serve as a line of defense against lower level modifications, etc. You keep "someone" from going through device data through physical defense of the device, difficulty of time-to-attack vs methods like remote wipes or physical limits, network reqs, perhaps coercion code/auto sensor limits down the road, and on and on. All within the framework of expected cost/benefit, like all security.
>So you'd say that "there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy" then? Because that's what it is.
I'd say that the fingerprint is the single factor to unlock your phone and access all of your data. So I'm not sure I understand your point about a physical token. That the phone is a physical token that you need in order to unlock the phone?
I guess that's true, but it's a weird way of describing it versus just calling the fingerprint a single factor used to unlock the physical device.
That feels like saying "My house has two factor authentication, one factor is the key and the other is the house." The house isn't a second factor, it's the thing you're getting access to.
>That the phone is a physical token that you need in order to unlock the phone? I guess that's true, but it's a weird way of describing it versus just calling the fingerprint a single factor used to unlock the physical device.
No, it's an important (and interesting I think) difference. Compare to many of the systems you deal with otherwise: with most of them the specific physical thing you're using to access the data isn't that (or at all) relevant. With your HN account for example, if the password were known then it doesn't need to be accessed from one of your devices. Nothing of yours needs to be physically possessed. You could say storage on one of your computer systems would require more physical access, and that might sort of be true (there are gradients in all these things), but from a pure technical perspective general practice has been, even with full disk encryption, that the password is still the root. For software FDE the password is generally going to go through a key stretching algorithm to turn it into something cryptographically usable and add some resistance to brute force of so-so keys as well as time/memory tradeoff attacks (rainbow tables), but it's a deterministic process. If you know the password, the key can be generated, including if the drive was pulled and put into another system or imaged onto some other piece of hardware entirely. Getting access to the data may present challenges depending on where it is (local could be harder than an attached drive which might be harder than a LAN volume, or the reverse). But once that data is acquired, knowledge of the password is sufficient.
But with a good smartphone (and starting to be more in computers via HSMs or built-in like Apple's T-series of chips) it'll instead be that the authentication factors go to a blackbox dedicated security chip, and that then handles keys which are entangled with hard burned-in data specific to that device. You cannot pull the storage or image it then unlock it, knowing the user's password is insufficient. For any data using that phone's hardware security as its root, you must go through that specific, physical chip regardless of any knowledge of biometrics or passwords. It is an integral part of the data security in a way that is not yet typical for traditional systems (let alone online). As far as I know all of those systems still have a password as one way to authenticate to them, with biometrics being another, and in principle they could make use of further automatic sensors too as well as do interesting things like require different authentication factors for different operations, or enable powerful anti-coercion features.
Of course, it also means if that chip ever has any trouble or gets lost, better hope to have backups because otherwise you're hosed, no recovery is possible even if the physical storage is completely fine and all the encrypted data is right there.
So "what you're getting access to" is the data and operational capability of the phone, but "how you do so" is going through a "separate physical token authenticated by a 2nd/3rd factor" (the hardware security chip), no different than if you had a USB HSM you plugged into your PC and made it a blackbox requirement for data decryption or certain operations like signing. Just because the connection between the separate token and what you're accessing happens to be direct solder and traces on a motherboard vs USB or PCIe or whatever doesn't mean it's not a separate factor here. And as it's the physical token intermediating, even total compromise of the system to be accessed doesn't by itself mean biometrics or passwords leak either.
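Illustration of the distinction drawn in the comment above (an added example, not code from any commenter): a software-FDE key is reproducible from the password plus the on-disk salt on any machine, whereas a key entangled with a per-device secret is not. The function names, the toy HMAC "sealing" used in place of real key wrapping, and all sample values are constructed for this example.

```python
import hashlib
import hmac

KDF_ITERATIONS = 200_000  # key-stretching cost; illustrative only


def software_fde_key(password: str, salt: bytes) -> bytes:
    """Software FDE: password + on-disk salt through a deterministic KDF.
    Anyone holding a disk image (salt included) and the password can
    re-create this key on any machine."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def hardware_bound_key(password: str, salt: bytes, device_secret: bytes) -> bytes:
    """Secure-element style: the stretched password is mixed with a secret
    fused into one specific chip. Without that chip the password is useless."""
    stretched = software_fde_key(password, salt)
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()


def seal_header(key: bytes, header: bytes) -> bytes:
    """Stand-in for key wrapping: a tag over the volume header that only
    verifies under the correct key."""
    return hmac.new(key, header, hashlib.sha256).digest()


def can_unlock(key: bytes, header: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal_header(key, header), tag)


# Constructed sample values
PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
HEADER = b"constructed-volume-header-v1"
ORIGINAL_CHIP = bytes(range(32))       # secret burned into the original device
OTHER_CHIP = bytes(range(32, 64))      # a different device's secret


def imaged_disk_scenario():
    """Storage has been imaged (salt, header, sealed tag are all available) and
    the password is known. Returns (software_fde_unlocks, hardware_bound_unlocks)."""
    sw_tag = seal_header(software_fde_key(PASSWORD, SALT), HEADER)
    hw_tag = seal_header(hardware_bound_key(PASSWORD, SALT, ORIGINAL_CHIP), HEADER)
    # Re-deriving on another machine: the software key is reproducible...
    sw_ok = can_unlock(software_fde_key(PASSWORD, SALT), HEADER, sw_tag)
    # ...but the hardware-bound key is not, since the original chip's secret is absent.
    hw_ok = can_unlock(hardware_bound_key(PASSWORD, SALT, OTHER_CHIP), HEADER, hw_tag)
    return sw_ok, hw_ok


if __name__ == "__main__":
    print(imaged_disk_scenario())  # (True, False)
```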
I used to have stacks of these yellow sticky notes with my password printed on it. I ensured that wherever I went, I would stick one of them to anything I touched, so I'd have it ready just in case.
Thanks to fingerprint biometrics I can do this now just as well without even having to buy sticky notes.
This seems pretty obvious. Anything static is forageable and hence vulnerable. Bio can add complications (is this fingerprint warm and pulsing?) but ultimately all will be overcome.
The usual approach to spoofing fingerprints is by somehow acquiring a latent fingerprint from a "genuine" user, creating a mold from this latent fingerprint through e.g. [1], and then applying the mold to the fingerprint sensor.
What these authors previously showed is that you can create a "masterprint" on a representation (feature vector) level that "averages" a lot of fingerprints together, creating something that is usually quite close to any individual's fingerprint, and thus is able to fool recognition software quite often.
In practice, this would require an attacker to bypass the sensor and feature extractor parts of a biometric system, and inject their masterprint feature vectors directly into the biometric comparator (one that compares the current sample to a template derived from previously enrolled samples). Considering these systems are usually tightly integrated, this is quite a hard attack to do.
What the authors now present is a way to generate "DeepMasterprints". These are actual images that can be used to create molds such as [1], and can be applied to any fingerprint sensor that doesn't have a sufficient Presentation Attack Detection (PAD) mechanism (Hint: supposedly most PADs on smart phones are easy to bypass, same thing for older fingerprint sensors). For these spoof attacks, the difficult part was actually getting a high quality print off the genuine user. But now it turns out this isn't really necessary and you can use a "deepmasterprint" to get a high enough chance of being mistaken for _any_ genuine user.
Hum, about fingerprints as keys to store valuable and personal things. What happens if tomorrow I would suffer a car accident and 'lost' my key? Or have a new scar hiding a part of my key? Would I be locked out forever?
Or how to explain a machine that will keep asking for my 'real key', the concept of a wasp's sting for example?
Not very secure.