[deelowe]

Let's ignore the part about biometrics being faked since this seems to be a point of contention.

Isn't it a fair argument that secret keys should be mutable by the user? In the future, some unforeseen event COULD occur which compromises or otherwise renders the particular biometric unusable. Now what?

[CyberRage]

But they are... Firstly, with how it works. even if you use the same finger to generate hundreds of keys, they should all be different because we are using noise\randomness within the algorithm itself. different sensors will generate different outputs and therefore it is pointless to worry about the key used stolen.

I think what you want is secret keys completely detached from the user. we have that as well with hardware tokens.

[stjohnswarts]

Once they have a way to fake your biometric though they have it for forever, that's the point. With a password you have a way to provide a key only known to you and while it can be faked, it can also be reset, you can't reset your fingerprint without surgery

[CyberRage]

I don't get the point... If someone steals your fingerprint, he stole your fingerprint.

As I explained you can't get the fingerprint from the device\key, it is simply not there.

This isn't the problem of the implementation\technology if someone stole your fingerprint. it didn't lead to your biometrics compromised

What's easier to do? stealing someone's fingerprint or cracking\guessing their password.

Definitely the latter.

[nybble41]

> What's easier to do? stealing someone's fingerprint or cracking\guessing their password.

> Definitely the latter.

You sure about that? A properly generated (i.e. random) password won't be cracked or guessed in any reasonable amount of time, whereas a model of your fingerprint(s) can be lifted from any object you've touched and used to create a silicone mold capable of fooling many fingerprint readers. And you only have 10 of them at best; once all your fingerprints are known to potential attackers that's it; you can't use fingerprint authentication any more for the rest of your life.

[CyberRage]

Really? can you back this up? I can. I work in the cyber industry for a decade now. I've seen the data, I've seen attempt to bypass both. Biometrics are by far better for the vast vast majority of people.

Do you even listen to what you're describing here? trailing someone, trying to extract fingerprints? this isn't a Jame Bond movie.

Cyber attacks are common because they are completely digital\anonymous by nature.

Secondly, humans can't remember\generate truly secure passwords, unique for every account they own. they usually rely on a tool like a password manager.

PM are definitely better than weak passwords but are actually weaker than biometrics. they are a central point of failure and have been attacked in the past.

For the average Joe, biometrics are more secure since he is not using such tool anyways.

[nybble41]

> this isn't a Jame Bond movie.

It doesn't take James Bond to lift some fingerprints off a surface. Anyone with physical proximity and a little practice can manage that much. People have managed to fool fingerprint readers with Gummi Bears before, much less specially-designed equipment. It's a practical attack, unlike attempting to brute-force a truly random 10-character password from a 78-character alphabet (uppercase, lowercase, digits, and half of the 32 symbols on a PC-104 keyboard).

> Secondly, humans can't remember\generate truly secure passwords, unique for every account they own. they usually rely on a tool like a password manager.

Which is perfectly fine. You aren't going to break their password manager either. The weak point is the users who aren't using password managers, because they try to get by with less-than-random passwords which are susceptible to cracking. Or biometrics, which aren't secret at all.

[CyberRage]

Let me follow up and say. why do people go nuts over biometrics?

Password based biometrics is the last place I would look at for biometric compromise.

We leave biometric traces everywhere, all the time. do you cover your face and wear gloves in public? hmmmm...