Hacker News new | ask | show | jobs
by bb88 1149 days ago
> It's 100% accurate.

No it's not.

The security triad is "something you are", "something you know", and "something you have". Fingerprints are something you are. Usernames are something you claim to be.

The username is the "claim" you are this person. The password is the "proof" you are.

If I'm fingerprinted by any federal agency today (and my fingerprints have been on file with the government since the 90's for a security clearance), then my fingerprints can serve as absolute proof of my identity. This is helpful to me should my identity ever be stolen and I need to show absolute proof of who I am.
3 comments
jrm4 1149 days ago
Good point, you're right. And with e.g. federal agencies, this fine.

But given the relatively high level of laziness, capriciousness, and general failure all around that is "IT security by means of companies who are rarely held accountable," it's good to point out that this is what makes biometrics worse than usernames and should probably mostly be avoided, or at least optional.

link
bb88 1149 days ago
Your points are taken, but I do believe that the "something you are" is better than the "something you know" and "something you have" pieces -- as the knowledge or the thing you have can be stolen.

Sure fingerprints, face scans, and iris scans can be stolen as well. But certain things are really hard to fake, including potentially, scans of faces and an iris scan at the same time -- unless you can somehow graft a new iris and grow a new face.

Put it like this: a dead victim is found naked along the side of the road. Which leg(s) of the security triad can the police use to prove the identity of the victim?

link
jrm4 1149 days ago
If convenience plus precision are your only goals, sure. But this requires probably too much trust in the systems. I'm fine with the FBI having that power and information.

Google, who I don't pay and doesn't owe me much, not so much.

link
withinboredom 1149 days ago
Your fingerprints change over time (mine are different from just five years ago -- as I learned when recently renewing a visa a few weeks ago).
link
lcnPylGDnU4H9OF 1149 days ago
Those are all factors in multi-factor authentication. If a service does not require the "something you are" there's still good security if they require the other two factors. If the only required factor is "something you are" that's bad security.
link
newaccount74 1149 days ago
They all require the "something you have" as well. Pretty much all the face recognition / finger print tech on mobiles is locked to a single device.
link