Hacker News new | ask | show | jobs
by GuB-42 883 days ago
You are already putting copies of your fingerprints everywhere, by just touching stuff.

Fingerprints, like all biometrics are not a secret like a password. The point is to assess your physical presence. When used with a phone, your fingerprints are not securing your data, the phone, as a physical device does ("something you have"). The fingerprint is a second factor ("something you are"), a way to make sure the device is in your hands and not someone else's hand.

Security depends on the sensor device. That is, how good it is a making a difference between your actual, live finger and something else.

If you are worried about the security of your phone fingerprint sensor, use a password. Your fingerprint itself is already available to anyone who cares.
3 comments
cassianoleal 883 days ago
I don't buy this.

Fingerprints and other biometrics can be used as both/either "something you are" and "something you have", if we're using the MFA terminology.

With that in mind, a system that required 2 biometrics for access might be as good as a system that requires 2 factors in other forms.

If someone steals my fingerprint from a glass in a bar, it's unlikely they also have a model of my face or a print of my retina, or some other biometric. Or if they do, it's likely they were motivated enough to also know my password/PIN/whatever.

Putting the tech aspects aside, a biometric is identification and authentication rolled into one: you're both saying who you are and proving it at the same time.

link
tiberious726 883 days ago
This is simply untrue, and anyone who follows this advice will fail a NIST audit: https://csrc.nist.gov/glossary/term/multi_factor_authenticat....

All three factors have different security properties. The big downside of biometric factors is that they can't be replaced when compromised. You can't play language games and say "oh, I technically /have/ fingerprints" and pretend that changes their security properties.

link
rakoo 883 days ago
> The fingerprint is a second factor ("something you are"), a way to make sure the device is in your hands and not someone else's hand.

> Your fingerprint itself is already available to anyone who cares.

In that case your fingerprint can't prove you're here then

link
Daviey 883 days ago
And this is why multiple factors are essential. It does indicate that you've had proximity to the credentials.

Ie, if I replicated your fingerprints from a drink glass in a bar, I'd likely not know your name (username) or password, which would be the first factor.

Equally if I got your credentials from a dark web leak, I'd not know your biometrics, which would be your second factor.

It isn't foolproof, but it is certainly significantly more secure than just making your password more complex.

That said, I do prefer fingerprints being an identifier (or username) rather than a credential, but as part of an MFA process I feel it adds value.

link
throwawayqqq11 883 days ago
> something you have

Like passkeys, which also cannot reach the secrecy of passwords.

link