[rkrisztian]

What I missed from the article is the usual: biometric authentication is not secure.

https://www.youtube.com/watch?v=tJw2Kf1khlA

(Yes, I'm linking YouTube because unlike popular belief, some channels are actually informative, or some make it easy for us to understand the content.)

I would never use my fingerprint for authentication, because it's a flawed concept. The problem is, that your fingerprint is not a password. It's more like a username. That's because you leave your fingerprint everywhere, it's practically public information. The same can be told about your face.

[didibus]

Biometrics are like identification yes. It checks that it's you. Now knowing that it's you, it retrieves a password stored on-device and uses the password for auth.

The auth is using a password still. The password is just indexed on your face or fingerprint ID and only locally, on-device.

That means the attacker would need the device to ever get at the password in the first place. Then they'd need to be able to break into the device. The latter you can argue is easy or hard, depending on perspective, but they'd need both your faceprint or fingerprint, and a reliable way to replicate it that can fool the reader.

If your fingerprint or faceprint leaks to the world. The attacker would still need your physical device, and would still need to find a way to fool the physical reader with a replica of your faceprint or fingerprint.

In that sense, it's more secure than a password.

[hn_throwaway_99]

That YouTube video is bad, if not outright wrong.

First of all, like the other commenter said, these days biometrics are rarely used as a key itself (which is how they are often portrayed in old movies). Instead, they are used as a method to gain access to the key. This is quite literally the case with some biometric Yubikeys - the key is the Yubikey, but to get it to work it needs your biometrics. Are you saying it would be better to have a key with no access control at all? Or one with a passcode (just watch the linked WSJ article from TFA - the guy was able to steal data from phones with passcodes, but biometrics would have made that attack vector much more difficult). Phones work pretty much the same way, perhaps the downside being that people often don't consider their phones as something that needs the same level of guarding as an actual key.

And just as importantly, what these kinds of YouTube videos often miss is the old adage "I don't need to outrun the bear - I just need to outrun you." That is, unless you are a particularly high-value target (and you would know if you are), any security that makes you much more difficult to hack than the person using Princess123 as their password means thieves give up and go to the easier target first.

[llbbdd]

It's a bit of an aside but your disclaimer intrigued me - YouTube is extraordinarily useful and the popular belief is that it is, I'm not sure at all it's anywhere near a popular belief otherwise. It's like defending a television recommendation to watch How It's Made on the basis that there are also less informative shows broadcast on the same medium.

[frollogaston]

So if I give you my fingerprint on a cup, can you get into my phone?