by andrewfong 4106 days ago
I hope that PINs and such always remain alternatives to biometrics. My usual concern -- if the locally stored biometric data is compromised (malware, poor crypto, etc.), I need a way to "change my password", which isn't really possible for something like facial recognition. Likewise, I'm curious if there's a fallback authentication method for people who lose a finger, get their faces deformed, etc.

That said, the whole device-based authentication piece seems useful. A Windows 10 computer is now one factor in a 2FA scheme and the OS (and at least one of its browsers) gets to be directly integrated into Microsoft's SSO scheme.

6 comments

You don't need to only worry about your device being compromised; your biometric credentials are being leaked by your mere existence.

Before long, I can imagine someone being able to build facial models capable of fooling recognition systems using only a few source images. Your fingerprints are everywhere. Iris would be a bit harder, for now, but potentially possible with an image of high enough resolution.

Fingerprint and iris scanners have been compromised with nothing more than a high-resolution image: https://www.youtube.com/watch?v=vVivA0eoNGM

Yes, and the next step would be Kinect-like 3D scanning and "video magnification" for pulse detection ( http://people.csail.mit.edu/mrub/vidmag/ ), but these too could be compromised with some effort.

That's why these should be used only as a replacement for usernames and not for passwords.

They have long-range iris identification. It stands to reason that soon that will also be enough to gather a replica without the target knowing.

https://www.cylab.cmu.edu/research/projects/2012/long-range-...

In fact, my research lab recently received a donation of high-power telescopes that had been used for testing extremely long-range iris identification technology. I'm not sure if the project was scrapped or if they are planning on continuing development.

Biometrics have more in common with usernames than passwords.
You can change usernames at will.

A lot harder with biometrics.

Wouldn't it be more equivalent to a UUID, or am I neglecting something?

Same thing, really, in this context. The biometrics are what uniquely identify someone (username, UUID, whatever). The password is what provides authorization. The problem is biometrics are being treated as both the identifier and the authorization.

On the same note, while I think the technology is cool, I think there should (and will) always be an alternative for the traditional PIN/password. One prime reason why you'd want a password-only entry is because LEOs (law enforcement officers) can force you to swipe your thumb, look into an iris scanner, look at a camera for face unlock, etc., but they cannot force you to type in your password.

You should check out biometric key-binding: basically, you take a biometric and a password to build a template that can only authenticate the user if both are present.
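A toy version of the key-binding idea from the comment above (a fuzzy commitment: a random key is hidden under the biometric with an error-correcting code, and the key is only useful together with the password). This is an added example, not code from the commenter or any real product; the key size, the 3x repetition code and the sample feature string are all constructed, and a real scheme would use a proper feature extractor and a stronger code.

```python
import hashlib
import os
import random
import secrets

# Toy parameters (constructed): a 64-bit key bound to a 192-bit biometric
# feature string with a 3x repetition code, so one flipped bit in any 3-bit
# group is tolerated while two or more in a group corrupt that key bit.
KEY_BITS = 64
REPEAT = 3

# Constructed stand-in for a feature extractor's output at enrollment.
_rng = random.Random(1234)
SAMPLE_BIOMETRIC = [_rng.randint(0, 1) for _ in range(KEY_BITS * REPEAT)]

def _verifier(key_bits, password, salt):
    """Hash the recovered key together with the password; neither alone suffices."""
    key_bytes = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.pbkdf2_hmac("sha256", key_bytes + password.encode(), salt, 100_000)

def enroll(biometric_bits, password):
    """Build the template: helper data = codeword XOR biometric, plus a verifier."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [bit for bit in key for _ in range(REPEAT)]  # repetition encode
    helper = [c ^ b for c, b in zip(codeword, biometric_bits)]
    salt = os.urandom(16)
    return {"helper": helper, "salt": salt, "verifier": _verifier(key, password, salt)}

def authenticate(template, biometric_bits, password):
    """Unbind with the presented biometric, majority-decode, then check the password binding."""
    codeword = [h ^ b for h, b in zip(template["helper"], biometric_bits)]
    key = [int(2 * sum(codeword[i:i + REPEAT]) > REPEAT) for i in range(0, len(codeword), REPEAT)]
    return secrets.compare_digest(_verifier(key, password, template["salt"]), template["verifier"])

def perturb(bits, groups, flips_per_group=1):
    """Constructed noise model: flip `flips_per_group` bits in each listed 3-bit group."""
    out = list(bits)
    for g in groups:
        for j in range(flips_per_group):
            out[g * REPEAT + j] ^= 1
    return out

def demo():
    """Returns (exact match, noisy but within tolerance, too noisy, wrong password)."""
    t = enroll(SAMPLE_BIOMETRIC, "correct horse")
    return (
        authenticate(t, SAMPLE_BIOMETRIC, "correct horse"),
        authenticate(t, perturb(SAMPLE_BIOMETRIC, range(KEY_BITS)), "correct horse"),
        authenticate(t, perturb(SAMPLE_BIOMETRIC, [0], flips_per_group=2), "correct horse"),
        authenticate(t, SAMPLE_BIOMETRIC, "wrong password"),
    )
```

The stored template holds only the helper data, the salt and the verifier hash, so a stolen template plus either factor alone does not authenticate; note that helper data in real schemes still leaks some information about the biometric, which is why production key-binding designs pair it with stronger codes and careful feature extraction.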

> Likewise, I'm curious if there's a fallback authentication method for people who lose a finger, get their faces deformed, etc.

Deformation is a very real challenge for biometrics, but there is also a lot of active research in the area.

An old one, but this is more of a worry:

http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

Plus it's pretty difficult to reissue a biometric ID if it is compromised.

Or if your device manufacturer decides it's time to store that data on their cloud and forces you to use their proprietary security tools. Good times.