by feld 4106 days ago
This was demoed to my employer when Microsoft came through a month ago. I was not impressed -- biometrics are a username, not a password.

edit: the article does not cover using your voice. I'm 99% sure they demoed to us the ability to use a custom phrase to authenticate with your voice as well.


> biometrics are a username, not a password.

Can you clarify what you mean by that? People like to parrot it, but few if any will explain why they feel that way.

If you simply mean that you don't find it secure enough, wouldn't that really depend on the use-case? For example, what may not be secure enough to log into a DC, may be secure enough to let the secretary log into their computer which just has access to address books and calendars. It is all relative.

Some biometric systems are fairly secure, like fingerprints. The cost and skill required to extract and reproduce a fingerprint so it is scannable make it a non-trivial affair. While the security services and a dedicated adversary could, for 80%+ of normal computer users it is a non-threat.

Android's face unlock may have been trivially beaten but it reads like Microsoft are using multi-level photography (i.e. both IR for under-the-skin and visible light for on-the-skin) to extract a layered model of a person's face and head which could (maybe) prove harder to bypass with just a photograph.

Simply put, for good authentication you want a token which is secret and easily changed.

Biometric data are not secret (face, fingerprints, voice), nor can they be changed.

That means they are easy to forge and hard to revoke when compromised, and at most they can be useful as identification, like your email, and not as a password.

I wonder why no one thought of biometric identification with a hardware token which plays a one-time tone outside the audible spectrum. That would be incredibly convenient for users and still quite resilient. Just throw in side-channel auth like a phone message for an unknown location or device and off you go.

Biometrics is identification, not authentication.

It identifies who you are talking to, which is not the same as confirming who you are talking to (verifying the authenticity of the identity).

An iris scan does not identify who you are talking to. A fingerprint scan does not either. These are unique to an individual; if they were the person who set them up, then it is, in 99% of cases, a unique element of a person that can be used to authenticate them.

That's a whole lot better than a password, which can be shared by multiple people.