by therobot24 4114 days ago
As someone who actively researches biometric authentication, when I hear/read someone saying that biometrics are "usernames" and not "passwords", I automatically think they fundamentally misunderstand what a biometric is.

A biometric is both a 'username' and a 'password' - for instance, when you access your computer/device/whatnot you type in your username and your password to identify to the system that you are requesting access (on mobile the account is implied). When using a biometric, the system will have a stored template (similar to a password) that it associates to the system user account, and in ideal situations you (the user) do not need to do anything other than be present to access the system resources. It's a difference between identification and verification. Do you go to your friends each time they ask you something and say "are you so and so?", or have you already identified who they are? Based on the video it seems that MS is starting to understand this difference. Check out the video at ~2:35. He sits down at the login screen, and it just opens the desktop. For consumer applications this is really the goal of any biometric system.

Now spoofing and biometric template data being stolen are still real problems. Unfortunately, spoofing is not a very hot topic in the biometric field (usually conferences only have a relatively small percentage of papers on the subject), but given more consumer applications I'm hoping more funding will start to head that way. Concerning biometric template data, no you can't change it in its most raw format, your fingerprint is static... that's what's so great about it. However, there are methods such as key-binding where the template is itself encrypted with a private key. This however leads to more passwords... In any case, it's unfortunately up to companies like MS to start paving the way to successful implementations - if the data breaches we hear about almost monthly (Uber, Target, etc) are any indication, your password is just as at risk as your fingerprint.

3 comments

"A biometric is both a 'username' and a 'password' "

This is true, but usually people don't go around showing their passwords to any camera they walk by or surface they touch. That is why people say that it is more appropriate for biometrics to identify someone than it is to provide their authentication.

"your password is just as at risk as your fingerprint."

Also true, but what do you do when these breaches happen if the data is biometric? You can't send out an e-mail asking people to change their fingerprints or face. With existing password infrastructures after a breach the infrastructure can be upgraded to prevent that breach, then the users can be told to change their passwords, then that vulnerability is closed. Once a person's biometric data is stolen (or just taken from the hundreds of sources of our biometric data we leave around daily in the form of pictures and fingerprints) that's it, you can't close whatever breach they used to get in and then move on, because the user can't change their "password" to one that has not been compromised. That account is forever breached.

Biometrics violate several of the requirements for something that can be used as authentication, which is why they are great as identifiers, but terrible as authenticators.

> usually people don't go around showing their passwords to any camera they walk by or surface they touch. That is why people say that it is more appropriate for biometrics to identify someone than it is to provide their authentication.

Yea i see the point, but there will always need to be an asterisk after the statement, "a biometric is a username, not a password", because it's only valid in the sense there are concerns about the security of the biometric template. Down the line maybe we'll figure out this spoofing/liveness test thing, but we won't find out while many instantly write off the merit of the system to begin with.

> what do you do when these breaches happen if the data is biometric? You can't send out an e-mail asking people to change their fingerprints or face.

I did mention this somewhat in the original post. Saving a raw biometric template (minutiae points or whatnot) is synonymous to keeping a database of plain text passwords. It's just wrong. The data breaches (Uber, Target, etc.) are proof that in 2015, we still have this problem. I would never trust a start-up or large corporation with consumer grade biometric authentication. However, on my laptop a different story... I've been using the Thinkpad fingerprint reader for years and love it.

> Yea I see the point, but there will always need to be an asterisk after the statement, "a biometric is a username, not a password", because it's only valid in the sense there are concerns about the security of the biometric template. Down the line maybe we'll figure out this spoofing/liveness test thing, but we won't find out while many instantly write off the merit of the system to begin with.

Any sensor accurate enough to perform biometrics is simultaneously accurate enough to create a spoof capable of fooling the authentication sensor. The only way to avoid this requires an active activity, at which case you've just duplicated the password [e.g. the act of typing is identical to the act of sufficient action to make it virtually impossible to duplicate] which has better known security characteristics.

> I did mention this somewhat in the original post. Saving a raw biometric template (minutiae points or whatnot) is synonymous to keeping a database of plain text passwords. It's just wrong. The data breaches (Uber, Target, etc.) are proof that in 2015, we still have this problem. I would never trust a start-up or large corporation with consumer grade biometric authentication. However, on my laptop a different story... I've been using the Thinkpad fingerprint reader for years and love it.

A single breach and you cannot rely on biometric data for life is the reason this is only safe to use as a "username" and not a password. You won't be able to significantly change your biometrics w/o breaking other identification issues.

Biometrics are only valid as a username or secondary authentication factor.

>The only way to avoid this requires an active activity, at which case you've just duplicated the password [e.g. the act of typing is identical to the act of sufficient action to make it virtually impossible to duplicate] which has better known security characteristics.

Only way is active activity? Or just the only way you can think of?

>A single breach and you cannot rely on biometric data for life is the reason this is only safe to use as a "username" and not a password. You won't be able to significantly change your biometrics w/o breaking other identification issues.

You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.

>Biometrics are only valid as a username or secondary authentication factor

It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.

>You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.

Well, is that an unreasonable assumption? With passwords knowing what one person's password used to be or even knowing one hash of their current password tells you nothing about a different hash of their current password. With biometric data points presumably if they get accurate and detailed enough (which you already admit they would have to do to be a valid authentication mechanism) you can extrapolate. Faces are known quantities. Knowing how 999 points of your face are arranged does give you data about how other points on your face are likely to be arranged. We already have modelling software capable of this, so it doesn't seem unreasonable that such methods may be improved if facial recognition gains traction. At the very least it brings down the solution space to a much smaller size the more data points are used, which is the opposite of what happens when more data points (characters) are used in alpha-numeric passwords.

>It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.

I would agree. Especially opinions like how others "clearly know little about the topic".

But is it as frustrating as someone explaining their reasoning for their statement and then you ignoring that reasoning to discuss their closing statement as the entire argument?

> Well, is that an unreasonable assumption? With passwords knowing what one person's password used to be or even knowing one hash of their current password tells you nothing about a different hash of their current password.

Yea it is, this is very different from a password, even though it's being used in a similar way. Let's take fingerprints as an example - algorithm A uses minutiae points, and algorithm B does a simple normalized cross correlation between the two images. While this is a toy example, you can see there is a clear difference in what is being stored or even hashed.

> At the very least it brings down the solution space to a much smaller size the more data points are used, which is the opposite of what happens when more data points (characters) are used in alpha-numeric passwords.

No, it doesn't. You'd have better luck using a facebook profile picture printed on an old inkjet than you would trying to use a specific template as the 'solution space' of what other templates may be.

> But is it as frustrating as someone explaining their reasoning for their statement and then you ignoring that reasoning to discuss their closing statement as the entire argument?

I admit that it wasn't the classiest way to respond, and I apologize for it (I'm not going to delete it though, I wrote it and I won't run from it), but the same arguments keep coming up over and over again, and it's very clear that the users making these statements are not reading any previous replies, so I wasn't going to waste my time going over all the points again and again.

> Only way is active activity? Or just the only way you can think of?

https://www.defcon.org/images/defcon-13/dc13-presentations/D...

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10....

> For eliminating type 2 attacks, where a previously intercepted biometric is replayed, Ratha et al. [9] proposed a challenge/response based system. A pseudo-random challenge is presented to the sensor by a secure transaction server. At that time, the sensor acquires the current biometric signal and computes the response corresponding to the challenge (for example, pixel values at locations indicated in the challenge). The acquired signal and the corresponding response are sent to the transaction server where the response is checked against the received signal for consistency. An inconsistency reveals the possibility of the resubmission attack.

Please provide evidence you have a better defense against replay attacks. Then we can go through all the other avenues of attack on biometrics...

> You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.

The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter.

> It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.

How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind?
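
Added example (not part of the thread or of the cited paper): a minimal Python sketch of the challenge/response consistency check quoted above, showing that a previously intercepted signal-and-response pair fails once the server issues a different challenge. The image size, number of challenged locations, sample image and all function names are assumptions made for illustration.

```python
import secrets

WIDTH = HEIGHT = 16      # constructed toy sensor resolution
N_POINTS = 8             # locations per challenge (assumed value)

def make_image():
    """Constructed stand-in for a captured biometric signal: every pixel unique."""
    return [[(r * WIDTH + c) % 256 for c in range(WIDTH)] for r in range(HEIGHT)]

def new_challenge():
    """Transaction server: fresh pseudo-random pixel locations per transaction."""
    return [(secrets.randbelow(HEIGHT), secrets.randbelow(WIDTH))
            for _ in range(N_POINTS)]

def sensor_respond(image, challenge):
    """Sensor: read the pixel values at the locations named in the challenge.
    As in the quoted description, this is assumed to run inside the sensor."""
    return [image[r][c] for r, c in challenge]

def server_check(image, response, challenge):
    """Transaction server: is the response consistent with the received signal?"""
    return response == [image[r][c] for r, c in challenge]

def demo():
    image = make_image()
    # Transaction 1: honest exchange, assumed to be intercepted in transit.
    # Challenges are fixed here (instead of new_challenge()) for repeatability.
    ch1 = [(0, 0), (1, 5), (2, 9), (3, 3), (7, 7), (9, 1), (12, 4), (15, 15)]
    intercepted = (image, sensor_respond(image, ch1))
    honest_ok = server_check(*intercepted, ch1)
    # Transaction 2: a different challenge; the old pair is resubmitted unchanged.
    ch2 = [(0, 1), (1, 6), (2, 8), (3, 2), (7, 6), (9, 0), (12, 5), (15, 14)]
    replay_ok = server_check(*intercepted, ch2)
    # A live sensor answering the new challenge still passes.
    fresh_ok = server_check(image, sensor_respond(image, ch2), ch2)
    return honest_ok, replay_ok, fresh_ok

if __name__ == "__main__":
    print(demo())
```

The check ties each submission to the challenge of its own transaction; it says nothing about whether the signal came from a live finger, which is the separate spoofing question debated in the thread.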

> https://www.defcon.org/images/defcon-13/dc13-presentations/D....

Slide 44 has a long list of things other than active movement on the user end. Video liveness tests are effective, but there are more methods available than just activity, contrast to your previous statement.

> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10.....

> Please provide evidence you have a better defense against replay attacks. Then we can go through all the other avenues of attack on biometrics...

When did i discredit replay attacks? It seems like you're setting up a straw man. You said the "only way to avoid this requires an active activity, at which case you've just duplicated the password". I refuted saying there's more than one, and you actually found a source that confirms that.

> The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter.

I didn't claim you can't. The paper you linked (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10....) applies a relay attack to a known system.

  "we propose a system that can attack a minutia-based fingerprint matcher"

In this case, the attack algorithm is building an optimization to determine a viable template - using some prior information of what type of template is acceptable (how it's stored, the features being used to build it, etc.) In real life, this type of information is not readily available, and at best, an attacker is going to be just guessing.

> makes me seriously question your claims of authority on the subject matter.

I honestly don't care what you think, but questioning my credentials is your right.

> How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind?

When did i ever state that an additional challenge wasn't needed? You're setting up another straw man instead of actually backing up your claims.

Many of my posts mention biometric key-binding as a good alternative to a pure biometric system. In a large scale operation i would never suggest or imply that a pure biometric is good enough - you should really read the rest of the thread. However, what MS implemented here is probably good for the average user.

The perfect use case for biometrics is identifying people who don't want to be identified specifically because they can't change their "password". For example, prisoners, fugitives, enemy combatants, people trying to use software they are not licensed to use or listen to music they have not properly licensed.

In the future the bottom 64 bits of your ipv6 address will be a unique biometric identifier that all licensed internet devices must collect and send with each and every packet.

A government grade application does just this - look at the NIST competitions, they focus on verification scenarios (one to one matching) which span over large datasets.

Appending a biometric id to your ipv6 address seems a bit redundant and unnecessary - you don't need to authenticate to the internet...why not encode more hardware or location information?

> if the data breaches we hear about almost monthly (Uber, Target, etc) are any indication, your password is just as at risk as your fingerprint.

Two things - let's assume these companies follow best practices and both the fingerprints, biometric details and passwords are all hashed. Still:

a) Unlike a password your biometric data is publicly obtainable.

b) You cannot change your biometric data after it's been compromised.

> As someone who actively researches biometric authentication,

If you are an expert in the field - I think you are doing people an active disservice by telling them the security is just as good.

Finally I think typing passwords just isn't that hard - everyone is used to it by now. I may be odd in this - but it's hard for me to see the greater degree of convenience as a huge breakthrough (even without the security implications).

> security is just as good

Read the post, i never discuss the security or merit of a biometric versus a standard user/pass login. I only discuss the advantages/disadvantages and goals of each system. If you inferred a recommendation for one or the other then you misunderstood.

> Finally I think typing passwords just isn't that hard - everyone is used to it by now. I may be odd in this

I completely agree. However, when you see people go to their 'secret drawer' and open up their password book to login to X, then you realize it's a fundamentally broken system (just as using a raw biometric is).

There are 2 main reasons why you wouldn't want this as a password, 1: you leave a biometric footprint everywhere you go, 2: once compromised, you can't reset your biometric profile. In situations where you would want it to automatically authenticate you, it's likely for a system you wouldn't have had password protected in the first place ex. your xbox.

> 1: you leave a biometric footprint everywhere you go,

Latent fingerprints, high resolution video, facebook profiles...all examples of how i can pick up someone's biometric. This is not an unknown problem.

> 2: once compromised, you can't reset your biometric profile.

Clearly. Just based on the definition you can draw that conclusion - a unique, unchanging trait that is used to separate the user from a group.

Common and justified criticisms that people think are just the 'silver bullet' of why a biometric should never be implemented. I've posted replies to these a few times. Feel free to check them out.

Either way, the difference between a corporate login system, and me logging into my laptop is huge. MS implementing a biometric for a consumer laptop is fitting given the current state of the field. Use it or don't, no one is forcing you.