[mejari]

"A biometric is both a 'username' and a 'password' "

This is true, but usually people don't go around showing their passwords to any camera they walk by or surface they touch. That is why people say that it is more appropriate for biometrics to identify someone than it is to provide their authentication.

"our password is just as at risk as your fingerprint."

Also true, but what do you do when these breaches happen if the data is biometric? You can't send out an e-mail asking people to change their fingerprints or face. With existing password infrastructures after a breach the infrastructure can be upgraded to prevent that breach, then the users can be told to change their passwords, then that vulnerability is closed. Once a person's biometric data is stolen (or just taken from the hundreds of sources of our biometric data we leave around daily in the form of pictures and fingerprints) that's it, you can't close whatever breach they used to get in and then move on, because the user can't change their "password" to one that has not been compromised. That account is forever breached.

Biometrics violate several of the requirements for something that can be used as authentication, which is why they are great as identifiers, but terrible as authenticators.

[therobot24]

> usually people don't go around showing their passwords to any camera they walk by or surface they touch. That is why people say that it is more appropriate for biometrics to identify someone than it is to provide their authentication.

Yea i see the point, but there will always need to be an asterisk after the statement, "a biometric is a username, not a password", because it's only valid in the sense there are concerns about the security of the biometric template. Down the line maybe we'll figure out this spoofing/liveness test thing, but we won't find out while many instantly write off the merit of the system to begin with.

> what do you do when these breaches happen if the data is biometric? You can't send out an e-mail asking people to change their fingerprints or face.

I did mention this somewhat in the original post. Saving a raw biometric template (minutiae points or whatnot) is synonymous to keeping a database of plain text passwords. It's just wrong. The data breaches (Uber, Target, etc.) are proof that in 2015, we still have this problem. I would never trust a start-up or large corporation with consumer grade biometric authentication. However, on my laptop a different story...i've been using the Thinkpad fingerprint reader for years and love it.

[fweespeech]

> Yea I see the point, but there will always need to be an asterisk after the statement, "a biometric is a username, not a password", because it's only valid in the sense there are concerns about the security of the biometric template. Down the line maybe we'll figure out this spoofing/liveness test thing, but we won't find out while many instantly write off the merit of the system to begin with.

Any sensor accurate enough to perform biometrics is simultaneously accurate enough to create a spoof capable of fooling the authentication sensor. The only way to avoid this requires an active activity, at which case you've just duplicated the password [e.g. the act of typing is identical to the act of sufficient action to make it virtually impossible to duplicate] which has better known security characteristics.

> I did mention this somewhat in the original post. Saving a raw biometric template (minutiae points or whatnot) is synonymous to keeping a database of plain text passwords. It's just wrong. The data breaches (Uber, Target, etc.) are proof that in 2015, we still have this problem. I would never trust a start-up or large corporation with consumer grade biometric authentication. However, on my laptop a different story...i've been using the Thinkpad fingerprint reader for years and love it.

A single breach and you cannot rely on biometric data for life is the reason this is only safe to use as a "username" and not a password. You won't be able to significantly change your biometrics w/o breaking other identification issues.

Biometrics are only valid as a username or secondary authentication factor.

[therobot24]

>The only way to avoid this requires an active activity, at which case you've just duplicated the password [e.g. the act of typing is identical to the act of sufficient action to make it virtually impossible to duplicate] which has better known security characteristics.

Only way is active activity? Or just the only way you can think of?

>A single breach and you cannot rely on biometric data for life is the reason this is only safe to use as a "username" and not a password. You won't be able to significantly change your biometrics w/o breaking other identification issues.

You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.

>Biometrics are only valid as a username or secondary authentication factor

It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.

[mejari]

>You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.

Well, is that an unreasonable assumption? With passwords knowing what one person's password used to be or even knowing one hash of their current password tells you nothing about a different hash of their current password. With biometric data points presumably if they get accurate and detailed enough (which you already admit they would have to do to be a valid authentication mechanism) you can extrapolate. Faces are known quantities. Knowing how 999 points of your face are arranged does give you data about how other points on your face are likely to be arranged. We already have modelling software capable of this, so it doesn't seem unreasonable that such methods may be improved if facial recognition gains traction. At the very least it brings down the solution space to a much smaller size the more data points are used, which is the opposite of what happens when more data points (characters) are used in alpha-numeric passwords.

>It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.

I would agree. Especially opinions like how others "clearly know little about the topic".

But is it as frustrating as someone explaining their reasoning for their statement and then you ignoring that reasoning to discuss their closing statement as the entire argument?

[therobot24]

> Well, is that an unreasonable assumption? With passwords knowing what one person's password used to be or even knowing one hash of their current password tells you nothing about a different hash of their current password.

Yea it is, this is very different from a password, even though it's being used in a similar way. Lets take fingerprints as an example - algorithm A uses minutiae points, and algorithm B does a simple normalized cross correlation between the two images. While this is a toy example, you can see there is a clear difference in what is being stored or even hashed.

> At the very least it brings down the solution space to a much smaller size the more data points are used, which is the opposite of what happens when more data points (characters) are used in alpha-numeric passwords.

No, it doesn't. You'd have better luck using a facebook profile picture printed on an old inkjet than you would trying to use a specific template as the 'solution space' of what other templates may be.

> But is it as frustrating as someone explaining their reasoning for their statement and then you ignoring that reasoning to discuss their closing statement as the entire argument?

I admit that it wasn't the classiest way to respond, and i apologize for it (i'm not going to delete it though, i wrote it and i won't run from it), but the same arguments keep coming up over and over again, and it's very clear that the users making these statements not reading any previous replies so i wasn't going to waste my time going over all the points again and again.

[fweespeech]

> Only way is active activity? Or just the only way you can think of?

https://www.defcon.org/images/defcon-13/dc13-presentations/D...

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10....

> For eliminating type 2 attacks, where a previously intercepted biometric is replayed, Ratha et al. [9] proposed a challenge/response based system. A pseudo-random challenge is presented to the sensor by a secure transaction server. At that time, the sensor acquires the current biometric signal and computes the response corresponding to the challenge (for example, pixel values at locations indicated in the challenge). The acquired signal and the corresponding response are sent to the transaction server where the response is checked against the received signal for consistency. An inconsistency reveals the possibility of the resubmission attack.

Please provide evidence you have a better defense against replay attacks. Then we can go through all the other avenues of attack on biometrics...

> You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.

The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter.

> It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.

How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind?

[therobot24]

> https://www.defcon.org/images/defcon-13/dc13-presentations/D....

Slide 44 has a long list of things other than active movement on the user end. Video liveness tests are effective, but there are more methods available than just activity, contrast to your previous statement.

> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10..... > Please provide evidence you have a better defense against replay attacks. Then we can go through all the other avenues of attack on biometrics...

When did i discredit replay attacks? It seems like you're setting up a straw man. You said the "only way to avoid this requires an active activity, at which case you've just duplicated the password". I refuted saying there's more than one, and you actually found a source that confirms that.

> The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter.

I didn't claim you can't. The paper you linked (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10....) applies a relay attack to a known system.

  "we propose a system that can attack a minutia-based fingerprint matcher"

In this case, the attack algorithm is building an optimization to determine a viable template - using some prior information of what type of template is acceptable (how it's stored, the features being used to build it, etc.) In real life, this type of information is not readily available, and at best, an attacker is going to be just guessing.

> makes me seriously question your claims of authority on the subject matter.

I honestly don't care what you think, but questioning my credentials is your right.

> How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind?

When did i ever state that an additional challenge wasn't needed? You're setting up another straw man instead of actually backing up your claims.

Many of my posts mention biometric key-binding as a good alternative to a pure biometric system. In a large scale operation i would never suggest or imply that a pure biometric is good enough - you should really read the rest of the thread. However, what MS implemented here is probably good for the average user.

[narrator]

The perfect use case for biometrics is identifying people who don't want to be identified specifically because they can't change their "password". For example, prisoners, fugitives, enemy combatants, people trying to use software they are not licensed to use or listen to music they have not properly licensed.

In the future the bottom 64 bits of your ipv6 address will be a unique biometric identifier that all licensed internet devices must collect and send with each and every packet.

[therobot24]

A government grade application does just this - look at the NIST competitions, they focus on verification scenarios (one to one matching) which span over large datasets.

Appending a biometric id to your ipv6 address seems a bit redundant and unnecessary - you don't need to authenticate to the internet...why not encode more hardware or location information?