Why fingerprints make lousy authentication tokens

There are major flaws in the section “Does my iPhone store my fingerprint?”. It assumes you can store fingerprint templates like passwords – salt and hash. It doesn’t work that way. Because biometrics never offer perfect matches, you can’t just hash them – you will never get a bit for bit match, which hashing assumes. There are some systems that try to address this (search “biometric encryption”), but they are not in common usage (if Apple used this, they certainly would be advertising it).

Also, this idea that you can’t reconstruct a biometric from the template has been debunked. Search “biometric hill-climbing attack”. But, it doesn’t really matter – the template contains all the discriminating features needed to recognize someone. Having the original image is nearly irrelevant.

1 Like
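Added example, not part of any post in this thread: the comment above says a salted hash cannot match two readings of the same finger, and points at “biometric encryption” as the workaround. The sketch below shows both, using a toy fuzzy-commitment construction; the 40-bit feature vector, the noise positions and the 5x repetition code are constructed assumptions, not how Touch ID or any product works.

```python
import hashlib
import secrets

REP = 5  # repetition code: each key bit is stored 5 times, so 2 flips per group are corrected

def salted_hash(bits, salt):
    return hashlib.sha256(salt + bytes(bits)).hexdigest()

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    # Majority vote inside each group of REP bits.
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def enroll(template):
    # Bind a random key to the template; store only helper data, salt and H(key).
    key = [secrets.randbits(1) for _ in range(len(template) // REP)]
    salt = secrets.token_bytes(16)
    helper = [c ^ t for c, t in zip(encode(key), template)]
    return helper, salt, salted_hash(key, salt)

def verify(sample, helper, salt, digest):
    # helper XOR sample = codeword XOR noise; decoding strips the noise if it is small.
    key = decode([h ^ s for h, s in zip(helper, sample)])
    return secrets.compare_digest(salted_hash(key, salt), digest)

def flip(bits, positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed 40-bit feature vector standing in for a real template.
ENROLLED = [int(c) for c in "1011001110001011010011100101100011010110"]
NOISY = flip(ENROLLED, {3, 11, 12, 27, 38})   # same finger, 5 bits of sensor noise
IMPOSTOR = flip(ENROLLED, set(range(20)))     # different finger: half the bits disagree

def demo():
    salt = secrets.token_bytes(16)
    plain_match = salted_hash(ENROLLED, salt) == salted_hash(NOISY, salt)
    record = enroll(ENROLLED)
    return plain_match, verify(NOISY, *record), verify(IMPOSTOR, *record)

if __name__ == "__main__":
    print(demo())
```

The plain salted hash rejects the noisy reading of the enrolled finger, while the error-corrected scheme accepts it and still rejects the impostor. The stored helper data is still derived from the biometric, and a repetition code this small is for illustration only.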

There’s no question that Touch ID is meant to be a convenience feature, not a serious security feature. Simply, all biometric systems can fail in a variety of ways, and no serious security system would be based only on a single factor biometric system. As Schneier says, adding a guard with a big gun to prevent messing around is very effective.

Also, this is completely true:

The iPhone does not do this.

Full disclosure: I’m the CEO of Bionym, which makes the Nymi. It’s a 3-factor authentication system, and the idea is to build a chain of trust between the user and a wearable device (the wristband), and then the wristband securely communicates identity (not biometric data) to other devices. The biometric is only utilized to secure a short section of chain of trust.

3 Likes

http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

I’m not particularly worried about this vulnerability (if you’re willing to cut off someone’s fingertip to unlock his phone, you’re probably also willing to torture him into giving up his PIN)…

But maybe the advantage of PINs and keys over fingertips isn’t that the data or car is more secure - just that when it’s not worth it, you can give them up before you are permanently injured, keeping you more secure.

2 Likes

Obligatory xkcd:

6 Likes

Yeah so… Apple has addressed this; they say this is not an optical scanner, does not rely on the top skin layer but rather conductivity of subdermal layers. In other words, they claim that the known vulnerabilities of past fingerprint systems do not apply.

Attack Apple’s claims, argue that they can’t be true, explain how this could be fooled by x or y technique, even just speculate about the as-yet-not-publicly-testable tech that Apple is touting: this could be interesting or useful.

Spread fearmongery bullshit about irrelevant stuff that Apple has claimed does not apply here: not interesting, and not useful.

I’ve seen lots of high-emotion discussion about the TouchID sensor, and almost all of it pretends that Apple hasn’t even attempted to address known vulnerabilities of fingerprint scanner technology. That’s just silly.

4 Likes

“if you’re willing to cut off someone’s fingertip to unlock his phone, you’re probably also willing to torture him into giving up his PIN.”

Sorry, don’t buy that. Torturing a person to extract information can take hours, days. In fact, torture might never produce valuable information. Wasn’t that why we all tried to get Alberto Gonzales executed?

Chopping off a finger though: never fails, takes 30 seconds. And that’s only if there’s a struggle.

Why aren’t alternate passwords more common to dodge coercion? That is, when a cop or a mugger demands that you reveal your PIN, you give him the “safety” PIN which unlocks the phone to innocuous contents (to protect the data,) or the one that unlocks it and silently phones home with its GPS coördinates & video feed and/or unlocks it for a limited time before killing the phone (to devalue the hardware.)

Of course they’ll know this feature exists, but the mugger isn’t going to stick around or kidnap you while he waits to make sure you gave him the real PIN. And if the Man is interested enough to send your phone in to Forensics you’re already in trouble.

Edit: The concerns I’ve heard about the fingerprint sensor aren’t about its efficacy, but the prints being collected and transmitted to the NSA. (I don’t know what they would want with your fingerprints if they already know who and where you are all the time; they’re not dusting crime scenes.)

4 Likes

Second oblig XKCD:

4 Likes

Whoa. There seem to be quite a few people getting worked up about whether this is hackable without ever stopping to consider whether it matters or not. These are not state secrets we’re protecting, and our enemy isn’t a sophisticated intelligence operation. It’s a phone, and the goal is to keep it locked long enough to wipe it.

Everything is hackable, including your pin code. The fingerprint sensor is merely a convenient replacement for your pin code. If you’re protecting state secrets with this feature, you’re doing it wrong.

5 Likes

While we’re at it, can I have a new mother’s maiden name and first school. These ones are compromised.

4 Likes

If you’ve got the guy and the phone secured enough that you could chop off his finger, why not just hold him still and unlock the phone? Save yourself the trouble of cleaning the blood off your clothes and only risk petty theft instead of aggravated assault.

4 Likes

Yep. Yours is the only reply that gets it.

The point is, 50% or so of iPhone users apparently don’t use a pin code at all because it’s too much hassle to keep entering it. Thumbprint ID is quite a lot more secure than nothing, so it’ll increase the overall security of the iPhone population in general quite significantly.

The vast vast majority of thieves don’t want to access your phone anyway, they want to wipe it ASAP to stop you using Find My iPhone on it and to sell it on eBay or locally before the IMEI gets blocked. To that end, I suspect they rarely even notice if it’s got a PIN or not. Quite a bit easier to make money from selling a high end device than there is from rifling through your emails and trying to recover a PayPal password or similar.

Activation Lock supposedly solves this second issue so maybe that will change but hopefully both together will just make iPhones less attractive to thieves overall.

5 Likes

Let’s just consider the scenarios a minute…

Pin scenarios: A mugger takes your phone, then with a knife demands to know the pin. Once revealed, runs away with the goods.

Fingerprint scenario: (i) A mugger takes your phone, then hands it back to you to unlock so that it’s possible to change the fingerprint. The mugger then stands there whilst programming the fingerprint reader to respond to a new fingerprint (because it probably requires the original fingerprint as confirmation). Once done, runs away with the goods.
or
(ii) A mugger takes your phone. Using the same knife chops off the end of your index finger, then runs away with both.

Do people seriously think that digit amputation is not going to happen?

True. Smartphone theft and resale is a huge, huge business now and there need to be better preventative measures built into the hardware itself.

Nearly half of all robberies in San Francisco last year involved smartphones, according to police. source

What’s activation lock?

The Activation Lock ties an iPhone to the Apple ID the user links it to during setup. As long as the Apple ID is linked to the iPhone and Find My iPhone is turned on, no one else can reset the iPhone, even if they plug it into a computer.

On iOS 6, users could plug a locked iPhone into iTunes and reset the device to factory settings. With iOS 7, Activation Lock will show the message above instead of resetting an iPhone.

If the phone is locked or will not reset and the seller tells you that you should take it home and restore, say no thanks and get out of there as it could be a stolen iPhone at worst and an iPhone you can’t use at best.

2 Likes

Yes, for a very simple reason:

a) It’s not that easy to amputate a finger with a knife. Buy yourself a chicken leg, hold it in your left hand and try amputating with a knife in your right hand.

b) It’s not necessary. The PIN is still there. It has to be still there, as a fallback, because hurting your fingers can render the touch id mechanism ineffective. So any thief is better off with forcing you to disclose your PIN. If he’s smart, he’ll have you touch it in yourself while he records this with Google Glass.

c) Armed robbery gets a higher penalty than armed robbery, does it not?

Of course, you could do the same with a touch id system. (Theoretically, as this is not implemented by Apple.)

Just declare one finger as a dead man’s finger and have the system wipe itself when that one is used. Or have the system recognize that the finger lingers longer than usual and react on that.

Only when there are high stakes and trained or fanatical victims are involved. Even then torturers can and will extract such information.

In this case, the information would be easily verifiable and the torture can stop.

Torture fails when the information is not verifiable and/or the torturers do not really know if they have the right person at all.

Torture does work. That’s one of the reasons for “Need to know”.

1 Like

Good point on still having the pin option.

You do however seem to be giving the mugger a remarkable amount of intelligence. I’d be just as worried about a mugger trying to amputate my finger as succeeding.

I suspect that chopping someone’s finger off will merit a longer stint in gaol than simply threatening the victim, however, I again question just how rational muggers are to begin with.

I think most muggers are rational enough to see that the choice “Give me your stuff or suffer bodily harm” and “Let me amputate your finger or suffer bodily harm” are vastly different and will provoke different outcomes.