Why fingerprints make lousy authentication tokens

This, of course is old news - over 100 years in fact. I won’t post a bigger spoiler than, you can read the story. The Red Thumb Mark at Project Gutenberg

1 Like

We at NO2ID successfully lifted the then-Home Secretary’s fingerprints from a glass she was using to demonstrate precisely this weakness.

1 Like

Alternate PINs have been touted for ages, and as an ex-fraud analyst I’ve dealt with a lot of people who complain about why they don’t exist for debit and credit cards. The short story is that the vast majority of humans are fucking awful under pressure unless they are trained for the specific situation they are in. If someone has a knife on you and is demanding your PIN, the chance you will even remember that your phone is equipped with this technology is minute. This isn’t something you think about every day, probably not even every year. And considering the most common proposed duress PIN is your real PIN reversed, this adds another level of complexity. So you have to:

a) Remember that you have a duress PIN.
b) Recite your PIN, backwards.
c) Do so in a realistic, natural-enough manner to successfully fool the person mugging you (who probably has a lot more experience mugging than you do).

1 Like

If you have to go through bone, a knife is really not the optimal choice. For bigger bones, a pair of bolt cutters or a hacksaw are nice. For smaller ones, a good pair of pruning shears, or a battery powered rotary tool with cutting disk, are really what you want.

1 Like

Yes, so the thief now has either have to have three hands for all that hardware or a partner in crime. Because he’ll need a „real“ weapon to subdue the victim so he can amputate. Easier to simply shoot the victim beforehand.

Yes, but this is Cory we’re talking about. Any chance to slag Apple, even with poorly-researched and incomplete data, and he’s all over it.

2 Likes

Did you? The article doesn’t claim success.

Also, what weakness? When the CCC pulled that stunt earlier in 2008, it was mostly about the claim that a fingerprint was as public as showing your face.

If a biometric system can be fooled by a picture, it’s not high grade. If a biometric system can assert that what it measures is alive its perfectly reasonable to use it.

Ah, but someone who uses a knife to extort that information from me is very likely a mugger. He can have that phone for all I care. He just wants to sell it. It’s a smart idea to wipe it remotely, of course, and him accessing family pictures and having access to email leaves a bad feeling, but again: He just wants to sell the hardware.

A policeman, otoh, might want to harrass you, delete conversations, videos, etc you made during a demo or when you watched an arrest. They can get nasty, but in most Western jurisdictions you are pretty safe from torture and subjected to less stress, if you know your rights.

If you are somewhere where the police can and will torture you, you shouldn’t do anything that relies on having time to lock and wipe a device. Have nothing incriminating on the phone, don’t store passwords, stream everything you record and delete it locally right away and so on.

2 Likes

Fine over-analysis of this non-issue by the crew here. Good work everyone.

Meanwhile, petty opportunistic thieves lives are a little less profitable today because Apple.

I’m more concerned that my fingerprints are being stored on a device that I don’t trust to keep such data secure. Also, that device is connected to the internet. If my fingerprints are lifted from that database and used elsewhere, I can’t just change my password. I’m stuck.

1 Like

And that is what I feel is a good point: the security of the phone is augmented by the fact that it is a physical thing you keep on you, so you can have other ways to secure it from abuse. The fingerprint can be considered a fast, low-security thing like the PIN to keep your friends from looking through your mail and messages whilst you are off to the loo.

I think Apple has made the right choice in making it only usable for unlocking the device and never transmitting it. I don’t think it should be used to authenticate the online accounts, but perhaps to allow the device to authenticate that it is allowed to send the stored password. The fingerprint scanner is in this case just a sudo command shortcut, you could say.

http://www.politics.co.uk/news/2008/11/07/no2id-steal-home-secretary-s-fingerprint

There we go. That’s what I was looking for. Apologies for the multiple links.

Oh, I’m wholly uninterested in the question as a practical attack(though, if you really need a ‘third hand’ you could try kicking the subject a few times, that tends to make people much more malleable), just wanted to note that there’s a reason why amputating a chicken leg with just a knife isn’t going to work very well.

Well, to be fair, so’s a dude with a gun outside any door. Perfect example of security tradeoffs, that. It is possible to make anywhere quite secure, but it will cost tens of thousands at least per security device (dude with gun) per annum.
Of course you need a source of reliable henchmen, but that’s logistics. I’m your consultant, not your service provider…

Does this mean there’s not gonna be 3d printed cannibal snacks? I am disappoint.

1 Like

Obviously a better biometric security scan would be a digital colonoscopy…however I feel the TSA would have access to too many peoples information at that point… Such a double edge sword.

2 Likes

Look, I love Cory, but he needs to quit spreading FUD about this.

3 Likes

To reiterate the more intelligent comments here, the Touch ID is about a quick, fast way to do a simple, not super secure authentication. It’s analogous to having a TV remote. You can get up and change the channel by hand. When’s the last time you did that? Putting in security of any kind is vs. none is a big jump. My company agonizes about using passwords vs. PINs on a mobile device, and if Apple releases an API to get to the Touch ID at some point, it will definitely go in the mix of authentication techniques.

You need to stop watching so much TV. If someone so much as raises a credible fist to 99.999999% of the population, that PIN will be forthcoming.

2 Likes

It sounds like you’re still describing a biometric door lock with a trusted path - visual face recognition. If the guard recognizes your face as one of those allowed access, they let you in.

But that doesn’t scale well. If the population that has to be allowed or denied access is large, the access rules complex (these people can get in at certain times of day; these ones only if they’re accompanied by one of these other people; these ones only if they have a work order…), and both are subject to fairly frequent changes, then the guard doesn’t stand a chance of keeping up.

If instead of a biometric door lock, there was a plain pin and tumbler lock, and the guard is just there to stop people from pulling out lockpicks, the security is much reduced, for example - if an attcker can get hold of a key for half an hour, they can run down to a key cutting place. Then when they arrive at the door, they just pull out their keyring, and the guard has no way of knowing whether they should or should not have that key.

1 Like