Rubber fingertips to use with fingerprint-based authentication systems




It sounded like a good idea, but thieves got mine, and now I have to wear a fake finger over my fake finger over my real finger.


This is why I use a finger joint instead of a fingertip. The ridges on a bent joint are read like a fingerprint and seem to be unique enough that only the one joint on my hand can open my phone, and other people attempting to open my phone have failed.

I don’t leave joint prints all over the place (anywhere that I’ve been able to determine). Doesn’t do much for police being able to compel fingerprints; I assume they can also compel joint prints, but it’s good enough for my needs.


Only if they know you’re using them, which they didn’t until just now…



That’s why I use a password or a house key.


I’m of two minds on this:

It’s always good to see somebody doing something that reminds us that Biometrics. Are. Not. Authentication. Dumbass. But it’s depressing because there are enough systems, products, organizations, etc. that completely ignore this that fake-biometric prosthetics are something you could plausibly bring to market for use as a safer alternative in a world that’s decided to move from pretending that your SSN is a super-secret-password and also mandatory everywhere to thinking that about your fingerprints.

Biometrics are good for identification, largely because it’s damned difficult to avoid slipping up at least sometimes and spilling bits of real you into the environment; but they are bad for authentication for the same reason: you leak them constantly and most single-test sensors can be faked without much difficulty (it’d be crazy difficult to go full GATTACA and falsify your biometric signature across a substantial stretch of time and multiple tests conducted at the adversary’s convenience; but it’s quite easy to slip a faked fingerprint onto a fingerprint reader for a one-time quick test that you get to prep ahead for).

It’s especially depressing because we already have good authentication mechanisms if you are willing to require carrying something around with you. Cryptographic certificates stored in a physical token (e.g. CAC/PIV smartcards, Yubikey USB dongles, that sort of thing) are similarly easy to switch as desired, pretty inexpensive to implement, and the cert never leaves the chip unless someone physically attacks it, so they don’t leak the way fingerprints do.


But what happens after you smoke the joint?


This sounds great until I lose my wallet / fingertips fall out of pocket / get robbed / etc.

Still better than registering my one and only fingerprints with big brother, though I suppose I did that when going through airport security…


So, the solution is to create a physical object that can be lost or taken from you? Kind of like having your password written down on a piece of paper. The stupidity of this is mind boggling.

You might find my fingerprints (but not at a Staryucks), but my phone is going to lock down long before you figure out which finger or thumb is required, and in what orientation.


This invention only makes sense if you’re convinced fingerprints are a bad key, and if the corporate world thinks fingerprints are a dynamite key. Both of those are pretty likely, so thank you RISD. We owe you one for the Talking Heads, and now, another one for rubber fingers.


This is why we need to have systems in place where we can have a fail-safe finger that if used, it deletes everything. And a system hardened enough that it is impossible (improbable?) that any tampering would destroy the key that is associated with the biometric reader.

I only have a few things that I need secured to the point that I wouldn’t trust my fingerprint. It is NEARLY good enough for me. However, I’d like the idea that doing this would be Russian roulette in case I was coerced. Granted, if it is my phone or my life…I’m giving the correct finger. If it is the gov’t? I’d give the fail-safe every damn time.


Yes, actually, that is the point. If the only form of authentication offered is a fingerprint, then this lets you still use a physical key that you can keep secure, unlike your fingerprints. Many government agencies have your fingerprint on file, especially in China. Add that this is not an expected tool (yet), it does make it harder for someone to hack your device — they will waste their time with your actual fingerprints that they have on record, that you left behind overall, and so on.


The one additional nuisance with fingerprints (though less common than it used to be, at least among developed-world desk jockeys) is that fingerprints can be lost or altered beyond recognition unintentionally.

Losing the finger is an obvious but extreme case; scars, burns, abrasion, etc. can be a problem in less dramatic ways. And, unlike in criminal forensics, where the authorities are likely to err on the side of thoroughness and willingness to assume that suspect fingerprints are you, good luck getting random apathetic service providers to burn customer service rep time on your sad story of how you burned your fingerprinting finger and it didn’t heal back quite right.


Physical authentication tokens, while a nuisance, aren’t a bad idea in general: even a password written on a piece of paper can be more complex and less reused than a password you have to remember (terrible idea for shared work environments, schools, etc. obviously); and more sophisticated hardware tokens can use challenge-response techniques so that the ‘password’ never actually leaves the hardware (barring physical attack), which makes surreptitious cloning pretty tricky.

Physical tokens in the form of fake fingerprints are deeply perverse, and not very good physical tokens; but it’s a sad truth that the world has way more fingerprint readers than it does smartcard slots, non-crippled RFID transceivers, etc.
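The contrast drawn in the comment above, as an added example that is not part of the thread: a fingerprint behaves like a static credential that can be replayed once captured, while a challenge-response token never exposes its secret and a consumed challenge cannot be replayed. The `Token`/`Verifier` classes and the template bytes are constructed stand-ins, not any real product’s protocol.

```python
import hmac
import hashlib
import os


def static_verify(stored: bytes, presented: bytes) -> bool:
    """A biometric template compared as a static value: whoever captures
    the presented value once (off a glass, off the wire) can present it again."""
    return hmac.compare_digest(stored, presented)


class Token:
    """Stand-in for a hardware token: the secret stays inside the object,
    only HMAC responses to challenges ever leave it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: shares the secret, issues fresh random challenges and
    accepts each one at most once, so a captured response is useless later."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown, expired or already consumed challenge
        self._outstanding.discard(challenge)  # one-time use
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    template = b"constructed-fingerprint-template"  # constructed sample value
    static_replay = static_verify(template, template)  # lifted print: accepted

    secret = os.urandom(32)
    token, verifier = Token(secret), Verifier(secret)
    chal = verifier.challenge()
    resp = token.respond(chal)
    genuine = verifier.verify(chal, resp)  # first use: accepted
    replay = verifier.verify(chal, resp)   # same captured pair again: rejected
    return static_replay, genuine, replay
```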


Want to authenticate with something that you can’t lose or that can’t be easily stolen? Implant a chip under your skin. One that uses outside induction power source (like wireless cellphone charging) and does a simple, secure crypto exchange using the key that is flashed into its internal memory before it was inserted into you. Keep it covered with an RF shield when not authenticating, to ensure that no one interacts with it without your consent.

If anything happens, you can extract it and reflash. Or buy a new chip and reflash.


Formally authentication gets broken down into 3 categories. These are commonly described as:

  • Something you have (token)
  • Something you know (password)
  • Something you are (fingerprint)

This just moves the identifier from one category to another. All of them have drawbacks. (Something you have can be lost, something you know can be forgotten, something you are can’t be changed, though this is a clever workaround for that case.) Best to use 2 from different categories.


As I previously mentioned, to break into my phone, you would need my fingerprint (something I am), and the correct finger and orientation (something I know). After just a few tries, it reverts to requiring a password. Too many invalid password attempts and it wipes all personal data and does a factory reset.


Great that works for you. I was pointing out how the idea of creating a token to replace the physical identifier wasn’t necessarily “dumb”, as you put it.


Yes they can be. Which is why bioauthentication is a shortcut to decryption on most devices and not the sole means of getting into them. In fact, I can’t think of a single machine that DOESN’T allow a password to be used as a default when you’ve used your finger – I know on my phone, if it has been rebooted you have to use the passphrase. Same with a lot of other activities upon first use on rebooting – for instance purchases require a password – even if you authenticated in another fashion – at least the first attempt.


It can be lost or stolen. Does the company that manufactures these keep the patterns on file? Can they be hacked? How do we know they’re unique, other than taking their word for it? (When I was a kid, we had Chevy and a Buick made 8 years apart, and the ignition keys were interchangeable.)