Why fingerprints make lousy authentication tokens

Obligatory xkcd:


Yeah so… Apple has addressed this; they say this is not an optical scanner, does not rely on the top skin layer but rather conductivity of subdermal layers. In other words, they claim that the known vulnerabilities of past fingerprint systems do not apply.

Attack Apple’s claims, argue that they can’t be true, explain how this could be fooled by x or y technique, even just speculate about the as-yet-not-publicly-testable tech that Apple is touting: this could be interesting or useful.

Spread fearmongery bullshit about irrelevant stuff that Apple has claimed does not apply here: not interesting, and not useful.

I’ve seen lots of high-emotion discussion about the TouchID sensor, and almost all of it pretends that Apple hasn’t even attempted to address known vulnerabilities of fingerprint scanner technology. That’s just silly.


“if you’re willing to cut off someone’s fingertip to unlock his phone, you’re probably also willing to torture him into giving up his PIN.”

Sorry, don’t buy that. Torturing a person to extract information can take hours, days. In fact, torture might never produce valuable information. Wasn’t that why we all tried to get Alberto Gonzales executed?

Chopping off a finger though: never fails, takes 30 seconds. And that’s only if there’s a struggle.

Why aren’t alternate passwords more common to dodge coercion? That is, when a cop or a mugger demands that you reveal your PIN, you give him the “safety” PIN which unlocks the phone to innocuous contents (to protect the data,) or the one that unlocks it and silently phones home with its GPS coördinates & video feed and/or unlocks it for a limited time before killing the phone (to devalue the hardware.)

Of course they’ll know this feature exists, but the mugger isn’t going to stick around or kidnap you while he waits to make sure you gave him the real PIN. And if the Man is interested enough to send your phone in to Forensics you’re already in trouble.

Edit: The concerns I’ve heard about the fingerprint sensor aren’t about its efficacy, but the prints being collected and transmitted to the NSA. (I don’t know what they would want with your fingerprints if they already know who and where you are all the time; they’re not dusting crime scenes.)


Second oblig XKCD:


Whoa. There seems to be quite a few people getting worked up about whether this is hackable without ever stopping to consider whether it matters or not. These are not state secrets we’re protecting, and our enemy isn’t a sophisticated intelligence operation. It’s a phone, and the goal is to keep it locked long enough to wipe it.

Everything is hackable, including your pin code. The fingerprint sensor is merely a convenient replacement for your pin code. If you’re protecting state secrets with this feature, you’re doing it wrong.


While we’re at it, can I have a new mother’s maiden name and first school. These ones are compromised.


If you’ve got the guy and the phone secured enough that you could chop off his finger, why not just hold him still and unlock the phone? Save yourself the trouble of cleaning the blood off your clothes and only risk petty theft instead of aggravated assault.


Yep. Yours is the only reply that gets it.

The point is, 50% or so of iPhone users apparently don’t use a pin code at all because it’s too much hassle to keep entering it. Thumbprint ID is quite a lot more secure than nothing, so it’ll increase the overall security of the iPhone population in general quite significantly.

The vast vast majority of thieves don’t want to access your phone anyway, they want to wipe it ASAP to stop you using Find My iPhone on it and to sell it on eBay or locally before the IMEI gets blocked. To that end, I suspect they rarely even notice if it’s got a PIN or not. Quite a bit easier to make money from selling a high end device than there is from rifling through your emails and trying to recover a paypal password or similar.

Activation Lock supposedly solves this second issue so maybe that will change but hopefully both together will just make iPhones less attractive to thieves overall.


Let’s just consider the scenarios a minute…

Pin scenarios: A mugger takes your phone, then with a knife demands to know the pin. Once revealed, runs away with the goods.

Fingerprint scenario: (i) A mugger takes your phone, then hands it back to you to unlock so that it’s possible to change the fingerprint. The mugger then stands there whilst programming the fingerprint reader to respond to a new fingerprint (because it probably requires the original fingerprint as confirmation). Once done, runs away with the goods.
(ii) A mugger takes your phone. Using the same knife chops off the end of your index finger, then runs away with both.

Do people seriously think that digit amputation is not going to happen?

True. Smartphone theft and resale is a huge, huge business now and there need to be better preventative measures built into the hardware itself.

Nearly half of all robberies in San Francisco last year involved smartphones, according to police. source

What’s activation lock?

The Activation Lock ties an iPhone to the Apple ID the user links it to during setup. As long as the Apple ID is linked to the iPhone and Find My iPhone is turned on, no one else can reset the iPhone, even if they plug it into a computer.

On iOS 6, users could plug a locked iPhone into iTunes and reset the device to factory settings. With iOS 7, Activation Lock will show the message above instead of resetting an iPhone.

If the phone is locked or will not reset and the seller tells you that you should take it home and restore, say no thanks and get out of there as it could be a stolen iPhone at worst and an iPhone you can’t use at best.


Yes, for very simple reason:

a) It’s not that easy to amputate a finger with a knife Buy yourself a chicken leg, hold it in your left hand and try amputating with a knife in your right hand.

b) It’s not necessary. The PIN is still there. It has to be still there, as a fallback, because hurting your fingers can render the touch id mechanism ineffective. So any thief is better off with forcing you to disclose your PIN. If he’s smart, he’ll have you touch it in yourself while he records this with Google Glas.

c) Armed robbery gets a higher penalty than armed robbery, does it not?

Of course, you could do the same with a touch id system. (Theoretically, as this is not implemented by Apple.)

Just declare one finger as a dead man’s finger and have the system wipe itself when that one is used. Or have the system recognize that the finger lingers longer than usual and react on that.

Only when there are high stakes and trained or fanatical victims are involved. Even then torturers can and will extract such information.

In this case, the information would be easily verifiable and the torture can stop.

Torture fails when the information is not verifiable and/or the torturers do not really know if they have the right person at all.

Torture does work. That’s one of the reasons for „Need to know“.

1 Like

Good point on still having the pin option.

You do however seem to be giving the mugger a remarkable amount of intelligence. I’d be just as worried about a mugger trying to amputate my finger as succeeding.

I suspect that chopping someone’s finger off will merit a longer stint in gaol than simply threatening the victim, however, I again question just how rational muggers are to begin with.

I think most muggers are rational enough to see that the choice “Give me you stuff or suffer bodily harm“ and “Let me amputate your finger or suffer bodliy harm“ are vastly different and will provoke different outcomes.

This, of course is old news - over 100 years in fact. I won’t post a bigger spoiler than, you can read the story. The Red Thumb Mark at Project Gutenberg

1 Like

We at NO2ID successfully lifted the then-Home Secretary’s fingerprints from a glass she was using to demonstrate precisely this weakness.

1 Like

Alternate PINs have been touted for ages, and as an ex-fraud analyst I’ve dealt with a lot of people who complain about why they don’t exist for debit and credit cards. The short story is that the vast majority of humans are fucking awful under pressure unless they are trained for the specific situation they are in. If someone has a knife on you and is demanding your PIN, the chance you will even remember that your phone is equipped with this technology is minute. This isn’t something you think about every day, probably not even every year. And considering the most common proposed duress PIN is your real PIN reversed, this adds another level of complexity. So you have to:

a) Remember that you have a duress PIN.
b) Recite your PIN, backwards.
c) Do so in a realistic, natural-enough manner to successfully fool the person mugging you (who probably has a lot more experience mugging than you do).

1 Like

If you have to go through bone, a knife is really not the optimal choice. For bigger bones, a pair of bolt cutters or a hacksaw are nice. For smaller ones, a good pair of pruning shears, or a battery powered rotary tool with cutting disk, are really what you want.

1 Like