
I disagree with you in principle, just because the phone is the only avenue that has so far made use of fingerprint biometric data doesn’t mean it won’t be used more in the future. (It seems to be used here for paystubs, so it is possibly getting more reach currently). Looking at it from a tightening of cybersecurity perspective it would make sense if people thought to add it as a second factor.

“The building isn’t on fire currently so there’s no need to move the gas can away from the fireplace” isn’t a compelling argument.




This argument seems especially dated in retrospect. Since Apple introduced Touch ID in 2013, I can't recall even one single case of criminals or law enforcement using biometrics to access someone's iPhone. Same for any other phone manufacturer.

The scary part of that trend is that biometrics should not be replacing passwords. User ID, fine, but fingerprints are something you have, not something you know.

> didn’t we all agree that “biometrical data is a login and not a password”

No? For many years almost every smartphone on the market ships with fingerprint reader or face recognition acting as an alternative to pin-code.


Absolutely. The potential for mass (and covert) gathering of sensitive data via smartphones is astonishing. If an attacker has control of your phone they can now trivially get your voice, face and iris scan to clone. And now your fingerprints.

Smartphone security is not going to get better any time in the next decade.

All of which lends weight to my argument that biometrics as access control is the single most ignorant idea in the history of computing. I am genuinely hard pressed to think of anything dumber.


> The biggest remaining one is still that fingerprint locked information is not protected under the fifth amendment in the US.

Fortunately, that's not a threat vector that is a real concern for most people. If it is for you, then yes -- solely protecting access through biometrics is probably inadequate.


It sounds like a lot of effort to steal and replicate my fingerprint. Conversely I find my fingerprint a lot more usable to unlock than a biometric like a face ID.

I'm willing to trade a little convenience for security, with the caveat it sounds like a good idea to power down electronics when they're out of your sight.


i.e.: Everyone seems to be focusing on whether it's a security risk to use fingerprints for authentication, but there's been very little discussion of the implications of combining a positive biometric auth with reliable location data.

> The truth is though that everyone is using biometrics to log into their device which controls everything from emails, to password managers and 2FA codes. Does it mean if your fingerprint gets compromised that you'll be unable to use the biometric feature of any device for the rest of your life?

No, because the device is only using that to protect local storage and anything which leaves the device is using strong keys which can be rotated. If they don't have the device, the fingerprint doesn't matter. If they do have the device (and are within the timeout period, etc.), it's like any other credential compromise: you get a replacement, rotate passwords, etc. but the replay value is sharply capped because at no point is a network service depending on the component which can't be changed.

(If you have an attacker who gets a scan of your fingerprint/face and keeps stealing phones you need a restraining order; that's reasonably outside of the threat model for consumer devices)

This is also important since there's a subset of users who won't be able to use biometrics for some reason and the decoupled approach avoids making it impossible for them to use.


I've really embraced biometrics now that I understand that they're effective for certain use-cases when properly implemented.

For example, the primary threat model for my mobile device is a combination of shoulder-surfing and theft, because I ride a lot of public transit. So it's way more secure for me to touch the fingerprint sensor rather than constantly peck in my password while I'm being observed. A common criminal or homeless dude who steals/finds my phone won't know my password because I'm not revealing it, and they're unlikely to have access to my finger or its print.

If my threat model were different, say law enforcement/TSA confiscation or something, I might be more worried about walking around with fingerprint auth enabled. So if I head to the airport or enter some other high-risk area, I might consider disabling that, removing the sdcard and/or SIM card temporarily.

Biometrics as a way for my personal device to recognize my physical presence is mature tech, and useful for consumers in ways that passwords aren't.


Plenty of people are saying it should be purely biometric. For example, iPhones. (Though they do it better than the vast majority of implementations!)

You acknowledge that biometrics have some issues they don't solve. Not being easy to steal is one of them. The problem is that you leave your fingerprint all over the place, including all over your phone, there are likely multiple pictures of you publicly available that can be used to construct a model to fool Face ID etc. Most biometrics only provide really minimal security, and the ones that provide anything more don't provide much and are inconvenient.

I use my fingerprint to prevent people casually browsing my phone if I leave it on the table while I pee, but I wouldn't rely on it for more than that, and neither should other people.

You need something else (a key, password or something) to secure most things as well as just your fingerprint.


The problem I see with this isn't having to carry your phone around everywhere - it's the biometric system itself.

Biometric systems are much less usable than passwords. Users often fail them by doing things like putting their fingers in the wrong place on the sensor or by not looking directly into the camera.

I think probably that users will need to be somewhat trained in order for this to work well. Probably the hackers will train themselves too.

Stealing fingerprints from someone at a bar? Not so farfetched.


I admit that I am pretty ignorant to the really technical aspects of security but it seems that using authentication data for anything other than authentication is poor practice. I can understand the desire to use facial stuff to make interesting technology but I would prefer knowing that it is only used for the purpose of unlocking my device and nothing else. It seems fingerprints are less interesting for other apps so there wasn't the same motivation to share it.

Am I being an alarmist or is it reasonable to be concerned about this?


If you are ever expecting to be in a situation where a) you have incriminating evidence on your phone, and b) have reason to believe the police will likely try and get access to it at some unpredictable time in the future, I think you'd just be wise to not use biometrics at all.

I get that all of this is valid in theory, but has there been even one single case of a thief, criminal or law enforcement organization actually using biometric data to unlock a phone?

Obviously past events are no guarantee of future, but still — most advisories like this frankly come across as fearmongering.


You are missing the point - it would be an upgrade, if it wasn't coupled with the proliferation of random apps scanning faces and fingerprints and people randomly giving out their biometrics to anyone. It won't take long before script kiddies will crawl the internet using the latest biometric leak just checking which other services the victims used.

> Even if a third party has my biometric fingerprint details, can I rely on how physical access to my phone is necessary to bypass the fingerprint lock

Two points to make:

First, I don't know about Android, but certainly on iPhone, the fingerprint data is stored in the Secure Enclave and the biometric reader on the phone establishes a secure communications channel (unique session key) with the Secure Enclave. So remote attacks are unfeasible unless you've managed to extract the underlying shared key from the Secure Enclave.[1]

Second, the definition of what is "stored". There are a number of different approaches to storing biometric data, and most if not all "modern" methods will store an algorithmic derivation of some sort rather than actual raw measurement data. Hence if the government is using algorithm A and your phone is using algorithm B, then in all likelihood there is no viable way to transpose between the two.

Third, generally good OPSEC suggests to disable the biometric login to your phone anyway and rely on a password. That way, for example, someone can't just hit you on the head to render you unconscious and hold your finger to the sensor. (They would have to force the password out of you whilst you were conscious, per XKCD[2] ;-)

[1] https://support.apple.com/en-gb/guide/security/sec067eb0c9e/...

[2] https://xkcd.com/538/


My larger point was about all of the data, not biometrics specifically. Great, your fingerprint never left the device. Everything else does, which is probably way more personal data than just a fingerprint. Your fingerprint really does me no good unless I want to try to frame you for a crime, or want to get into your specific device or other thing that requires biometrics (maybe your work). Your data, I can make use of a lot of if I were criminally inclined. Your credit card numbers, your ssn, your investment accounts, your pics for making false IDs, passwords, or any other data that has ever flowed from your device. You'd have to be pretty sophisticated to be able to make use of someone's fingerprints, while basically anyone could use your credit card number. Which is more valuable and larger vector for exploit?

> Some argue that users without biometric authentication will be flagged suspicious and pressured to hand over biometric data

The distinction is about the usage of modern technologies, not handing over biometric data. There will come a time where you will need to use a device with a Secure Enclave or a TPM. That device will keep biometric data on device. You will not hand in the data, you will have to use the feature.
