- Biometrics are public, unlike passwords. Biometric data can usually be gathered from a person, often discreetly, by cameras or whatever other sensors are used for authentication, and replayed with sufficient effort to fool the same sensors.
- Biometrics are not revokable, unlike passwords. If you give your biometric data to someone and they mishandle it, it's compromised for life.
- Biometrics cannot be uniquified for different authenticators, which is like using the same password for every service-- terribly insecure.
- Biometrics pose secondary privacy concerns, because they inherently destroy anonymity.
Because in most people’s threat models, it’s still a win.
Biometrics do three things:
- It greatly reduces the friction of “showing” who you are.
- It moves the mechanism into an “off-main-CPU” chip, while the main CPU just sees limited APIs, and strong crypto which can be rekeyed. You can’t rekey your bio-signature, but this architecture is better in a number of ways.
- It creates a non-digital interaction as part of the auth flow.
I personally subscribe to somewhere between “not a wrench” and “not Mossad” security: most things I’ll tell anyone who will hit me with a $20 wrench, and I’m definitely not in the business of trying to stop Mossad reading my papers.
From that perspective, my security doesn’t need to be better than biometric on almost anything, because that’s good enough to make a wrench (or a warrant) a cheaper option — so I don’t care there are exotic attacks like copying my vein pattern, printing a fake hand, and touching things.
It also stops my main concern from the government: warrantless mass-surveillance. There’s a scaling limit on using fake vein prints to break into things. And the non-digital step forces an actual interaction.
Frequent, low-friction requests also allows for minimizing credential caching and for non-digital requests for confirmation before proceeding. This helps a lot against malware and escalation attacks.
Note: every power cycle and few days, as well as “major” actions, I have to use an actual password — I mind this less precisely because I don’t have to use it as often. So the biometrics are also only a low credential auth when the device is already authenticated through a better mechanism. Is this perfect? No. But again, it’s a numbers game.
So in most people’s usage, biometrics are a huge solution to a tricky set of trade offs, while even in the really secure setting that you’re worried about fake hands, it remains a useful part of multi-factor because fake hands are complicated to make and deploy.
> It creates a non-digital interaction as part of the auth flow.
Well, that's not correct. You may have an analogical sensor somewhere to collect the data, but all the data, communication and storage is still digital. You can always bypass the data collection.
You would have to physically interact with the device to change how the circuit operated, or else the only way for the CPU to access the cryptographic data is by allowing a different specialized circuit to unlock a value based on analog input.
You can’t meaningfully “bypass” that digitally, unless you already know the secret. So if the auth flow depends on that secret, it can’t bypass the analog sensor feeding in the values to unlock it.
The bypasses we see are where you can, eg, attach a debug cable to feed in values without going through the sensor (which is a non-digital interaction). Or bugs in correctly implementing the logic, eg, the crypto chip accidentally exposes information.
It’s much the same protection a yubikey left in the side of your laptop provides: someone physically at the device pushed a button, with a cryptographic witness that’s hard to fake.
>Biometric data can usually be gathered from a person, often discreetly
Not only that, but merely authenticating a user into the system will always produce a full duplicate of their secret.
So unless all terminals have the same clearance level, any compromised terminal allows for escalation. Since the number of biometric markers is limited, you are bound to have overlap, hence this ridiculous race towards more exotic and extreme biometrics like "vein auth".
Not all, but some do. It is actually every shade of grey with respect to what you try to secure. If it is you cat pictures you probably are fine with just a fingerprint scanner on your phone.
Want to secure your passwords and accounts, I would at minimum amend that with a proper passphrase or at least a N-digit pin (with N bigger if needed). And also get a proper scanner as most cheap things are notoriously bad.
Though it also depends on the attack vector as most biometric 'abuse' is done by people around you and not strangers. In which again; a passphrase is a simple solution.
Because of the convenience, and because Apple and Google have managed to convince users that it is safe enough for them.
Most people only encounter biometrics on their smartphone, where it prevents unwanted access by others, and acts as a master-password. Most people feel that they are never going to be the target of anyone capable of bypassing the biometric security of their device, and are more then happy to make their fingerprint or face the key to their castle.
They also don't really have any alternative. Entering passwords is a chore on those devices, and the PIN or swipe pattern is way too easy to observe by a would-be adversary (which often includes family members or others near to the owner who want to explore (saucy) photos taken and texts sent).
About the SWIPE pattern: on Android 8.1 I can completely hide it.
You don't see the dots, you don't see the drawn lines, you don't the pattern in case of error. The only thing that I still cannot hide is the vibration when I hit a dot.
I also specifically chosen a pattern that goes through the same dot two or more times, to confuse even more a potential observer. I tested it with friends: I let them observe when I unlock my device, and ask them to try and unlock it. Not one has managed to unlock it.
Because like with almost anything else this is a question trade-offs? Yes, by your measures it is less secure but it is also more convenient. People are ok with trading (the risk of losing) security, and, privacy for convenience.
Such kind of biometric authentication sometimes/often is used in combination with something else - a pin, password etc. You then get authenticated by something that matches your body and a secret.
Because sufficiently advanced Biometrics is a free "in" to your health data.
I'm really curious how many health implications can be guesstimated accurately from Apple's FaceID. There's already milliwave heartbeat detectors being researched to detect people around corners and their health statuses.
While biometric authentication is overall less secure and can be circumvented, I still think there are situations where it's preferable to the alternatives, in particular on smartphones:
All Android versions I used don't support setting an encryption passphrase that's separate from the unlock pin/password. As a result one has to choose between a very long unlock password one has to enter all the time or a convenient short one making encryption basically useless. Given this trade-off, I think using a proper, long passphrase for encryption with a fingerprint for normal unlocks is preferable to the alternatives. It's particularly irritating that this restriction is not at all technical; the only justifications I've read were along the lines of "it might confuse users".
Less importantly, for my phone, a shoulder-surfing attack seems much more likely to me than someone specifically copying my fingerprint.
That's true, though at this point against a sophisticated attacker, it might be game over anyway, since they could read out the encryption key from RAM directly if it's still turned on. If the device is off, the fingerprints won't help and the data is protected by the long passphrase.
Of course all this assumes a particular attacker model and for a lazy attacker that doesn't know how to use the fingerprints to fool the sensor, everything is fine.
Another downside is being possibly forced to unlock my phone at airports, since as far as I'm aware, passwords are protected by the fifth amendment whereas fingerprints are not. In this case it might be smarter to turn off one's phone entirely when crossing borders into countries where one can be compelled in this way. This doesn't even go into all the other kinds of pressure they might apply to make me unlock my phone anyway though, so there's not much protection here aside from leaving my good phone at home.
My thinking has always been that unsupervised biometrics are just a weird form of "something you know." Only when you put a human there to make sure there is no funny business during data entry doors it become "something you are."
Once again proving that biometric authentication is not a replacement for public/private key cryptography. Biometrics are in fact worse than just passwords, because you can't change the authenticating credential.
Really cool demonstration but I don't think it should really surprise anyone. You couldn't really fool a human checking fingerprints because a human has the ability to validate that they're checking the finger of an actual human.
So forget all the fancy ways of encoding our biology into unique patterns. Unless the system can detect that it's reading the arm of an actual human being we're always going to be vulnerable to this kind of attack.
> Unless the system can detect that it's reading the arm of an actual human being
I think that’s the point of biometrics, and what they were attempting to do: make the input sufficiently complicated that it can only, practically, exist in an actual human. I think they came close enough that adding a couple additional sensors (face, eye, subdermal like Touch ID, etc) would make it not worth anyone’s time, which is probably good enough.
Using a human to perform the reading just acts to add another layer of required complexity, in the form of passing an initial Turing test, along with some squishy kinematics.
That's the major appeal of biometrics, the user is considered an attacker, either by knowingly transmitting his credentials or getting dupped into it.
Biometrics restore the illusion of control to the designer, they now have the luxury of no longer caring about user behaviour, it is just a body moving through the system. Except biometrics doesn't work.
I believe only in behavioural "biometrics" which combines knowledge and inference together with zero knowledge proof to locally authenticate users on their personal and probably secure devices. Any other attempts in using biometrics are futile.
Is there a fake/robotic hand I can buy to swipe right on every profile on Tinder and okCupid?
This way I dont do any work nor know those i swiped right on didnt swipe back. I only learn of all those who swiped right then I filter through and start conversations.
This is way off topic, but I don't see how this could possibly help you.
Even if only 1/100 women will swipe-like you, Tinder and OkCupid bubble those women to the top of your swipe session. You don't need to dig through 100 women to find them.
It also works against you to have dozens or hundreds of stale matches accumulated. By the time you get around to sending messages, the women likely don't even remember you, or maybe aren't feeling you as much because it's 9:30am on Monday instead of 9:30pm on Friday.
What I recommend is to treat Tinder as a queue where you only want 3-5 conversations realized at a time, and you only want to realize the next enqueued woman when you are ready to plan a face-to-face meetup. For example, if you only go out on Friday and Saturday, it'd be best to match them on Weds-Sat rather than Monday so you can strike while the iron is hot.
When a woman declines your attempt to stoke a stale fire or your 2nd attempt at scheduling a date, then she falls out of the realized group.
I'm 30 and have been a voracious Tinder user since I was 24, and I think this is the ideal angle of approach. Sitting on matches tickles the ego but cools off the striking iron.
- Biometrics are public, unlike passwords. Biometric data can usually be gathered from a person, often discreetly, by cameras or whatever other sensors are used for authentication, and replayed with sufficient effort to fool the same sensors.
- Biometrics are not revokable, unlike passwords. If you give your biometric data to someone and they mishandle it, it's compromised for life.
- Biometrics cannot be uniquified for different authenticators, which is like using the same password for every service-- terribly insecure.
- Biometrics pose secondary privacy concerns, because they inherently destroy anonymity.
Why is this still a thing?