
Hey, I keep seeing people claim biometrics somehow fix the password problem, but I feel like this is just a password you can't change? I can't change my fingerprints nor my retina, but if that data ever gets leaked, then that's vulnerable forever?

In my mind, there's no world where one could make a biometric scanner that couldn't be spoofed (presumably with an arduino USB interface) and then when all these corporations with the worst security (Facebook, Experian, etc) leak my data, can't anyone log into my account?




I can't remember who to credit for this quote, "fingerprints are usernames, not passwords."


Zing! That's excellent.


My country has my fingerprints because I have an id document like everybody else.

A number of states around the world have my fingerprints too because I entered those countries as a tourist and I had to put at least one finger on a reader.

Maybe some countries, including mine, also have my retina scan; I had to look into some cameras sometimes.

All that biometric information could be leaked, sold by corrupt civil servants or exchanged with other countries, so random passwords generated by a password manager protect me more than biometric information. Am I wrong?

Of course some site could store and share with whoever they want my cleartext password before hashing it but I use one different password per site.


> All that biometric information could be leaked, sold by corrupt civil servants or exchanged with other countries, so random passwords generated by a password manager protect me more than biometric information. Am I wrong?

I know of zero biometric implementations where your biometric data is uploaded to the server for verification. All the biometric implementations I've seen (Windows Hello, iCloud passkey) perform biometric checking on device and send cryptograms to the server, which would be as secure as random passwords.


The point is that the raw unencrypted "secret" - your actual fingerprint or retina print - is directly collected for various purposes by various agencies, which can easily leak it.

However, even worse than that, your fingerprint in particular is something you leave literally everywhere you go. There was even a demonstration of someone copying Gerhard Schroeder's (German PM) fingerprint from a still photo of him from a bottle he had touched, and then creating a mold which fooled a sensor they had access to.


I think user pmontra meant that biometrics recorded by authorities could leak then be used to log in as you in your devices/services.


>then be used to log in as you in your devices/services.

That requires you to get physical access to the device, which puts the attack in an entirely different realm than just "password cracking".


I'm sure that there are plenty of nasty scenarios.

This is one.

1. The attackers create my.name@somedomain.com / my.name.12345@gmail.com and/or use a throwaway phone number (especially if the email provider uses some 2FA linked to a phone.)

2. They register an account on a web service using that email or install an app on that phone, maybe a virtualized one. Upload a picture of me as icon or fake one.

3. Use my fingerprints on their phone to get through any possible biometric 2FA.

4. They are me.

If they find a way to automate all those steps or make the labor costs small they can register a lot of bots that are real people, because 2FA says so. It's up to their imagination to find a way to profit from that.


It's a solved problem in a minor Baltic state.

We have an ID card, which contains client authentication certificates. The procedure for acquiring an ID card is the same as for a passport and it carries the same legal power. You have to show up in real life and they take your fingerprints and photo and issue you an ID card. ID cards will actually be mandatory for everyone beginning 2023-01-01 - up until now they are optional but very much favored around my circle. There is a fair amount of stuff you can only do with an ID card (remotely):

- Set up smart-id for 2FA for the banking app in your smartphone. No, I don't have the option not to use 2FA.

- Official communication with .gov entities.

- Signature & timestamp service

- Remote notary services (requires video presence and showing ID card additionally to actually using it to put digital signature)

- Logging in to various sites (banking, government entities)

- Recovering from lost second factor at national TLD DNS registry.

This is the ultimate authentication mechanism that services use to allow you to perform so much.

To authenticate & put down signature, you must use dedicated PIN code for each of those operations. And of course you must possess the card (use card reader).


This is The Correct Answer™.

CA-issued GUIDs unlock the Translucent Database technology, enabling all PII to be encrypted AT REST at the field level.

Translucent Databases 2/e: Confusion, Misdirection, Randomness, Sharing, Authentication And Steganography To Defend Privacy Paperback [2009]

https://www.amazon.com/Translucent-Databases-2Nd-Authenticat...

PS- Just spotted ftrotter's question for the first time. I also worked in healthcare IT and prototyped a PII-protecting schema. Alas, my POC also flew like a lead zeppelin. No password recovery. This strategy requires GUIDs, aka RealID in the USA.

https://stackoverflow.com/questions/2109451/translucent-data...

"I am building an application with health information inside. This application will be consumer-facing, which is new for me. I would like a method to put privacy concerns completely at ease. As I review methods for securing sensitive data in publicly accessible databases I have frequently come across the notion of database translucency. ..."

I could have written that. Oh well. Someone in much the same situation, having the same questions, and then reaching about the same answer is somewhat validating.

10+ years later, I'm sure there's now dozens of us advocating Translucent Databases techniques.


I long wondered about this... How does card reading work?

Are regular smartcard readers compatible? Does the card have NFC for phones? Can you use them under Linux/Mac? Do regular browsers work with it? (FIDO/WebAuthn).

Or is the card reader a standalone device, like my bank uses, where you key in your PIN, and it gives you a one-time code, or a response to a challenge?


It's a smartcard. I have a Dell business-class laptop with a built-in smartcard reader. Otherwise you can get a compact device that reads the smartcard chip. Some keyboards have card readers. https://m79.lv/arejiedatuneseji/atminaskarsulasitaji/id-smar...

No NFC. Don't think smartcards have anything to do with FIDO.

As for phones, there is an application that has to be set up using a computer/smartcard reader and from then on, I can use the app to authenticate & sign.


Generally, you're not logging in directly with the biometric data. The biometric data never leaves your device, it is just used to protect some kind of secret key on the local device that it actually uses for the authentication when logging in. If you need to log in another device, you would use an existing device to confirm the new login or you would need to use some other authentication method.
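The device-bound flow described in this comment and in the earlier "cryptograms" reply, as an added Go example that is not code from the original thread or from any product named in it: the fingerprint template and the private key stay on the device, the server stores only a public key, and the only thing that crosses the network is a signature over a fresh server challenge. The Device, Server and Login names and the constructed sample reading are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device holds the private key and enrolled template; neither leaves the device.
type Device struct {
	priv     ed25519.PrivateKey
	template [32]byte // hash of a constructed sample fingerprint reading
}

// NewDevice enrols a fingerprint reading and generates a device-bound key pair.
func NewDevice(reading []byte) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv, template: sha256.Sum256(reading)}, err
}
// PublicKey is the only thing the device sends to the server at registration.
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge only after a local biometric match; the signature
// (the "cryptogram"), not the fingerprint, is what crosses the network.
func (d *Device) Sign(reading, challenge []byte) ([]byte, error) {
	if sha256.Sum256(reading) != d.template {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Server stores public keys only, so a leaked table contains nothing reusable.
type Server struct{ keys map[string]ed25519.PublicKey }
func NewServer() *Server                                      { return &Server{keys: map[string]ed25519.PublicKey{}} }
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge is a fresh random nonce, so a captured signature cannot be replayed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read: cannot fail since Go 1.24, errors rather than short-reads before
	return c
}

// Login: server challenge, local biometric check and signature, server-side verify.
func Login(s *Server, d *Device, user string, reading []byte) bool {
	c := s.Challenge()
	sig, err := d.Sign(reading, c)
	pub, ok := s.keys[user]
	return err == nil && ok && ed25519.Verify(pub, c, sig)
}
```

A copy of the server table gives an attacker only public keys, and a second device enrolled with the same finger still cannot log in because it holds a different private key.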


Well, I got fingerprinted by FINRA when I took a job at a trading company, and I have been fingerprinted by the US government multiple times. When I went through China once, they needed a fingerprint or two. Same for my Brazilian visa.

Biometric information leaks through other means, and if you rely on it for security, you are letting a lot of people in.


Yeah, biometrics are not a password replacement. The solution everyone uses today is "something you have (2fac device) + something you know (password)" -- the 2fac device needs to be an OTP generator, but you could even further secure this by requiring biometrics to generate the OTP (e.g. imagine a security key that refuses to acknowledge touch unless it senses your fingerprint).

Biometrics without the other two don't help anyone.


> but I feel like this is just a password you can't change

Not quite. IBM has (had?) a research program on "cancelable" biometrics. I do not recall perfectly, but I think they were tweaking the encoded biometric sensor data before committing it to DBs. If there is a leak, one can redo it with a new tweak (like a new salt or nonce).


How does that help if someone has a detailed picture of your fingerprint?


Oops. You're right.


The worst thing about biometrics or hardware devices is that someone can force you to give them out in my opinion. If I have a 6 word passphrase which I remembered, no one can get it unless I give it to them (Yeah, I know there's still some methods https://xkcd.com/538/).


Indeed. Also in legal terms.

In the Netherlands, the police can hold your finger to the fingerprint reader on a device they confiscated (might need a court order, or might depend on circumstances if there is an imminent threat to life or something), but they cannot order you to work on your own prosecution in general. Why, then, you can be ordered to put your finger on the pad, I have no idea, but it has been ruled that you cannot be ordered to tell them a password.

Then again, the secret services have been allowed to order giving up passwords since forever.


The solution there is to set aside a few less-used fingers which, when applied to the scanner in sequence, tell it to perform a secure wipe. I'm left-handed so I use a few fingers on my right hand plus my left little finger for access, this leaves enough fingers for a fingerprint-directed wipe command:

   left index followed by
   left ring followed by
   left middle => Wipe
There is bound to be an app or option in some AOSP-derived distribution for that; if not, you got the idea here.


You will almost always use one or two fingers to unlock your phone due to the fingerprint reader's position, and the police might be intelligent enough to ask you to put that exact finger on.


I'm sure I've read various stories of children using their sleeping parent's fingerprints to enable them to purchase things too.


The service doesn't store your fingerprint. Your fingerprint is just the unlock-key for the hidden password manager in your device.

That's why you can't just change phones, and then login with your fingerprint without setting everything up again.


iPhone biometrics can’t be faked because the sensors can’t be moved between devices, each Face ID sensor uses a different random pattern, etc.

It’s also more secure than a password on a phone because if you’re using it in public someone can watch you type your password in.

Of course, someone might be able to clone your head shape.


> Of course, someone might be able to clone your head shape.

This is from 2005:

> Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

I guess this is a question of threat model. I hope nobody would want to chop off my head just to unlock my iPhone. But this always reminds me of the scene in "Demolition Man" where Wesley Snipes spoons out someone's eyeball to open the biometrically locked door of his prison.


What I'm hearing you say is that the hardware has baked-in private keys. That is not biometrics, that's public-private key authentication. People already do this with ssh/pgp private keys on a hardware token. Which is a good idea, but it has nothing to do with biometrics and is not something you need to sell your soul to apple for.

> It’s also more secure than a password on a phone because if you’re using it in public someone can watch you type your password in.

I'd rather hold a hand over a PIN pad than having to wear a mask to prevent my face from being scanned in public.


> What I'm hearing you say is that the hardware has baked-in private keys. That is not biometrics, that's public-private key authentication.

Even if you could write your sensor's face data into someone else's phone, you still wouldn't be able to authenticate with it, because it doesn't have the same sensor. It's not just different keys, the fixed layout of the IR pattern is different.

> I'd rather hold a hand over a PIN pad than having to wear a mask to prevent my face from being scanned in public.

And not sure what the actual threat model here is, but I don't think strangers can scan your face in a way that's useful to Face ID. (Wearing a mask doesn't stop general identification technology, it doesn't even break Face ID anymore.)


I don't think they meant respiratory masks to hide from your head being scanned, especially if the algorithm doesn't look at that part of your head.

> Even if you could write your sensor's face data into someone else's phone,

Since the keys presumably aren't retrievable from the hardware, it doesn't matter if there are random or intentional production flaws in the sensor itself: you need the original hardware anyway. You just need to trick it into doing the authentication. That's the part where biometrics are involved, the part where you present it with a username so to say. The rest is private key authentication.

