Getting an ID card checked by security at the door of a secure establishment allows the people inside that building to know that the holder truly is who they say they are. Inside that space the person has access to confidential information and they do not need security to constantly verify their credentials.
...and yet ID cards can be copied and faked - so why do we do this?
This model is how a fingerprint can be used as a shortcut to deliver certain privileges. The user must first pass security by entering their password, and then later numerous safety triggers are in place to require that password again. Meaning that once a person is validated a stand-in can be suitable rather than fully evaluating each and every time.
Back to fingerprints: copying a fingerprint has numerous barriers that these exploits frequently ignore. First it needs to be the correct finger, it must be clear and complete enough to copy and finally it must be used at a time when the device will accept it. While such barriers may be insufficient for a secure environment, this approach provides more security than, for example, a person repeatedly entering a pincode into their phone through the day - something that is both easily observed and remembered (and worse too if it's a gestural passcode).
To relegate fingerprints as only this or that throws the baby out with the bathwater - appropriate rules and context can make it a useful security improvement over the status quo. That doesn't mean it's perfect or that it has to be.
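A small model of the "ID card checked at the door" scheme the comment above describes, added here as an illustration rather than code from the thread or from any device vendor: the password is the full check, and the fingerprint is a stand-in that is accepted only while none of the safety triggers (a reboot, a time window since the last password entry, too many failed scans) has fired. The trigger thresholds, the class and the method names are assumptions made for the example.

```python
# Added example, not code from the thread or from any vendor. Models the
# "password is the full check, fingerprint is a stand-in" scheme with three
# assumed safety triggers that force the password to be entered again.
import time

BIOMETRIC_WINDOW_SECONDS = 48 * 3600   # assumed: password required again after this long
MAX_BIOMETRIC_FAILURES = 5             # assumed: password required after this many failed scans


class UnlockPolicy:
    """Tracks whether the fingerprint shortcut is currently acceptable."""

    def __init__(self, clock=time.time):
        self.clock = clock                # injectable for testing with a fake clock
        self.last_password_auth = None    # None = no password entry since boot
        self.biometric_failures = 0

    def password_ok(self):
        """The full check passed: open a fresh window and clear the failure count."""
        self.last_password_auth = self.clock()
        self.biometric_failures = 0

    def reboot(self):
        """A restart voids the shortcut until the password is entered again."""
        self.last_password_auth = None
        self.biometric_failures = 0

    def biometric_allowed(self):
        """True only if no trigger has fired since the last password entry."""
        if self.last_password_auth is None:
            return False
        if self.clock() - self.last_password_auth > BIOMETRIC_WINDOW_SECONDS:
            return False
        if self.biometric_failures >= MAX_BIOMETRIC_FAILURES:
            return False
        return True

    def try_biometric(self, scan_matched):
        """Attempt a fingerprint unlock. Returns True only when the stand-in is
        permitted right now AND the sensor reported a match. A non-matching scan
        counts toward the failure trigger; a blocked attempt does not."""
        if not self.biometric_allowed():
            return False
        if scan_matched:
            self.biometric_failures = 0   # assumed: a good scan resets the counter
            return True
        self.biometric_failures += 1
        return False


if __name__ == "__main__":
    policy = UnlockPolicy()
    print("before any password:", policy.try_biometric(True))   # False
    policy.password_ok()
    print("after password:", policy.try_biometric(True))        # True
    for _ in range(MAX_BIOMETRIC_FAILURES):
        policy.try_biometric(False)
    print("after repeated failed scans:", policy.biometric_allowed())  # False
```

The point of the fake clock parameter is that the time-window trigger can be exercised without waiting two days; in a real device the window, the failure limit and the reboot rule would be set by the platform, not by application code.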
In the virtual threat model, difficulty needs to be insane, since any of 7 billion people can launch automated attacks on my server.
In the physical threat model, difficulty can be moderate, since the only people who can attack are ones physically here. My front door has a pickable lock, and my windows are breakable. My key threat is my crazy stalker ex.
Fingerprints are usually in the latter category, and provide pretty good security.
I always thought that since the beginning, but unfortunately the world went into another direction. People always said "something you have and something you know", but now for most cases it's just "something you have - your body". Obviously if in the future remote mind-readers are invented, the "something you know" part will also get obsolete, but for now we should stick to it.
I've always disliked this breakdown. My body is something I have -- it's just potentially (not always practically -- see the article) more difficult to clone or otherwise use without my consent than a key fob or something.
Edit: To be clear, I don't think this is an argument for biometrics, but rather an argument against them. They can't complement something I have in a two factor scheme, because my biometrics are something I have.
But it's the parts that are easily forgeable (fingerprints, retinas, etc) that are being relied upon. By "forgeable" I mean "things that someone else can also have by creating copies."
I don't think we yet have good metrics on how to detect specific individuals using a full-body scan. Not to mention the invasiveness of creating your personal initial dataset. Most folks won't stand for it. So right back to parts that are forgeable...
Fingerprints are not usernames. I wish that idea would die but people just love putting things in existing categories so much they keep thinking "fingerprints aren't the same as passwords... so they must be the same as usernames!".
> Fingerprints are usernames, not passwords. Here is an excellent (and timeless) post on this fact
No, that is a complete, absolute shit post that isn't even self-coherent. Like, it literally whines about needing something that can be "independently chosen, changed, and rotated", which obviously describes usernames, so obviously biometrics can't possibly be usernames by that very post! Why is this dumb meme so fucking persistent? Fingerprints are one of many biometrics. They aren't usernames, which aren't an authentication factor at all. They aren't passwords. They aren't tokens. They are their own thing. They have their own pluses and minuses as part of a comprehensive response to a given threat scenario. That's it. Trying to shoehorn them into something else is the same as trying to shoehorn everything into a car analogy.
All security exists solely in the context of an equation of threat scenario (the word "threat" doesn't even appear in that post), defender vs attacker resources and the value of what is being defended. Real security must work for actual real humans too. For example, rotating passwords every day/week/month is "secure" except that it's also a huge PITA or even outright impossible for many humans and defending against what should be a non-existent threat scenario anyway. So the obvious and inevitable result is that everyone starts to use crappy passwords, write them all down on sticky notes and text files and such everywhere, or both. That is not the fault of the users, it's the fault of a shitty system.
Another word that doesn't appear in that post? "Camera". Biometrics is an enormously rich potential field; fingerprints are about the worst, lowest-hanging fruit and in no way represent everything, particularly as we use more and more wearables (there are bits of entropy to be found in your body's cardiac cycle, for example). But even for fingerprints, which is really lower resource for attackers: getting and reproducing a fingerprint, or having AI go through every single networked look-down camera for the obvious pattern of a human pulling out a slab of screen and then entering a PIN or passcode into it, then recording that? Are people expected to never ever unlock a device anywhere but a physically secure area? Because see above, that is not realistic for real humans and thus a worthless security response.
As is usually the case, the best answer is hybrid, with multiple levels of factor usage to try to combine the strengths of each. And indeed that is the way things are going.
Edit to add: And if I sound irritated about this, I am. This is the same kind of user-hostile, shallow anti-security thinking that brought us things like "security" questions, password rotation policies, lengthy and baroque "must contain 2 caps 1 number 3 special characters but not those special characters and cannot START with a number" password policies, etc. All of which add aggravation and failure points to no good end. Bad security practices affect our entire industry to the detriment of us all, but "bad security" isn't just a technical thing, it's a human UX thing.
Bizarrely, my organization limits passwords to a length of 12 characters or shorter. I agree with you, I don't want a password the size of a paragraph, but c'mon... 12 characters?
I think you misread me, or I didn't communicate clearly. By "lengthy" I was referring to the policy, not password length. Indeed, max password length itself is another common bit of foolishness; for sanity reasons arguably it shouldn't be infinite, but ~150 characters should be fine so that if people want to have a long diceware passphrase that's fine. To the extent passwords are used at all it should be exclusively as input to a KDF or adaptive hash anyway, so storage-side it should all be normalized regardless of input length.
Ah, gotcha, sorry. "Lengthy (password policies)", not "(lengthy password) policies". I wouldn't call the policies themselves particularly lengthy, though we do have multiple systems with different policies for which we're supposed to use the same password, so there's that -- it's possible to set a password in one place that can't be set in the other. (Would something bad happen if they weren't in sync? I can't see how, other than it wouldn't be clear half the time which password to use.)
Sorry for not being clearer. Really though, the only "password policy" should be "no password reuse/dictionary" (check it against haveibeenpwned.com or the like, there is a nice API), and some minimum decent length. Preferably with a decent user friendly generator option for default suggestions too, and password manager friendly. It's probably not the weakest link at that point. "Multiple systems with different policies for which we're supposed to use the same password" seems like it should just be SSO?
But I recognize in reality when using archaic systems at businesses with no budget sometimes hacks are just the best that can be done, and that's how it is. I mean, obviously best of all is no shared password, use a proper key via hardware token instead and the password/PIN or (gasp :)) biometrics is purely something the user uses to activate the token. Unfortunately it'll probably be a while until we get there. But the general use of baroque password policies, particularly when interfacing with the general public, is still an anti-feature for security which has finally started to fade away.
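The password handling that the two comments above argue for, written up as an added Python example that is not code from the thread: only two acceptance rules (a minimum length and "not in a known-breach corpus", for which haveibeenpwned.com is named above), a generous sanity cap of around 150 characters, and the password going only into a KDF so the stored record is the same size whatever the input length. The breach check uses the Pwned Passwords k-anonymity scheme (SHA-1 the password, send the first five hex characters, match the remaining 35 locally), but the HTTPS call is replaced by a constructed in-memory table so the code runs offline; MIN_LENGTH, the scrypt parameters, the sample breach counts and the function names are assumptions made for the example.

```python
# Added example, not code from the thread. Password acceptance with exactly two
# rules (minimum length, not in a breach corpus), a ~150-character sanity cap,
# and scrypt for storage. The breach lookup is simulated offline with a
# constructed table standing in for https://api.pwnedpasswords.com/range/<prefix>.
import hashlib
import hmac
import os

MIN_LENGTH = 12    # assumed value; the thread only says "some minimum decent length"
MAX_LENGTH = 150   # the ~150-character sanity cap suggested in the thread
SALT_BYTES = 16
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # assumed work factor


def hibp_prefix_and_suffix(password):
    """Split the SHA-1 hex digest the way the Pwned Passwords range API expects:
    the first 5 hex characters go to the service, the remaining 35 are matched
    locally, so the full hash of the password never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse a range response body ("SUFFIX:COUNT" per line) and return how
    many times our suffix was seen in breaches, or 0 if it is absent."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix.upper():
            return int(count or 0)
    return 0


# Constructed stand-in for the range endpoint. The first entry is SHA-1("password")
# split into prefix/suffix; both counts are made up for the example.
CONSTRUCTED_RANGE_TABLE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0123456789ABCDEF0123456789ABCDEF012:12\n",
}


def constructed_range_lookup(prefix):
    """Offline replacement for the HTTPS GET; unknown prefixes yield an empty body."""
    return CONSTRUCTED_RANGE_TABLE.get(prefix.upper(), "")


def check_password(password, range_lookup=constructed_range_lookup):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    prefix, suffix = hibp_prefix_and_suffix(password)
    seen = count_in_range_response(suffix, range_lookup(prefix))
    if seen:
        problems.append("appears %d times in known breaches" % seen)
    return problems


def hash_password(password, salt=None):
    """Derive a fixed-size storage record (salt || key) with scrypt. The record
    is the same length whether the input is 12 or 150 characters."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + key


def verify_password(password, record):
    """Recompute the key under the stored salt and compare in constant time."""
    salt, key = record[:SALT_BYTES], record[SALT_BYTES:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "accepted")
    record = hash_password("correct horse battery staple")
    print("record bytes:", len(record),
          "verify:", verify_password("correct horse battery staple", record))
```

In a deployment the only change is that `range_lookup` performs the HTTPS GET for the five-character prefix; the matching logic, the length rules and the KDF stay as they are, and because the client only ever sends the prefix, the service cannot learn which password was checked.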
Secrecy is only an approximation of difficulty. Given the difficulty, I would estimate it as a two character password. It should be fine for people who have nothing to hide.
> Given the difficulty, I would estimate it as a two character password.
Sorry, but that is _way_ off.
I can run through 2 character passwords by hand in a few hours at most, likely faster. (Assuming a qwerty keyboard, 62 alphanumeric, plus roughly 33 other characters makes for 9025 possible passwords.)
To reproduce a fingerprint requires access, money, time, and expertise. It's not _hard_ but it is not trivial either. You need access to a good fingerprint. You need the money to buy the supplies (a laser printer, some acetate, and some wood glue). You need time to both capture the fingerprint, refine it in the photo editor of your choice, and then actually turn it into something that scans. And you need to know that this is all actually doable. And then that all assumes that it actually works; I can assure you this is not a 100% success rate.
Put another way, if you told me you _personally_ had a two character password on a specific account, I could likely log into it _today_. Conversely, if you told me it also required a fingerprint to log into, I'd be out of luck. I'd have to learn who you are, where you lived, and then concoct a way to capture a clean print.
As others have pointed out, biometrics != password. It's an apples to oranges comparison.
> It should be fine for people who have nothing to hide.
If I'm a company, would I want my employees to give up proprietary data they hold just because they personally "have nothing to hide?" Anyone who thinks that's acceptable is someone who isn't worthy of trust.
https://blog.dustinkirkland.com/2013/10/fingerprints-are-use...