I thought biometric passwords like fingerprints, facial recognition, etc. were a highly secure method of using encryption. However your digital biometric fingerprint, if it gets stolen, will give hackers access to every one of your accounts.
Is any of this true? Are biometrics far less secure because once you steal one password you’ve stolen them all, or are biometrics more secure than that?
It’s a bad idea to use biometrics alone because things like fingerprints, pictures, etc. can be duplicated by anybody who is physically around you a lot.
In the consumer space they are usually marketed as gimmicks and password replacements (swipe your finger to log on instantly! use your face to unlock your phone!). That’s horrible. In the latter instance, any of your Facebook friends can show your face to your phone and access it.
In the enterprise space, biometrics are usually combined with other authentication methods (a password and/or a dongle) to be one additional layer of protection. In those instances they can add to security, but they also mean that people who really want your password might be tempted to cut off a finger or rip out an eyeball. Hopefully you’ll never have to deal with anything that sensitive.
Basically, you want to use something the user has (a dongle or a smartphone), something the user knows (a password), and something the user is (biometrics) – all three together for maximum security. And maximum frustration.
By the way, biometrics are not encryption, they are authentication. Authentication is “Is this person the right person?” Encryption is “How do I make sure only authorized users can see this information?” You use both together, but they are not the same thing.
You don’t have a digital fingerprint that can be stolen. A fingerprint reader creates a hash value of information at a number of points on your finger. This hash value can’t be reversed back to a fingerprint, since a number of different combinations give the same hash. Further, each reader should use a different seed so if I scan the same finger on two different readers I will not get the same hash.
I think Apple hit upon the right approach of using TouchID as a way of minimizing, not eliminating, typing in your passphrase. Certain higher-security operations still require entering your passphrase, such that someone who manages to both steal your phone and your fingerprint is mitigated from doing too much damage.
A relative of mine was working for the Pentagon’s Defense Information Systems Agency, and had his laptop with a fingerprint reader built into it. (This was a few years ago, when such things were quite uncommon (and probably quite expensive).) I mentioned the cut-off-a-finger idea, and he said they had been told that this would not work – the sensor would be able to tell this, and would not accept it.
They had not been told any details on just how this worked, but he & I speculated that it could possibly use temperature of the fingertip or some kind of sensor that identified blood flow in the finger. In any case, probably a much more sensitive and complicated sensor than the current ones on consumer-grade machines.
Supposedly it won’t work for Apple either. I am not willing to cut my finger off to test it. Wouldn’t surprise me if you could heat it up, or just make an imprint or something and attach it to your own. As others have pointed out, it isn’t a password/encryption in and of itself, and it shouldn’t be used as the only method of securing anything.
I think the last time I had to use something to get into a secure facility, it used the spacing between my fingers AND my passcode. The idea wasn’t that the spacing between my fingers (I think it’s more like the relative position of the webbing of your fingers to each other) was secure in and of itself, but that using that PLUS my ID badge was better. And that way I couldn’t just give someone my badge to get in (or have it stolen from me).
It’s an arms race, like anything else in security. If it looks for temperature, then you heat up your fingerprint. Etc. There’s apparently an annual competition too: http://prag.diee.unica.it/fldc/
And PS – If somebody is already willing to cut off your fingers to get access to what they want, eh… the finger may be only the first thing you lose.
I read once that they found out fingerprint scans can sometimes be copied by just breathing on the spot of the last fingerprint, and the last impression will still appear. I once found a recipe for “stealing someone’s finger” by using a type of gelatin mold. Plus, as they have done in a couple of movies, there is nothing to keep bad guys from literally removing one’s finger or eyeball.
Yeah, if they are willing and able to remove your finger or eyeball, they will probably be able to get your password out of you fairly easily, too.
Actually, if they are that violent and ruthless, they probably will not need to actually remove your finger or eyeball either. It is probably going to be much easier and less messy for them to just threaten and/or torture you until you co-operate. The time to die will come after that.
It’s also only secure if the fingerprint (or retina, or whatever) reader is in the same location as the system that you’re trying to gain access to. If you tried to use biometrics for security on a website, then the user sitting at the computer would have to read the fingerprint, convert that to some form of digital information, and transmit that digital information to the website. At that point, the biometric data is just another password, and is vulnerable to all the same things as any other password (for instance, if someone intercepts the communication, they have something they can send to the website that will look like a fingerprint to the website).
On the other hand, if you’ve got a door with a fingerprint reader on the lock, then the data doesn’t have to go anywhere, and so it can’t be intercepted en route. In this case, it provides a meaningful extra layer of security.
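The contrast drawn in the two posts above (biometric data transmitted to a website versus matched at the reader) as an added Python example; this is not code from any poster. It assumes a constructed template byte string, and for brevity uses a shared HMAC key between reader and server where a real authenticator would hold a per-device signing key.

```python
import hashlib
import hmac
import os
# Constructed sample template: in the "send the fingerprint to the website"
# design these bytes are the credential, so capturing them once is enough.
TEMPLATE = b"constructed-minutiae-template-bytes-0123"
def raw_server_verify(stored: bytes, received: bytes) -> bool:
    """Website comparing transmitted biometric data directly: no freshness."""
    return hmac.compare_digest(stored, received)

def raw_server_resists_replay() -> bool:
    """Observer resends a captured login message; True if it was rejected."""
    captured = TEMPLATE  # exactly what crossed the wire during a real login
    return not raw_server_verify(TEMPLATE, captured)

class LocalMatchDevice:
    """Reader that matches locally (door lock / phone style), then answers a fresh challenge."""
    def __init__(self, enrolled: bytes, key: bytes):
        self._enrolled = enrolled
        self._key = key  # device-held secret, never transmitted
    def respond(self, finger: bytes, challenge: bytes):
        if not hmac.compare_digest(self._enrolled, finger):
            return None  # local match failed: nothing leaves the device
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ChallengeServer:
    """Hypothetical simplification: a shared HMAC key stands in for a per-device signing key."""
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._outstanding = set()  # challenges issued but not yet answered
    def new_challenge(self) -> bytes:
        c = os.urandom(16)
        self._outstanding.add(c)
        return c
    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-used challenge: a replay
        self._outstanding.discard(challenge)  # single use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def challenge_server_resists_replay() -> bool:
    """Genuine login must pass once; replaying the captured pair must fail."""
    key = os.urandom(32)  # provisioned to both sides at enrolment
    device = LocalMatchDevice(TEMPLATE, key)
    server = ChallengeServer(key)
    c = server.new_challenge()
    r = device.respond(TEMPLATE, c)
    return server.verify(c, r) and not server.verify(c, r)
```

The point is the one the post makes: once the biometric itself travels over the wire it is just a reusable password, while a reader that matches locally and only proves possession of a fresh challenge answer gives an eavesdropper nothing to resend.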