DailyDirt: Passwords? We Don't Need No Stinkin' Passwords
from the urls-we-dig-up dept
Fingerprint-based biometric security systems are everywhere now, but there are some well-known problems with using your fingerprints instead of a password. First off, you unconsciously leave copies of your fingerprints just about everywhere you go. Still, fingerprint sensors seem to be getting better and better. I’ll stick to my 4-digit PIN for now, though, thanks, but if you like using your finger for your digital locks, check out these links.
- Qualcomm has an ultrasonic fingerprint sensor that captures three dimensional characteristics of a user’s fingerprint by penetrating the outer layers of skin with sound. This sensor can more accurately detect fingerprint features when fingers are wet or slathered in hand lotion, but it might not be able to identify you correctly if you get a papercut or cracked, dry skin? [url]
- Vkansee has a high-resolution optical fingerprint sensor that claims to be able to detect the sweat pores of your fingertip. This sensor isn’t available on any commercial smartphones, but presumably better biometric sensors are going to be embedded in more and more devices. Yay? [url]
- There are plenty of concerns about how accurate fingerprint identifications systems are — with issues such as false positives and false rejection rates. One of the key aspects, though, is that fingerprints are not secret and not revocable. Some systems try to detect “liveness” to make sure a fingerprint is attached to a (hopefully healthy and not under duress) living person, and there are a few other approaches to guard against spoofing, but fingerprints aren’t a perfect biometric. (And no perfect biometric system exists….) [url]
If you’d like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.
Filed Under: biometrics, fingerprint, fingerprints, identification, passwords, pin, security, sensors
Companies: qualcomm, vkansee
Comments on “DailyDirt: Passwords? We Don't Need No Stinkin' Passwords”
Biometrics = Terrible Security
Let that sink in.
It is just so much easier to steal your biological information. Especially if you are the government since the practically require you to give it up to easily identify you if they need to connect you to a crime.
Technology is getting so damn good that just about biometric data can be stolen from you without you even knowing it.
Go and look at why the President can’t even take a single shit in peace…
My doctors office now does hand scans, where it looks at your veins to match you to your records. It’s pretty nifty. Also makes me wonder how hard it would be to trick the system.
Although fingerprint identification technology had been perfected a long time ago, and still in widespread use by the US Border Patrol, FBI, and domestic law enforcement agencies, the US military seems to prefer retina scans and DNA tests — or at least that’s what conquered populatons are forced to endure.
http://www.dailykos.com/story/2004/12/05/77917/-The-Fallujah-Police-State-retinal-scans-and-a-DNA-database
Re: Re:
evidently ‘perfected’ before gummy bears…
hhh
Re: Re:
“Although fingerprint identification technology had been perfected a long time ago”
The “perfected” method of fingerprint identification isn’t how it’s actually done, either by people or computer. What’s actually done is not comparing fingerprints, but comparing a small sample of features in each print. Under the best of circumstances, this reduces the accuracy by a huge margin.
“US military seems to prefer retina scans and DNA tests”
Probably because fingerprints are easy to copy and forge. Retinal patterns and DNA tests are more difficult.
Are fingerprints really unique?
That is certainly the myth, but as someone who did fingerprint security systems for the FBI, I’ve yet to find any scientific proof that they are unique.
To prove it, you would have to compare all fingerprints with all other fingerprints and come up with no duplicates. Even that wouldn’t be enough: you’d need to compare all fingerprints in history, past and future.
Re: Are fingerprints really unique?
The best data on this used identical twins and found each had different fingerprints. Also, there has been no documented case of misidentification due to two people having identical fingerprints.
The problem with biometric systems is that once compromised there is ability to reset the fingerprint. With a password based system, users can change their passwords if needed.
Re: Are fingerprints really unique?
It has been a long time since I took stats, but you don’t have to test an entire population to get valid and reliable data. The idea is to take a random sample and then apply your findings to the population–the particular type of analysis tells you what your sample size needs to be.
The issue with fingerprint identification is the lack of consistency in matching and the lack of any scientific basis for calling something a match. This tidbit from a Popular Mechanics article has haunted me since I first read it:
Our method of taking prints and evaluating them sucks, even if we assume they are all unique. Interestingly, I trust tech companies to improve fingerprint technology more than I trust law enforcement to. Tech companies have a motive to get it right and law enforcement has a motive to keep it fuzzy.
Re: Re: Are fingerprints really unique?
Fingerprint examination is the problem there, yes. No one matches whole prints on a regular basis, even when they have 2 whole prints to compare. Machines don’t, either. But one could hope for tech companies getting it better if they are going to follow this rather stupid route for security.
Re: Are fingerprints really unique?
The exact pattern of your fingerprints are not coded for by your DNA, so there’s a very large arbitrary and/or random component to them. It’s a bit like assigning a random number to every human. There’s no guarantee that each will be unique, but the odds of two being identical are very, very tiny.
“To prove it, you would have to compare all fingerprints with all other fingerprints and come up with no duplicates”
No, there’s no need to go that far to prove it. And this issue about fingerprints has been very well studied. The usual figure cited for the odds that two people have the same fingerprint (for a single finger) is 1 in 64 million.
However, due to the fact that fingerprint matching is not done by comparing entire fingerprints means that the odds of two people having their fingerprints being judged as the same are around 1 in 50,000 (depending on the exact method being used).
Fingerprints and DNA...
… can both be stored, copied and faked and neither one can be revoked.
I'll stick to my 4-digit PIN for now
I’ll stick to my 12 digit pin, 4 digit pins are so 90s
This Happened, in another universe, DNA ID [video]
ACT I.
We are pretty good at making Science Fiction into Science.
ACT II.
People don’t care how a thing does magic as long as it doesn’t interfere with their goal – open car door, start car, tell the residence to go lock down, buy food.
ACT III
The leader of the [ ] makes 1 system and declares it mandatory. This system spans networks all cities and is the only way to do any task; even buy coffee.
METHOD: place finger on device. The device compares DNA sample to data on file. You are a match = 1? Good. There is no invalid compare = 0. Mismatch = Infinity? Infinity means you are a clone or worse; from the future.
This brings us to a VFX short film because the film has every horror you can relate to. Count the topics: hint we are trying to find the 1 solution now. It is fun to see all the security vs safety, commerce tracking, locks and passwords are DNA ID and the police have 100% of the data, the access, you are instantly guilty, go to jail, do not collect (..)
— The director’s youtube accnt
PLURALITY
— If the site boss wants embed …
TANSTAAFL
Our Company has been using Finger Vein readers
We have been using finger vein pattern readers for 3 years now and we are quite satisfied. We’ve had no false positives or incorrect rejections. As a biometric it would be very hard to duplicate the veins with a warm liquid coursing through them. You’d have to have one very expensive piece of equipment to duplicate someone’s pattern of veins in the last half an inch of a digit. The user has to enter their user-id and then the pattern has to match and only a live finger tip will work. The user can change their user-id at any time and can change which finger they are using and each finger is in fact different. The great thing is that your finger vein pattern has absolutely no law enforcement value as no one has ever left their finger vein pattern at any crime scene.
Re: Our Company has been using Finger Vein readers
“The user has to enter their user-id and then the pattern has to match and only a live finger tip will work.”
Huh? Why do they have to enter a user-id? Sounds to me like it might not be quite so accurate after all if it can’t identify them from their vein pattern.
Fifth Amendment concern
Biometric fingerprints aren’t protected by the Fifth Amendment, because these aren’t stored in your mind.
You can therefore be compelled to provide your fingerprint, and can’t refuse on Fifth Amendment grounds.
A password on the other hand is stored in your mind, and unless you are stupid and admit you know it, its production can’t be compelled.
Re: Fifth Amendment concern
Yes, a password can be compelled.
You can be held in jail until you give it up.
Re: Re: Fifth Amendment concern
“You can be held in jail until you give it up.”
Citation, please.
You can’t change your fingerprints so once someone has your fingerprint you are pretty screwed. The same goes for all biometric data.
Even if you build a device that could not be tricked directly there are always other ways to get around that so having a single unchangeable identity or password is just bad business.
I think biometrics can be PART of the key to get into some system. But in the end it should be a mix of things so if you don’t have a portion of it then you can’t go in.
I’d love to have a combination of password, biometrics, code generators (such as google auth), thumb keys and others. Your choice depending on how much that specific access matters.
Re: Re:
Yes, from a security point of view, relying solely on fingerprints in foolish in the extreme. Of course, it’s foolish in the extreme to rely on any single method of authentication anyway — but if you’re only going to use one, it shouldn’t be fingerprints. Of all the authentication schemes out there, if you’re going with single-factor authentication then strong passwords are still the best bet. By a lot.
Re: Re: Re:
“strong passwords are still the best”
Define “strong passwords”.
Re: Re: Re: Re:
“Strong” is a bit of a subjective term, but personally I consider the minimum form that qualifies is one that is at least 8 characters long and consists of a random string of characters that include punctuation and a mix of cases.
Also, to count as “strong”, it must only be used to access a single thing (no password duplication) and should be changed regularly. Personally, I go with every 60 days. Expired passwords get discarded, not reused.
Re: Re: Re:2 Re:
“… consists of a random string of characters that include punctuation and a mix of cases.”
As soon as you start making rules or patterns that it must follow, it’s no longer random.