DailyDirt: Passwords? We Don't Need No Stinkin' Passwords

from the urls-we-dig-up dept

Fingerprint-based biometric security systems are everywhere now, but there are some well-known problems with using your fingerprints instead of a password. First off, you unconsciously leave copies of your fingerprints just about everywhere you go. Still, fingerprint sensors seem to be getting better and better. I'll stick to my 4-digit PIN for now, though, thanks, but if you like using your finger for your digital locks, check out these links. If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 12 Mar 2015 @ 5:07pm

    Biometrics = Terrible Security

    Let that sink in.

    It is just so much easier to steal your biological information. Especially if you are the government since the practically require you to give it up to easily identify you if they need to connect you to a crime.

    Technology is getting so damn good that just about biometric data can be stolen from you without you even knowing it.

    Go and look at why the President can't even take a single shit in peace...

    reply to this | link to this | view in chronology ]

  • icon
    Bri (profile), 12 Mar 2015 @ 5:25pm

    My doctors office now does hand scans, where it looks at your veins to match you to your records. It's pretty nifty. Also makes me wonder how hard it would be to trick the system.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Mar 2015 @ 5:42pm

    Although fingerprint identification technology had been perfected a long time ago, and still in widespread use by the US Border Patrol, FBI, and domestic law enforcement agencies, the US military seems to prefer retina scans and DNA tests -- or at least that's what conquered populatons are forced to endure.

    http://www.dailykos.com/story/2004/12/05/77917/-The-Fallujah-Police-State-retinal-scans-and-a -DNA-database

    reply to this | link to this | view in chronology ]

    • icon
      art guerrilla (profile), 12 Mar 2015 @ 7:13pm

      Re:

      evidently 'perfected' before gummy bears...
      hhh

      reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 13 Mar 2015 @ 8:08am

      Re:

      "Although fingerprint identification technology had been perfected a long time ago"

      The "perfected" method of fingerprint identification isn't how it's actually done, either by people or computer. What's actually done is not comparing fingerprints, but comparing a small sample of features in each print. Under the best of circumstances, this reduces the accuracy by a huge margin.

      "US military seems to prefer retina scans and DNA tests"

      Probably because fingerprints are easy to copy and forge. Retinal patterns and DNA tests are more difficult.

      reply to this | link to this | view in chronology ]

  • identicon
    JustShutUpAndObey, 12 Mar 2015 @ 5:56pm

    Are fingerprints really unique?

    That is certainly the myth, but as someone who did fingerprint security systems for the FBI, I've yet to find any scientific proof that they are unique.

    To prove it, you would have to compare all fingerprints with all other fingerprints and come up with no duplicates. Even that wouldn't be enough: you'd need to compare all fingerprints in history, past and future.

    reply to this | link to this | view in chronology ]

    • icon
      madasahatter (profile), 12 Mar 2015 @ 6:09pm

      Re: Are fingerprints really unique?

      The best data on this used identical twins and found each had different fingerprints. Also, there has been no documented case of misidentification due to two people having identical fingerprints.

      The problem with biometric systems is that once compromised there is ability to reset the fingerprint. With a password based system, users can change their passwords if needed.

      reply to this | link to this | view in chronology ]

    • identicon
      KRA, 12 Mar 2015 @ 7:59pm

      Re: Are fingerprints really unique?

      It has been a long time since I took stats, but you don't have to test an entire population to get valid and reliable data. The idea is to take a random sample and then apply your findings to the population--the particular type of analysis tells you what your sample size needs to be.

      The issue with fingerprint identification is the lack of consistency in matching and the lack of any scientific basis for calling something a match. This tidbit from a Popular Mechanics article has haunted me since I first read it:

      A 2006 study by the University of Southampton in England asked six veteran fingerprint examiners to study prints taken from actual criminal cases. The experts were not told that they had previously examined the same prints. The researchers' goal was to determine if contextual information—for example, some prints included a notation that the suspect had already confessed—would affect the results. But the experiment revealed a far more serious problem: The analyses of fingerprint examiners were often inconsistent regardless of context. Only two of the six experts reached the same conclusions on second examination as they had on the first.


      Our method of taking prints and evaluating them sucks, even if we assume they are all unique. Interestingly, I trust tech companies to improve fingerprint technology more than I trust law enforcement to. Tech companies have a motive to get it right and law enforcement has a motive to keep it fuzzy.

      reply to this | link to this | view in chronology ]

      • icon
        orbitalinsertion (profile), 12 Mar 2015 @ 11:42pm

        Re: Re: Are fingerprints really unique?

        Fingerprint examination is the problem there, yes. No one matches whole prints on a regular basis, even when they have 2 whole prints to compare. Machines don't, either. But one could hope for tech companies getting it better if they are going to follow this rather stupid route for security.

        reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 13 Mar 2015 @ 8:15am

      Re: Are fingerprints really unique?

      The exact pattern of your fingerprints are not coded for by your DNA, so there's a very large arbitrary and/or random component to them. It's a bit like assigning a random number to every human. There's no guarantee that each will be unique, but the odds of two being identical are very, very tiny.

      "To prove it, you would have to compare all fingerprints with all other fingerprints and come up with no duplicates"

      No, there's no need to go that far to prove it. And this issue about fingerprints has been very well studied. The usual figure cited for the odds that two people have the same fingerprint (for a single finger) is 1 in 64 million.

      However, due to the fact that fingerprint matching is not done by comparing entire fingerprints means that the odds of two people having their fingerprints being judged as the same are around 1 in 50,000 (depending on the exact method being used).

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Mar 2015 @ 7:50pm

    Fingerprints and DNA...

    ... can both be stored, copied and faked and neither one can be revoked.

    reply to this | link to this | view in chronology ]

  • icon
    tracyanne (profile), 12 Mar 2015 @ 7:57pm

    I'll stick to my 4-digit PIN for now

    I'll stick to my 12 digit pin, 4 digit pins are so 90s

    reply to this | link to this | view in chronology ]

  • icon
    fairuse (profile), 12 Mar 2015 @ 8:06pm

    This Happened, in another universe, DNA ID [video]

    ACT I.
    We are pretty good at making Science Fiction into Science.

    ACT II.
    People don't care how a thing does magic as long as it doesn't interfere with their goal - open car door, start car, tell the residence to go lock down, buy food.

    ACT III
    The leader of the [ ] makes 1 system and declares it mandatory. This system spans networks all cities and is the only way to do any task; even buy coffee.

    METHOD: place finger on device. The device compares DNA sample to data on file. You are a match = 1? Good. There is no invalid compare = 0. Mismatch = Infinity? Infinity means you are a clone or worse; from the future.

    This brings us to a VFX short film because the film has every horror you can relate to. Count the topics: hint we are trying to find the 1 solution now. It is fun to see all the security vs safety, commerce tracking, locks and passwords are DNA ID and the police have 100% of the data, the access, you are instantly guilty, go to jail, do not collect (..)

    -- The director's youtube accnt
    PLURALITY

    -- If the site boss wants embed ...
    TANSTAAFL

    reply to this | link to this | view in chronology ]

  • icon
    dddimwrong (profile), 12 Mar 2015 @ 9:24pm

    Our Company has been using Finger Vein readers

    We have been using finger vein pattern readers for 3 years now and we are quite satisfied. We've had no false positives or incorrect rejections. As a biometric it would be very hard to duplicate the veins with a warm liquid coursing through them. You'd have to have one very expensive piece of equipment to duplicate someone's pattern of veins in the last half an inch of a digit. The user has to enter their user-id and then the pattern has to match and only a live finger tip will work. The user can change their user-id at any time and can change which finger they are using and each finger is in fact different. The great thing is that your finger vein pattern has absolutely no law enforcement value as no one has ever left their finger vein pattern at any crime scene.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Mar 2015 @ 7:43am

      Re: Our Company has been using Finger Vein readers

      "The user has to enter their user-id and then the pattern has to match and only a live finger tip will work."

      Huh? Why do they have to enter a user-id? Sounds to me like it might not be quite so accurate after all if it can't identify them from their vein pattern.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Mar 2015 @ 10:12pm

    Fifth Amendment concern

    Biometric fingerprints aren't protected by the Fifth Amendment, because these aren't stored in your mind.

    You can therefore be compelled to provide your fingerprint, and can't refuse on Fifth Amendment grounds.

    A password on the other hand is stored in your mind, and unless you are stupid and admit you know it, its production can't be compelled.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Mar 2015 @ 1:10am

    You can't change your fingerprints so once someone has your fingerprint you are pretty screwed. The same goes for all biometric data.

    Even if you build a device that could not be tricked directly there are always other ways to get around that so having a single unchangeable identity or password is just bad business.

    reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 13 Mar 2015 @ 7:11am

    I think biometrics can be PART of the key to get into some system. But in the end it should be a mix of things so if you don't have a portion of it then you can't go in.

    I'd love to have a combination of password, biometrics, code generators (such as google auth), thumb keys and others. Your choice depending on how much that specific access matters.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 13 Mar 2015 @ 8:21am

      Re:

      Yes, from a security point of view, relying solely on fingerprints in foolish in the extreme. Of course, it's foolish in the extreme to rely on any single method of authentication anyway -- but if you're only going to use one, it shouldn't be fingerprints. Of all the authentication schemes out there, if you're going with single-factor authentication then strong passwords are still the best bet. By a lot.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Mar 2015 @ 7:45am

        Re: Re:

        "strong passwords are still the best"

        Define "strong passwords".

        reply to this | link to this | view in chronology ]

        • icon
          John Fenderson (profile), 16 Mar 2015 @ 8:57am

          Re: Re: Re:

          "Strong" is a bit of a subjective term, but personally I consider the minimum form that qualifies is one that is at least 8 characters long and consists of a random string of characters that include punctuation and a mix of cases.

          Also, to count as "strong", it must only be used to access a single thing (no password duplication) and should be changed regularly. Personally, I go with every 60 days. Expired passwords get discarded, not reused.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 17 Mar 2015 @ 8:27pm

            Re: Re: Re: Re:

            "... consists of a random string of characters that include punctuation and a mix of cases."

            As soon as you start making rules or patterns that it must follow, it's no longer random.

            reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.