Posted on Oct 23, 2016 by Rick Falkvinge

Once more, with passion: Fingerprints suck as passwords

Share Tweet Plus



Imagine you had a really strong and complex password. It was so hard for anyone to remember, that you had printed thousands of business cards with the complex password on them, and left such a card at every single object you just happened to touch. Would that be a good password?

This week, there was a story about an FBI house search where the people in the house were compelled to give up their fingerprints in order to unlock phones, which were locked just with fingerprints.

Most people seemed to be appalled at the FBI being able to coerce somebody into unlocking their phone, while pretty much nobody would have blinked at phones being seized as part of a lawful search.

How many stopped to reflect over the fact that the house was probably filled to capacity, on every object and every surface, with those fingerprints required to unlock the phones in question? That it would have been absolutely trivial to recover them from the first glass fetched from the kitchen, or even from the very phones in question?

Fingerprints aren’t authentication.

Fingerprints are identity. They are usernames.

Fingerprints are something public, which is why it should really bother nobody with a sense of security that the FBI used them to unlock seized phones. You’re literally leaving your fingerprints on every object you touch. That makes for an abysmally awful authentication token.

It’s true that phones can be unlocked with fingerprints, but that doesn’t turn the fingerprint into a secure authentication token. Rather, it turns the phone lock into a phone bolt, without a key requirement – an electronic bolt which one particular person can open trivially (because they carry the fingerprints on their hands) and everybody else can open with a small amount of effort (because those fingerprints are trivially retrievable and copyable). But in no way should it be considered secure, or even a lock: it’s merely something that takes less effort to open for one particular person.

Yes, of course it’s better to have a bolt on something than no bolt (fingerprint security is better than nothing). But a bolt that requires a sliding action should not be mistaken for a lock that requires a key. A false sense of security can be worse than no security in some cases.

Biometrics were never authentication tokens. They were identity tokens. Authentication tokens are secret and replaceable, and your fingerprints (your retina, your iris, and so on) are neither.

When you authenticate something even slightly sensitive with biometrics, you’re doing it wrong.

The right way to do it is to identify with biometrics, and then authenticate with a proper security token, which is secret.

Privacy remains your own responsibility.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.

VPN Service

Leave a Reply

Your email address will not be published. Required fields are marked *

8 Comments

  1. Albert Meyer

    SSShhhhh!! Someone has worked really hard to convince everyone that biometrics ARE authentication (and it’s so much more convenient than remembering a password). Besides, if you’re not doing anything wrong, what do you have to hide? Nothing to see here, move along now.

    2 years ago
    Reply
    1. c0rrupt3d.5y5t3m

      Hello Albert,
      i would reply to your comment by this, maybe a bit hardly, sorry.

      1/ “Someone has worked really hard to convince everyone that biometrics ARE
      authentication (and it’s so much more convenient than remembering a
      password)”:
      Biometrics are not only authentication: It becomes a huge database to exploit.

      Did you ever see the identification badge, on the ears of cows? This only badge is the traceability of the animal. Biometrics, as governments want to use it, have the same goal. Why? For a total control on us, that’s all.
      For people who have problems to remember their passwords, i suggest to them to stop using computers, credit cards, mobile phones, or to stop watching TV or playing too much games, to train a bit their brain, because 90% of humanity becomes less and less intelligent and more lazy, year after year.
      It reminds me the movie “Idiocracy” and we’re on the good way to become like in the movie in about 100 years…

      2/ “Besides, if you’re not doing anything wrong, what do you have to hide?”:

      In all countries, if you read well the lawyers books, you’ll see that EVERYONE can be guilty of something.

      Hopefully, there’s peoples (often hackers) fighting all this shit, to help us to keep anonymity, freedom of expression, to use alternative medicines, etc, etc…

      But the persons who have the same thoughts as yours are a real danger for our freedom, because you’re all ready to accept all kinds of controls, like this cows with their badge, waiting to be killed and served as a steack.

      This link is for you and i hope that it will open your eyes, because all the content of this website show the original and secret documents of governments, industries, etc..:

      https://wikileaks.org/

      I hope that i wasn’t too much rude with what i wrote, but i am always shocked when i see that so much peoples can accept all abuses without trying to fight it, by cowardise or fear.

      Because of persons like you, the world becomes hardest day after day, war after war and thousands of persons die everyday because of this acceptance of slavery and control too. Yes, they die under our democratic bombs, sadly.

      You have to understand that there is already a war between governments and civilians for a REAL democracy, justice and truth, because there’s no country with a democracy, like there’s no country respecting the human rights.

      I am from France, the country where this human rights saw the light… but this “country of human rights” is the first to spit on this texts which should be the basic laws of every country.

      I just want to show you how far their control on us can go, if we leave this few people leading and governing us, taking a full control of our life.

      Try to think about the future generations and not only about yourself.

      What is the future that you wish for them? Tyrany or freedom? Dictatorship or democracy? Deserts or green fields and trees?

      Think well about all this, Albert. Think well. Try to always have a look far and wide, and to project yourself in the future of your acts.

      Kind regards,
      Fred.

      2 years ago
      Reply
  2. Zac Lowing

    On my galaxy s5 you swipe your finger across a sensor. I can see how a stationary print reader can be hacked, but a swipe? Heck, I have mine set for my thumb, and I do it sideways´╗┐, good luck on figuring that out. Besides, I lock it in case it gets stolen from me on the street and I doubt hoodrats have a CSI crime lab at the crib.

    2 years ago
    Reply
    1. Antimon555

      “Heck, I have mine set for my thumb, and I do it sideways´╗┐, good luck on figuring that out.”

      Your thumb, sideways. Got it. Unless you want to say which thumb and what direction too, there are only four ways to try:-)

      2 years ago
      Reply
    2. Alex Rockemer

      Can can still be hacked but it is more work than a stationary fingerprint reader ironically the cheap fingerprint readers that take you 20 a temps to get in are more secure than the expensive versions!

      2 years ago
      Reply
  3. Alex Rockemer

    I know someone that has a fake fingerprint they made using a toe and they use that! ;P

    2 years ago
    Reply
  4. Alex Rockemer

    Passwords can be stolen with several programs or device’s like key logging or listen to key tones which to us sounds the same but too software can be vastly different!

    “The only way to win is not to play! ~ WarGames”

    2 years ago
    Reply
  5. Dariusz G. Jagielski

    Sarcasm.

    It is invisible to you.

    2 years ago
    Reply