Correct, because a fingerprint makes a password to some extent redundant.
> it's just an identifier and shouldn't be treated as a secret
Correct, identifiers are not secrets. Your face is not a secret, and neither is your fingerprint. The problem is that we use secrets to identify someone, when we potentially already have tech which can identify someone without having to remember a secret and store it in a dictionary of secrets on someone else's computer in the cloud.
The sole purpose of a password is to identify someone with a certain degree of confidence. If a fingerprint taken from a handheld device, which has already been proven to belong to a person, can provide the same if not even a higher level of certainty about someone's identity, then a password or as you say "secret" is not required at all anymore.
The password is to secure that identity. With TouchID or FaceID you are using them for both. Which reduces security.
> then a password or as you say "secret" is not required at all anymore
Definitely incorrect. Someone can cut your finger off, lift a print off your coffee mug, extract it from a selfie etc. There's been dozens of ways to exploit over the years, many of which have hit HN.
With most things you need to authenticate to gain access. Authentication is only trying to solve one question - identifying that a person is who they say they are. If I walk home and my wife sees me, she can identify me immediately by simply seeing my face and other biological attributes which give her 100% certainty that I am who I am, therefore she doesn't question me on entering the house or call the police.
If I was to go through some top secret lab experiment which would change my look (make me younger by 10 years or something) then I'd struggle to walk home and convince my wife that I am me without providing additional evidence, like sharing some secrets which only she and I know and we know that nobody else would know.
With technology so far we didn't have the ability to identify someone as confidently and as fast via biometrics (like my wife does) as via other means, which is why a few decades ago we had to invent a workaround, namely username and password - which is a secret that hopefully only me and the website knows. This was to date the best way to identify someone, but times are changing fast, and as biometric identification via technology is advancing fast, we are more and more removing the need of username + password for authentication.
Hope now my point makes sense.
Identification is knowing which account to log in. dustinmoris, User123 or user124.
That alone is useless, as anyone who knows your name could log in. So we need to add security to authenticate you. To authenticate with reasonable certainty that the person accessing dustinmoris actually is Dustin Moris, at this moment willingly accessing their own account, willingly transferring £1m to NeedMoreTea. :)
Now, it's certainly true that biometrics are uniquely associated with you, but prove identity not authentication - bear with me here.
You leak DNA and fingerprints all over the place, constantly. Fingerprints have even been picked up from photos. That makes fingerprints surprisingly weak authentication. Face IDs have been fooled by video and photos. I'm not at all current on what the state of the art on FaceID hacking and devices is, so can't say more there. In a police interview they can place your thumb on the phone or wave phone under your face. Maybe borrow your thumb while you sleep to transfer that £1m. The bank will say you fully authenticated it, in their highly secure app, you will deny it.
In combining biometrics as identification and authentication we've compromised the system. It does not give certainty, or even especially high confidence. If motivated, anyone in your office could lift a print while you're out. Computer or phone says Dustin Moris is believed awake and accessing, but you're certainly not doing so willingly, nor can you resist if just a touch or look unlocks. In this context, your wife might easily pick up on whether you were willing in a police interview or not, the phone can't, because mere identification is the unlock.
With a password they have to persuade you to reveal it. It is very easy to not leak passwords accidentally on PostIts, and manage the complex with a password manager. The police can certainly beat it out of you, but most places are supposed to have rules against that. Many places actually honour those rules. A judge might question the bruises and missing teeth.
For a lot of people that's a fine distinction that doesn't matter, the convenience of it probably being you willingly unlocking the phone with your thumb is good enough. If security actually matters, it's not.
Sorry that got a bit long.
- Fingerprints can be lifted from pictures.
- Passwords can be forgotten and thus have seriously flawed reset schemes that often fall back to something as simple as having the right phone or backup code.
- Passwords can be lifted by keyloggers.
- Passwords can easily be phished.
- Passwords can be shared.
Authenticating access can come from 1 or more of: something you know, something you have, something you are.
They each have flaws. They all do the same thing.
In practice the computer is just getting a picture, which is semi-public information, and that's why the only thing you can rely on is that it's an identifier. It's not enough to authenticate when you really need security, only in more casual situations.
That is not correct. The "system" identifies you by your ID (username - biometrics - whatever). And for the system to ensure that whatever actions you perform on it, are really coming from you, you have to add proof of your identity to the orders for those actions. You use a secret to create that proof of identity. The secret is yours, the identity is the system's (what it uses to identify you).
If you use something you don't treat as a secret (such as your fingerprint) as your proof of identity, you'll be losing it left and right - you'll be inviting everyone around to impersonate you. Drinking a can of coke and throwing it in the bin would be the same as printing your password on cards and passing them around.
A combination of "something you know" and "something you have" is always going to be a very strong authentication scenario, and making "something you have" a non-hackable thing that truly only you can have (i.e not a USB key or a TOTP seed etc.) is a good choice.
The catch here is that when you mention biometrics, you make the assumption of static biometrics (rightfully so, as most methods like Touch ID and Face ID are static), but if you combine, let's say, face biometrics with liveness checks, you are getting into a territory where faking them becomes much, much more difficult (there are various mechanisms out there, the good ones rely on completely random interactions and light-bouncing detection methods as an example).
The real challenge is how do you make these very strong biometric methods frictionless and cheap? Or how do you introduce similar controls - like liveness - for easier methods like fingerprints?
And using any of these (ideally) has absolutely nothing to do with anonymity. You are not anonymous online regardless of what you use for authentication - and you are frankly not smart if you assume that's the case. A company offering a service with biometrics is no different from a company doing the same based on email/username and a password, if they do privacy and security right.
I could actually get into a much longer rant about this last part, as it blows my mind how many netizens are all about privacy and whatnot, yet are willing to expose every single detail about them when it's convenient for them...
Why should I use unchangeable, personally identifiable details when logging into some random joe's website? The mechanics of it are also tied to specific devices if I'm not wrong. I can't just login anywhere without risking leaking secrets. When did fingerprints, iris patterns and DNA go from necessary tools in law enforcement and biology (and for highly secure installations) into casual usage all over the place?
But when you want to access something that should only belong to you, e.g. your bank account, your Google Drive files, your private emails, etc. then you must find a way of identifying yourself with the given website. Username/password is one way, biometrics is another way.
Only my family has permission to enter my house. When someone enters my house who doesn't look like my family, then they can throw around all secrets, passwords and usernames they want, I'll kick them out, because in my eyes they don't pass the ultimate test of verification, namely biometrics.
So far we were unable to provide the same level of identification via the web, but technology is changing rapidly, so I don't see why username/password are always going to be more secure. On a theoretical basis it doesn't make sense. Because information can be easily shared, spread and copied. My physical composition not.
I think you mean pseudonymity. There should be no authentication in anonymity.
> Something you know (as in password) is always theoretically more secure than something you are (your physical characteristics).
If you authenticate, you can use methods that are more or less secure. If you use a password method, and use a secret as password, it will be more secure than if you use a biometric as password.
But the security of the authentication method will bear no weight on the "pseudonymization" - meaning on the difficulty of linking the authenticated identity with your real, legal identity.
A password gives you 0 extra anonymity in this case. All it is used for is "identification" and in this regard it sucks in comparison to true biological identification.