undefined | Better HN

0 pointsbryanrasmussen1y ago0 comments

basically everything that retains the same structure between two occurrences can be inferred. Only randomness cannot be inferred.

But true randomness is not useful for determining if you are who you say you are.

0 comments

3 comments · 1 top-level

advael1y ago· 2 in thread

Even a password can be changed if there's a compromise. Biometrics are bad because they can be imitated, but not changed. A breach is permanent

bryanrasmussenOP1y ago

good point, but that was left out of the earlier statement about inference. I suppose I should have inferred it however.

advael1y ago

Yea, my bad I guess. I tend to think people mostly get that biometrics are, well, mostly immutable and that not being able to switch them up in response to a suspected breach is a huge inherent weakness. So the only defense I really get of them from anyone is that the effort for the user is minimized while the effort for the attacker is still fairly high. The problem with that is why I mention inferrability: The existence of a computer system that can authenticate via a biometric implies the existence of one that can capture and spoof it, and we don't have any reason to believe this involves, say, more of a cost disparity than cracking a password, let alone anything approaching a strong one-way function. If your face is your key, do you start hiding your face on the street so no one can steal it? Same thing for behaviorals

j / k navigate · click thread line to collapse