http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...
Biometric information is a means to verify identification. A username and a password are also a means to verify identification. A fingerprint is no more a username than a password is a username. In the case of a username/password it's the combination that's required to verify the identity.
Is it really? I think if I send you an email at colinbartlett@whateversitehostsyouremail.com I've verified your identity as much as I need with only your username.
A username and password is a case of identification (username) and authentication (password). Authentication is proof. When you have authenticated identification (like a username and password) it's proof that the person is who they say they are.
The reason people conflate identification with authentication is that we typically use the two together. But there are lots of cases where we only care about one or the other.
For example, many systems (such as routers) implement administrative tasks with an administrative password. You don't care who performed the task, you only care that they had permission to do it. That's authentication without identification.
Similarly, there are plenty of cases where you don't care about authentication, you only care about identification. For example, anyone can send you an email. On many systems you can send people messages anonymously: there's no authentication necessary, no proof of anything necessary to be allowed to send the message. The only thing necessary is the identity of the receiver. That's identification without authentication.
Fingerprints are identification. They are used as authentication because the difficulty of collecting the identification gives a small barrier to falsifying authentication, but they're pretty terrible for that purpose. You leave your fingerprints all over the place: it's like if you just went around writing your bank PIN everywhere. There are already proofs of concepts of people constructing fingerprints from polymers; this is a simple case of privilege escalation, where gaining one level of privilege allows you access to a higher level of privilege. Given that most people give everyone access to their fingerprints that's a pretty low point to allow escalation from.
Sure, a fingerprint might be one of several factors for authentication at secure sites, but that is rarely the only thing. It usually coincides with badge readers, photo-ID, etc.
Ok. Neither the argument nor your counterargument really make sense. Yeah you can argue a very long username, something like a UUID might as well be a username and password all in one in some circumstances.
But stepping back, this is kind of a dead end argument. It doesn't help with security. Biometric information and username/pass both have enough cons that you really want both.
Basically you need both:
* Something you know (your username/password)
* Something you have (some kind of a card, your finger, your retina, some physical token).
[Ok, some researchers say "biometrics" is something else, not just "something you have": it is inherence -- something you "are". But well, I cut your finger and now it isn't something you "are" anymore. It is something _I_ have.]
This is the classic multi-factor authentication; the most commonly used version is 2FA (two-factor authentication).
Fair enough. I agree that it should be, and that perhaps saying "they're usernames" is not really the way to go.
But would you set your password to something you leave on almost every surface you ever touch?
I would not be surprised if the fingerprint scans the police take from you down at the station or the ones you give up when entering a US airport when travelling from another country could be used to open up a fingerprint protected phone in the near future.
No matter what anyone says, the fingerprint reader is convenience, not extra security.
Note also that the passcode is needed occasionally and if the wrong print is used it can be triggered sooner. The attacker doesn't get many chances using the scanned fingerprint. I'm not saying it is impossible to break or that a long passcode on its own isn't more secure but for most people the TouchID is a better trade off.
After all we have so many laws that offer similar type of protections already, such as a wife not having to testify against her husband. At some point the society decided that it's the "right thing" to do.
Perhaps the society can decide that having the government force you to unlock your devices with your finger is unacceptable.
To put it in context: spousal privilege is rooted deeply in religious tradition going back hundreds if not thousands of years. It fell naturally out of a belief that people already had (the indivisible marital unit). That's what it takes to overcome the default presumption that "the public has the right to every man's evidence." Now, the fact that something has been the case for probably 800 years doesn't mean it can't be changed, but does suggest that if people really had a problem with it, they would have taken issue with it by now.
https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples...
- If Touch ID hasn't been used in 48 hours, you'll need to enter your passcode or password to re-enable it.
- If your iPhone has been rebooted or reset, you'll need to enter your passcode or password to re-enable it.
- If a fingerprint isn't recognized 5 times in a row, you'll need to enter your passcode or password to re-enable it.
- If a remote lock has been sent via Find my iPhone, you'll need to enter your passcode or password to re-enable it.
Remote lock - or delay for 48 hours - or - give the wrong finger 5 times in a row - or get the phone reset/Rebooted
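The four fallback rules quoted above amount to a small policy state machine: biometric unlock is only offered while none of the four conditions holds, and any of them forces the passcode path. The following is an added example (not Apple's code and not part of the Lookout post) that models exactly those rules so the attacker's attempt budget can be reasoned about. Assumptions are labelled in the comments: the 48-hour clock is taken to run from the last successful unlock of either kind, a successful fingerprint match resets the consecutive-failure counter (the rule says "in a row"), and all timestamps and scenarios are constructed.

```python
"""Model of the Touch ID passcode-fallback rules quoted from the Lookout summary.
Constructed example: not Apple's implementation, and the timestamps are made up."""
from dataclasses import dataclass

PASSCODE_TIMEOUT_SECONDS = 48 * 3600   # rule 1: 48 hours without Touch ID use
MAX_FAILED_MATCHES = 5                 # rule 3: 5 unrecognised prints in a row


@dataclass
class BiometricGate:
    # Assumption: the 48 h window is measured from the last successful unlock
    # of either kind (fingerprint or passcode). Seconds since epoch.
    last_unlock: float
    failed_matches: int = 0        # consecutive unrecognised fingerprints
    rebooted: bool = False         # rule 2: reboot/reset since last passcode
    remote_locked: bool = False    # rule 4: remote lock sent via Find My iPhone

    def biometric_allowed(self, now: float) -> bool:
        """True only while none of the four fallback conditions holds."""
        if self.rebooted or self.remote_locked:
            return False
        if self.failed_matches >= MAX_FAILED_MATCHES:
            return False
        if now - self.last_unlock >= PASSCODE_TIMEOUT_SECONDS:
            return False
        return True

    def try_fingerprint(self, now: float, matched: bool) -> str:
        """Outcome of presenting a finger: 'unlocked', 'retry' or 'passcode_required'."""
        if not self.biometric_allowed(now):
            return "passcode_required"
        if matched:
            self.failed_matches = 0      # assumption: success resets "in a row"
            self.last_unlock = now
            return "unlocked"
        self.failed_matches += 1
        if self.failed_matches >= MAX_FAILED_MATCHES:
            return "passcode_required"
        return "retry"

    def enter_passcode(self, now: float, correct: bool) -> str:
        """A correct passcode clears every fallback condition and re-enables Touch ID."""
        if not correct:
            return "denied"
        self.last_unlock = now
        self.failed_matches = 0
        self.rebooted = False
        self.remote_locked = False
        return "unlocked"


def lifted_print_scenario() -> list:
    """Constructed scenario: someone with a lifted (non-matching) print gets
    exactly MAX_FAILED_MATCHES tries, after which even a real match is refused
    until the passcode is entered."""
    gate = BiometricGate(last_unlock=0.0)
    outcomes = [gate.try_fingerprint(float(i), matched=False) for i in range(1, 6)]
    outcomes.append(gate.try_fingerprint(6.0, matched=True))   # lockout persists
    outcomes.append(gate.enter_passcode(7.0, correct=True))    # only the passcode clears it
    outcomes.append(gate.try_fingerprint(8.0, matched=True))   # Touch ID works again
    return outcomes


if __name__ == "__main__":
    print(lifted_print_scenario())
```

The point the model makes explicit is the one the comment above draws: the biometric path is bounded by five consecutive misses, a reboot, a remote lock, or the 48-hour clock, and every one of those paths ends in the passcode, so the passcode's strength is still what the device's security rests on.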
(careful of contempt of court - there few things more unstoppable than a pissed-off Judge with contempt powers)
"One of the contest's organizers, Washington D.C.-based security researcher Nick de Petrillo, scanned his penis with TouchID and then used it to unlock his phone. He announced his success on Twitter on Saturday (Sept. 21) and fellow security researcher Andrew Ruef replied "Now no one will ever, ever steal your phone. [Is this] the secret to the correct use of TouchID?" "
Future HN headline: "Judge Rules Suspect Can Be Required to Unlock Phone with Penis"
Here's one example: http://www.cnn.com/2014/01/16/justice/new-mexico-search-sett...
Presumably they can force the person to type the password themselves and guarantee not to look or record their keystrokes. If they refuse, keep them in jail for contempt of court indefinitely.
Where did this silly meme come from? Sure, great, they can't use your "confession" to prosecute you for being the zodiac killer. They don't give a shit. They're going to prosecute you for the crimes for which evidence exists on your phone and leave the confession out of it.
Is it just me, or is there a contradiction here? I'm happy to provide you with a finger print (in ink), but that in itself is not enough to unlock the phone. You need my live hand attached to my live finger.
I think the problem here is that it is an oversimplification to call it a "finger print".
But that all misses the point. The only reason passwords get special treatment is that an order to compel production of a password is an order to testify against oneself. For example, unless the defendant already admits to knowing the password, the fact that the defendant knew the password after production would be obviously prejudicial. It would be tantamount to requiring the defendant to testify, "yes, it was me".
In other words, compulsory production of information whose existence and location is not a foregone conclusion probably falls foul of the Fifth Amendment. Compulsory production of your finger does not require you to provide any information other than information that clearly exists about you.
(IANAL)
A fingerprint is a means to identify someone, not a security mechanism (like a password).
This seems pedantic and absurd. A password or a username is no different than any other proxy variable to verify identity and authorizations.
The bigger question is about the implications of "authorized user access" schemata, more generally.
For example, what happens when technology allows intrusive searches of the human brain/memory?
Who is an authorized user and what is a viable way to protect against "unreasonable searches" of the human mind? Obviously the concept of a "password" is anachronistic.
"Biometric security" is authentication - not authorization.
Am I naive for thinking these technicalities are really silly? Is not the goal here to establish whether accessing and searching one's phone is fair game at some point in an investigation / trial?
I'm not a big fan of "compelled evidence" (gathering DNA, blood or fingerprints from a suspect), but the courts have been saying it's ok, and that's the approach they're taking here.
They just can't (so far, in the US) compel you to actually produce testimonial evidence like passwords, passcodes, etc.
Therefore, cops would technically not even need you to be physically present to unlock your phone. Chances are, your thumbs or index fingers are the ones used to unlock your device, so if I were a cop, that's what I'd try first.
I'm not sure though how this would stand up on legal grounds. Anyone?
Which is why 2 factor authentication is so important.
What a great ending to the story.