Tuesday, October 1, 2013

Fingerprints are Usernames, not Passwords


As one of the maintainers of eCryptfs, and a longtime Thinkpad owner, I have been asked many times to add support to eCryptfs for Thinkpad's fingerprint readers.

I actually captured this as a wishlist bug in Launchpad in August 2008, but upon thinking about it a bit more, I later closed the bug as "won't fix" in February 2009, and discussed it in a blog post, saying:
Hi, thanks so much for the bug report.

I've been thinking about this quite a bit lately. I'm going to have to mark this "won't fix" for now. The prevailing opinion from security professionals is that fingerprints are perhaps a good replacement for usernames. However, they're really not a good replacement for passwords. Consider your laptop... How many fingerprints of yours are there on your laptop right now? As such, it's about as secret as your username. You don't leave your password on your spacebar, or on your beer bottle :-)

This Wikipedia entry (although it's about Microsoft Fingerprint Readers) is pretty accurate:
* http://en.wikipedia.org/wiki/Microsoft_Fingerprint_Reader

So, I'm sorry, but I don't think we'll be fixing this for now.

I'm bringing this up again to highlight the work released last week by The Chaos Computer Club, which has demonstrated how truly insecure Apple's TouchID is.


There may be civil liberties at issue as well.  While this piece is satire, and Apple says that it is not sharing your fingerprints with the government, we've been kept in the dark about such things before.  I'll leave you to draw your own conclusions on that one.

But let's just say you're okay with Apple sharing your fingerprints with the NSA. As I've already told you, they're not private at all.  You leave them on everything you touch.  And let's say you're insistent on using fingerprint (biometric) technology because you can.  In that case, your fingerprints might identify you, much as your email address or username identifies you, perhaps from a list.

I could see some value, perhaps, in a tablet that I share with my wife, where each of us has our own account, with independent configurations, apps, and settings.  We could each conveniently identify ourselves by our fingerprint.  But biometrics cannot, and absolutely must not, be used to authenticate an identity.  For authentication, you need a password or passphrase.  Something that can be independently chosen, changed, and rotated.  I will continue to advocate this within the Ubuntu development community, as I have since 2009.

Once your fingerprint is compromised (and, yes, it almost certainly already is, if you've crossed an international border or registered for a driver's license in some US states and countries), how do you change it?  Are you starting to see why this is a really bad idea?

There are plenty of inventions that exist, but turned out to be bad ideas.  And I think fingerprint readers are another one of those.

This isn't a knock on Apple, as Thinkpads have had embedded fingerprint readers for nearly a decade.  My intention is to help people stop and think about the place of biometrics in security.  Biometrics can be used as a lightweight, convenient mechanism to establish identity, but they cannot authenticate a person or a thing alone.

So please, if you have any respect for the privacy of your data, or your contacts' information, please don't use fingerprints (or biometrics, in general) for authentication.

kthxbye,
:-Dustin
