Your Fingerprint is Not a Password

I like my new iPhone. The fingerprint authentication is cool, but it’s important to realize that it’s only a toy.

Although fingerprint authentication gets a huge amount of positive press coverage, it is a horrible form of security at its most basic level. Put aside for a moment the crazy stories of gangs cutting off people’s fingers in order to fool fingerprint scanners; the flaw is much simpler and less dramatic.

Within days of the release of the new iPhone, it was cracked so that it could be unlocked using a copy of someone’s fingerprint. Naturally, biometric advocates claim that the current security flaw will be fixed with better scanning hardware or improved recognition software, but this misses the core issue.

Fingerprints will always be a horrible form of security. The fundamental problem is that we leave our fingerprints everywhere. We can’t keep them secret and we can’t change them if they fall into the wrong hands.

Tim says:

It’s not a bad use. The data on the phone is really not that valuable — yet. As we move forward and our phones start acting like wallets or have more connection to banking, well, that’s another matter.

Paul McMahon says:

I agree that fingerprint authentication doesn’t provide a high level of security.

However, I think unlocking your phone is actually a good use case for it.

Yes, a motivated attacker could steal your fingerprint and unlock your phone. But someone similarly motivated could look over your shoulder as you unlock your phone on the train or elsewhere.

The main use case of the lock is preventing casual snooping and preventing a lost phone from being compromised (by a common thief as opposed to a motivated attacker). As long as those are what you want to protect against, I think it is a fine mechanism.
