A Phone That Reads Your Fingerprint, Ctd

A reader writes:

Your post quotes another article that states thumbprints are “convenient and, at least in theory, uncrackable.” Uncrackable? Bruce Schneier, security expert, differs:

So…can biometric authentication be hacked? Almost certainly. I’m sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability — or maybe just a good enough printer — can authenticate his way into your iPhone.

Another adds:

I’m sure VanHemert means well when he says a fingerprint is, in theory, uncrackable – but it’s the opposite. The phone would need to access the encrypted print data on the hard drive in order to authenticate the person unlocking the device, which provides another point of access for someone to break into the phone. With any kind of security measure, the less points of access, the better.

Readers also respond to a recent post on heartbeat-based access:

Speaking as one of the millions of people with cardiac arrhythmias, I would be out of luck if a “heartbeat recognition” system was adopted to replace passwords.

EKGs are not analogous to fingerprints. When I’m in normal sinus rhythm, the system would work as advertised and I would be recognizable. However, I have frequent, random episodes where my heart goes out of pattern. These episodes can be momentary or last for hours, and during an episode my heart rate and rhythm pattern goes all over the place. During those episodes, I would presumably be locked out of my Nymi-encrypted device because it wouldn’t recognize my EKG. A conservative estimate is that four million Americans suffer from atrial fibrillation, various tachycardias, sick sinus syndrome, flutter, heart block, or WPW. Despite our electrical problems, most of us are productive members of society. But we’d lose productivity if heartbeat recognition gained ground.

And September is Atrial Fibrillation Awareness Month, so I’d like to make the healthy tech developers aware that their idea is a non-starter for this fast-growing segment of the population.

Yep, Atrial Fibrillation Awareness Month is a real thing. Another reader:

Unfortunately all biometric-based authentication has a fatal flaw. This includes fingerprints, eye scans, and even heartbeats. The problem is that the data can be copied. And once it is copied there is no way to change it.

When your account password is compromised, it is possible to change it. This is impossible for biometric identification. You can’t change your fingerprint or your eye scan or your heartbeat. It is also always available to anyone who cares to copy it. There is nothing stopping your doctor from copying all of your biometric information and using it to impersonate you. This is not possible with passwords, unless you explicitly give them out at the time you type it, which is only a few times a day. Your body is available to anyone you are around all the time.

Passwords provide the strongest possible security guarantee. Which is absolutely necessary for any Internet-based service. Anything online is accessible to anyone in the entire world. That means you have to defend against the most advanced sophisticated genius level criminal attackers out there.

There is a place for biometric-based authentication. It is good to use in addition to passwords. But it can never be a solid foundation alone.  It is the ability to be completely inside your head and not stored anywhere else that makes passwords theoretically uncrackable. In practice you need to choose a good password and not re-use them nor be fooled into giving them away.