You are already putting copies of your fingerprints everywhere, by just touching stuff.

Fingerprints, like all biometrics are not a secret like a password. The point is to assess your physical presence. When used with a phone, your fingerprints are not securing your data, the phone, as a physical device does ("something you have"). The fingerprint is a second factor ("something you are"), a way to make sure the device is in your hands and not someone else's hand.

Security depends on the sensor device. That is, how good it is a making a difference between your actual, live finger and something else.

If you are worried about the security of your phone fingerprint sensor, use a password. Your fingerprint itself is already available to anyone who cares.

I don't buy this.

Fingerprints and other biometrics can be used as both/either "something you are" and "something you have", if we're using the MFA terminology.

With that in mind, a system that required 2 biometrics for access might be as good as a system that requires 2 factors in other forms.

If someone steals my fingerprint from a glass in a bar, it's unlikely they also have a model of my face or a print of my retina, or some other biometric. Or if they do, it's likely they were motivated enough to also know my password/PIN/whatever.

Putting the tech aspects aside, a biometric is identification and authentication rolled into one: you're both saying who you are and proving it at the same time.

This is simply untrue, and anyone who follows this advice will fail a NIST audit: https://csrc.nist.gov/glossary/term/multi_factor_authenticat....

All three factors have different security properties. The big downside of biometric factors is that they can't be replaced when compromised. You can't play language games and say "oh, I technically /have/ fingerprints" and pretend that changes their security properties.

> The fingerprint is a second factor ("something you are"), a way to make sure the device is in your hands and not someone else's hand.

> Your fingerprint itself is already available to anyone who cares.

In that case your fingerprint can't prove you're here then

And this is why multiple factors are essential. It does indicate that you've had proximity to the credentials.

Ie, if I replicated your fingerprints from a drink glass in a bar, I'd likely not know your name (username) or password, which would be the first factor.

Equally if I got your credentials from a dark web leak, I'd not know your biometrics, which would be your second factor.

It isn't foolproof, but it is certainly significantly more secure than just making your password more complex.

That said, I do prefer fingerprints being an identifier (or username) rather than a credential, but as part of an MFA process I feel it adds value.

> something you have

Like passkeys, which also cannot reach the secrecy of passwords.

In India the entire population gave their fingerprint to the government via a massive program called Aadhaar! [1]

This is mandatory for bank accounts, sim cards and what not. So its practically unlivable without Aadhaar these days.

[1] https://uidai.gov.in/en/

It's not just the fingerprints, they have the scan of the retina for the entire population.

It's a disaster waiting to happen.

I'm not sure retina is included in every passport. We're not a member of the EU, but our IDs and passports are compatible.

We have encrypted face biometry and fingerprints on them, but no retina. None of the countries I have visited required my retina scan, either.

In the older versions, some data was unencrypted, and most encryption was optional, and someone built a passport scanner and made a talk. I remember that some heads are proverbially rolled and some specifications are updated.

Na, the one that me and the parent are referring to does not apply for visitors. It's for all citizens of India that have opted for the Adhaar card (which is pretty much the entire population).

I know India does this, but I'm not aware that EU countries are doing this, for their population.

What retina scanners do they use? I've been trying to get some to do 3FA on high security areas for years and can't find any that seem decent. (Note that iris scanning is completely different than retina scanning, and is just about as useless as face scanning.)

India is a disaster already happening.

There was also some (unconfirmed) news article that the whole database is for sale like $5 with millions of records. So if that was true, you can unlock almost any Indian persons phone!

which can be most easily hacked by hacking their phones first

In the EU, the ID and passport standard includes biometric data (fingerprints, photos), and those are stored on an NFC chip within the document.

sooner or later, this is gonna hit you so hard in the butt you will feel it in your mouth.

your gvt will deeply regret this move someday. it's beyond stupid.

I think the real issue would be physical access. With fairly high resolution 3d printers and a copy of your prints, I'm sure a replica of your prints could be created in a matter of minutes. Imagine you are at an airport and customs wants to look at your phone. You refuse to unlock it. Depending on the country, they can compel you to do so. If you refuse to comply, if they have a copy of your prints they could just have a replica printed out. This is why there is usually a way to set your phone into a state where it requires a passcode, which in theory is more legally protected than biometrics (on an iPhone, hold the power button + volume up/down for a second until you get the screen to turn off / make an emergency call. Even if you now hit cancel the phone requires a passcode to unlock).

You dont even need anything that advanced. Most biometric scanners can be bypassed with a gummy bear!

https://www.theregister.com/2002/05/16/gummi_bears_defeat_fi...

Well to be fair, the article is about a guy etching fingerprints into a photosensitive PCB to essentially create a mould, then using gelatine to cast a fingerprint....seems way more advanced than directly printing out replica finger or at least printing out a mould and casting it more or less like the article mentions with gelatine.

That was nearly 22 years ago. Does the same attack still work against most modern biometric scanners?

We don't know what kind of sensors was used to test this in the article, but there are two main types of fingerprint sensors, optical and capacitive. Optical is just a camera, basically. Capacitive actually measures the variation in electric conductivity caused by the ridges of the fingerprint and can build a unique ID from that. I think the "make a cast of the finger in an electrically conductive material that is more or less within the variation of resistance of an average human finger" method would work with these, too. There are more advanced sensors that are based on capacitive touch, but have anti-cheating measures, such as making sure you have a heart beat and whatnot (think of how pulse ox meters that clip onto your finger work). I am not sure if any phone's use the more advanced types, though. I think all of them would be defeatable by a motivated attacker, even "at scale". I imagine you could create a "skeleton" of a thumb that would defeat a heart rate based verification method, and then a 3d printed fingerprint cast in a conductive material could be slipped over it, etc.

I think FaceID would be more secure based on the fact that it would be hard to fake an entire face at scale (faceID does a bunch of verification type stuff too to make sure you are not just pointing the sensor at a dummy that looks like a person). At the end of the day though, if an attacker has a sufficiently high res scan of your finger or face, and enough time/money/will, any type of biometrics could be bypassed.

The list of devices is on page 21 (of 33) in the presentation at https://web.archive.org/web/20030315060403/https://www.itu.i... . Seven were optical, four capacitive.

I understand a sufficiently capable attacker may be able to bypass fingerprints.

My question is does the gummy bear method (or really, the gelatin method), still work against most modern fingerprint readers?

Even the 2003 research pointed out, at https://totseans.com/totse/en/bad_ideas/locks_and_security/1... , "If "live and well" detectors can clearly distinguish their moisture, electric resistance, transparency or bubble content (i.e., bubble rich material or not) between live fingers and gummy fingers, fingerprint systems can reject gummy fingers. Also, detection of compliance would be helpful for preventing gummy fingers. Furthermore, some of measures which have been proposed in patent literature may be useful in preventing gummy fingers."

Have those methods been widely integrated to make that 20+ year old method no longer viable?

Well if you have a Google pixel you have nothing to worry as it won't recognise legit fingerprint 9 out of 10 times.

I'm not a security expert, but as far as I know, the fingerprint should only be used to identify a user (like a username), not authenticate.

Not sure about how much data any entity could leak but if you want to be sure, perhaps you can use a different method on your phone?

> Even if a third party has my biometric fingerprint details, can I rely on how physical access to my phone is necessary to bypass the fingerprint lock?

I think not, if the third party is a government.

Fingerprints alone are simply a number that is generated by your finger on a reader, and then sent to some other system.

Think of a fingerprint reader as a USB keyboard that types out your fingerprint number for you when you touch it. While an attacker can steal the finger and put it on the reader they are more likely to steal the number and type it in with a regular keyboard.

Border controls are about building a (passport, face, fingerprint) tuple under human (or remote human) supervision on trusted hardware to control physical movement. It feels like one of the few cases where fingerprint readers do actually work as an application.

Now that the border police have your magic finger number they can indeed unlock your phone too. It’s an offline attack though — they need to get logic probes between the reader and the CPU — so if the phone locks with a PIN after reboot, magic key press, or a period of time then that’s the appropriate defence.

> It’s an offline attack though — they need to get logic probes between the reader and the CPU — so if the phone locks with a PIN after reboot, magic key press, or a period of time then that’s the appropriate defence.

I'm expecting that if you want to do it at scale (like once a day per airport), you can 3d print them within an hour

the magic finger number has a challenge response, so they can't do that (to an iphone)

If the third party is a government (any random three letter agency) none of your opsec matters. Move to Russia as Snowden did.

Just because your government can break your opsec doesn’t imply it’s not worth doing your best. Maybe you’ll avoid being caught in a lower-cost/mass surveillance system and you might not do anything to attract a more dedicated attack.

Re fingerprint: there’s risks around having your fingerprint lifted from something you touch (eg a glass). It’s a movie trope but it’s not that far fetched from being doable. Eg from 20 years ago: https://www.theregister.com/2002/05/16/gummi_bears_defeat_fi...

Just want to point out that foreign nationals are apparently sometimes fingerprinted and their DNA swabbed too on entry (according to the travel advice of several governments) - and electronic devices are sometimes searched at the border too. Biometrics are routinely taken for longer stays according to: https://www.themoscowtimes.com/2021/07/01/russia-imposes-bio...

In Russia they don’t use harvested fingerprints to unlock phones. They use wrenches and flat irons to get info and bad windows on higher floors and polonium tea to prevent anyone else getting info.

Not only in Russia.

Yes. You might just accidentally fall out of the window, no problem.

Probably not worth worrying strictly about the info gathered by airport security unless you're a person of interest, either to that nation or it's allies. If you're that interesting to whoever, all bets are off. Plenty of other ways to get info off phone.

FWIW I really don't recommend just fingerprint for phone access. You can change a PIN if someone else gets a hold of it, there's not much you can do to change your fingerprints.

Though the traveler may not be particularly interesting, their employer’s trade secrets or database access might be up there.

Perhaps. I would hope that anyone accessing confidential information on a phone with such flimsy security would understand the risks they're taking.

If not then I'd question what their IT department was doing not forcing a least PIN unlock on the phone.

So it is a legitimate concern after all?

Fingerprint is never safe. I can just get your phone and it will be all covered with your fingerprints.

It's like sticking a note with a password on your computer :)

Personal protip: I use fingerprint lock, but anything sensitive on my phone is blocked with extra pattern lock. With unlocked phone you can access my gallery but you cannot access bank apps. IIRC this will be the built in feature of next Android, I use Xiaomi smartphone which has many extra security features like this one since basically always. Maybe there is an app for this too, I don't know.

Of course this isn't 100% secure, I probably have USB Debugging unlocked, but at least saves me from a random person just grabbing my phone while I'm on a bus and running away with unlocked phone.

Before anyone asks "But aren't bank apps already locked with their own PIN codes?" - yes, they are. But some forces me to have 4 digits PIN only, some even suggests using fingerprint to unlock them (and for some I do). But I'm also blocking Google Play, a browser where I do the most private stuff, I could block a messenger app. Basic apps does not have extra security features.

What ROM are you using on your Xiaomi?

It should not matter that I'm using Xiaomi.eu ROM, this was available on stock rom too.

But actually you made me think.. So I'm not sure about current models sold in EU, they removed a lot of MIUI features and replaced them with shitty Google alternatives on EU roms. But would they remove such a "deep" feature? It's not "just an app", it's a system core feature to me.

If you have this "Security"/"Control panel" (idk how it's named in English right now) app (the one with green shield icon) this feature should be available to you

Thanks. My question was aimed more towards both caring about security and using a stock MIUI ROM, which seem to contradict each other.

If you're concerned about security, don't have all your sensitive information packed into a phone.

30 years ago much of the population was concerned about typing a credit card number into 'the internet'. Now we have a small, hackable, stealable, insecure by design device with bank, personal communications, business communications, social security, family photos and numerous more data depending on your choice of app. It's a great win of drip-drip very convenient life is faster now (it isn't, there's just more gap for not planning).

> Does airport fingerprinting compromise my biometric security?

Access by a criminal? probably not much - if they can get physical access to your phone, access to your fingerprint by social manipulation or threat isn't that hard.

Access by government agency that confiscates your phone? theoretically yes, but no more than using printed fingerprints on an arrest record or lifted from your home and printed so they can be used on your phone.

Access by a local sheriff/corrupt cop? a lot of hassle compared with getting access to your finger

We’re gonna go full circle back to passwords - mark my words.

I think 2FA physikal tokens like yubi key will also play a big role.

And honestly, I fear that most people just don't care

Especially most banks and government sites. Why doesn't Social Security and the IRS have Yubi key 2FA?

Ok, granpa!

This is the insightful commentary that I came to expect of HN /s

Biometrics are a terrible choice for sensitive information:

* It is easier to push your thumb on a screen than to pry a password out of your head. (relevant XKCD: https://xkcd.com/538/)

* You will leave fingerprints and other biometric features everywhere.

> Biometrics are a terrible choice for sensitive information [..] It is easier to push your thumb on a screen than to pry a password out of your head

It's way worse than that, you may only need photographs of someone's thumb:

https://arstechnica.com/information-technology/2014/12/polit...

You can also just use a gummy bear https://www.theregister.com/2002/05/16/gummi_bears_defeat_fi...

The gummy bear method needed actual fingerprints from the victim (for instance lifted from a glass the victim had touched).

The CCC improvement worked merely from photos of the victim's thumb...

Depending on jurisdiction, there might be cases where law enforcement can force you to use your biometric to unlock your phone but they can’t force you to reveal your pin. Reality vs what’s technically legal makes this comparison hard (ie consult with a local legal expert).

The only time I have used fingerprints for flights is for bag drop. That is, the fingerprint verifies that the same person dropping the bag is the one that later boards the flight. In that scenario the fingerprint is not needed after that, and I'm sure there is no regulatory permission to store biometric data for any longer period of time than necessary, which is only until the plane leaves. I haven't seen these systems in a while though so its possible that newer regulation like the GDPR even made them too cumbersome to maintain. Of course there is a risk of compromise in such a system, but if someone wanted your fingerprints specifically it would probably be easier to get them from your car door than hacking an airport system.

Fingerprints for unlocking is not very secure it's just a convenience. Consider it to be equivalent to face unlocking. Anyone who is determined enough will bypass it. Whether it's secure enough depends on your threat model. I trust face unlock to prevent my kids unlocking my phone but that's a whole different kind of threat model from a state actor.

> I trust face unlock to prevent my kids unlocking my phone but that's a whole different kind of threat model from a state actor.

As long as you keep the default of requiring attention, face lock is likely safer than a fingerprint from the kid threat vector.

"Fox News reports that six-year-old Ashlynd Howell from Arkansas spotted her mother Bethany taking a nap on the couch. The girl then took her sleeping mother’s thumb and placed it on her iPhone’s fingerprint reader to unlock the device, all so she could order $250 worth of Pokémon merchandise on Amazon." - https://wsvn.com/news/us-world/6-year-old-uses-sleeping-moms...

"Cryptographic expert Matthew Green has found his son Harrison bypassing the security measures, CNN Money reports, by swiping the phone with his thumb while he slept" - https://www.dailydot.com/debug/touch-id-child-iphone-unlock/

Though depending on how deeply you sleep:

"Man opens eyelids of sleeping girlfriend to unlock her phone, steals over Rs 18 lakh from her bank app" - https://www.indiatoday.in/technology/news/story/man-opens-ey...

and from five years ago: "Heavy sleepers, beware: Researchers bypass Apple FaceID using glasses with tape" - https://www.digitaltrends.com/mobile/apple-faceid-tricked-by...

Bonus: "Face ID shown unlocking for family members who aren’t alike" - https://bgr.com/tech/iphone-x-face-id-hack-family-members/ with the suggestion that Face ID continuously updates the facial features, and by sharing the phone the recognition algorithm may have ended up trained on both faces.

In which country was that? You mention GDPR, but I've not seen it in the ~10 EU countries I've used airports in in the last few years.

That was Sweden. I googled and it was introduced around 2007 in several airports but I can’t see when it was discontinued but I think it was around a bit into the 10’s at least. It has definitely not been used in the last 5 years in those airports and possibly not even the last 10.

I probably just missed it.

I mostly use the main airport of southern Sweden — Copenhagen.

Fingerprints aren't equivalent to security.

They are at best a quick convenience for perhaps a time logging machine? Where security really isn't a factor.

Spare a thought for people with unreadable fingerprints. Airports & foreign immigration are a continuing pain in the neck.

Is this a genetic condition, or caused by trauma like burns?

> Even if a third party has my biometric fingerprint details, can I rely on how physical access to my phone is necessary to bypass the fingerprint lock

Two points to make:

First, I don't know about Android, but certainly on iPhone, the fingerprint data is stored in the Secure Enclave and the biometric reader on the phone establishes a secure communications channel (unique session key) with the Secure Enclave. So remote attacks are unfeasable unless you've managed to extract the underlying shared key from the Secure Enclave.[1]

Second, the definition of what is "stored". There are a number of different approaches to storing biometric data, and most if not all "modern" methods will store an algorithmic derivation of some sort rather than actual raw measurement data. Hence if the government is using algorithm A and your phone is using algorithm B, then in all likelyhood there is no viable way to transpose between the two.

Third, generally good OPSEC suggests to disable the biometric login to your phone anyway and rely on a password. That way, for example, someone can't just hit you on the head to render you unconcious and hold your finger to the sensor. (They would have to force the password out of you whilst you were concious, per XKCD[2] ;-)

[1]https://support.apple.com/en-gb/guide/security/sec067eb0c9e/... [2]https://xkcd.com/538/

There's plenty of reasons to not use fingerprints to unlock an iPhone, just saying.

as far as i know, we do not store fingerprints but i kind of hash of the fingerprint. so if this hash is stolen, it should not be possible to reconstruct the fingerprint "curve points" to use it on your device. but if someone does gain access to your device, i'd say that device is fucked anyway.

if your device is locked with fingerprint, it will be FAR easier to grab your fingerprint from something you touched. and creating a fingerprint impression from this will be VERY easy. it takes simple glue and it is very low-cost. you use cyanolate and a gummy bear. the gummy bear will hold the fingerprint while you apply it to the sensor :)

here are a few links : https://blog.kraken.com/product/security/your-fingerprint-ca... https://blog.talosintelligence.com/fingerprint-research/ https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

fingerprints are a conveniance. they will work at home where you want that phone to be protected from your kid you don't want to be accessing internet too easily.

as a security measure, it's stupid because it is very easy to grab fingerprints : you leave those all around. it is also very easy to just create an impression from a picture with a good quality camera. and once it's compromised, you CANNOT change your fingerprint for another one.

do. not. use. fingerprints. for. security.

> as far as i know, we do not store fingerprints but i kind of hash of the fingerprint

Kyrgyzstan also has a similar database but with actual fingerprints, not hashes. It is illegal to not have a passport for anyone 16+ and your cannot have one without fingerprinting. The procedure was introduced by the ruling party to allegedly make elections secure and sponsored by the Japanese government (JAICA).

> as far as i know, we do not store fingerprints but i kind of hash of the fingerprint

Who is "we" in this context?