Krissler is providing a huge service here. It's a great illustration of the fact that fingerprints and other biometrics are analogous to usernames and are completely unlike passwords.
It's like Apple and other biometric device purveyors are telling us all to just log in with our username and a blank password. At the moment we're all scrawling our passwords on every surface of every room we enter.
Well, it's a little different, because as far as I can tell he has reconstructed a 2D image of the fingerprint, but not used that fingerprint successfully for any authentication system.
"As an example, he demonstrated how he could use his fake fingerprint to unlock his iPhone — that features a ‘Touch ID’ fingerprint sensor integrated into its home button."
> It isn't entirely clear which fake fingerprint was used.
Obviously his own fingerprint. He doesn't have access to the German Defense Minister's iPhone to test the real one (assuming the Defense Minister uses an iPhone and has Touch ID configured).
Hehe well obviously not hers. What I meant was that it wasn't clear how he built the fake fingerprint he tested, whether he used the exact same method he used to construct the defense minister's fingerprint, or whether he "cheated" to make it easier on himself.
Ah haha, sorry, I misunderstood you. Yes, definitely, the details of this are fundamental to know if this could work in non-ideal conditions: it's not the same to take a high-res photo of just your finger in good lighting as to use publicly available, normal photos.
However, you can disable the thumbprint login option, just like you can disable the PIN login option. Or you can add a more complicated login. Apple gives you more flexibility to make your own choice about unlocking your iPhone; they're not saying that your thumbprint is your password.
Given that a) Apple doesn't/can't store your entire 3D fingerprint and b) registering your finger into multiple TouchID "slots" on your phone increases the iPhone's accept rate, to me means that
While I applaud the research, Krissler needs to prove that he can unlock a device reliably using a system like TouchID (as a reference platform) using this intensive photograph-only modeling approach before I become worried - his previous efforts last year don't count as "previous proof" - if it were reliable, there would be a comprehensive breakdown/proof.
Fingerprint technology has improved greatly - e.g. TouchID requires something warm like flesh behind the scan, and does image the 3D contours as applied to the press - which deform the scan from its natural state.
But more often you either don't change them many times a day (seriously, how many do that?) or don't have a PIN at all.
Peeking at someone's PIN code and snooping around the phone while the owner is away is much, much easier than reconstructing the fingerprint well enough to pass TouchID.
It was said more than once: TouchID is not perfect, but better than nothing, and before TouchID "nothing" was more likely, because of all the hassle with a PIN.
Sure. However, in practice, what difference does that make?
In many cases fingerprints are perfectly fine to use. However, they do have glaring problems as well. So they are anything but perfect, I’m just not sure what difference that makes to how they are used in practice right now.
Can anyone intent on downvoting explain what is factually wrong or misleading about the quote in the picture? Just because it's on a picture doesn't make it less valid.
If the subject you'd like to bring to discussion is the quote, post the quote. If you want to bring up a humorous Twitter account dealing with security concerns, post the Twitter account. Reposting a meme posted by that account doesn't serve either purpose very well.
If the subject you'd like to bring to discussion is no humour on HN, post no humour on HN. If you want to bring up your confusion about how Taylor Swift and security go together, just say so. Gruntling away in your post doesn't serve either purpose very well. You're being mean to parent.
I posted the original source from the creator, the Twitter account which made the Imgur album. I have swapped the .jpg with the text quote ... I just find it odd HN is so primary-source averse.
If the article was about a case where a person was mandated to unlock their phone because it is only protected by a fingerprint scan, (and of course a person cannot "forget" their fingerprint like they can a password), then your quote would have been on topic.
Yeah, the quote is about fingerprints, but it's really orthogonal to the topic of the article, which is that fingerprints can be "cracked" just like passwords. That's not what the quote you posted is about. The quote is about the fifth amendment (of the US constitution): https://www.eff.org/issues/know-your-rights#17
You don't think the ability to use photographs of hands/fingers against fingerprint readers is relevant to a quote about how using fingerprints as passwords has a security gap of consent? I'm sorry, but what? We've seen many times that fingerprint readers can be fooled, and pointing out that pictures of hands/fingers could be used against you is highly relevant to a decision of securing something with fingerprints or not.
For systems using biometric auth, wouldn't the next step be to make it multi-factor biometrics (i.e., obtaining a confidence value based on the combination of fingerprint, face, vein pattern, gait, voice, etc.) rather than the simple one-to-one matching systems we use for it now?
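As an added worked example (not part of the thread, and not code from Apple or from Krissler's work): the two numeric questions raised above - how much enrolling a finger in several TouchID slots raises the false-accept rate, and how a "confidence value" from several biometrics could actually be combined - can both be made concrete with a few lines of Python. All error rates below are constructed, hypothetical figures chosen for illustration, not measured values for any product.

```python
import math

# Constructed, hypothetical per-modality error rates for illustration only.
# far = false accept rate (impostor accepted), frr = false reject rate
# (genuine user rejected). Not measured figures for any real sensor.
MODALITIES = {
    "fingerprint": {"far": 1 / 50000, "frr": 0.02},
    "face":        {"far": 1 / 1000,  "frr": 0.05},
    "voice":       {"far": 1 / 500,   "frr": 0.10},
}


def system_far_multiple_slots(far_per_slot, slots, attempts=1):
    """False accept rate of a device that compares every presented finger
    against *all* enrolled templates (an OR across slots) and allows a
    number of attempts before locking out.

    A single attempt is rejected only if it fails to match every slot,
    so P(reject) = (1 - far)^slots; the attacker wins if any attempt is
    not rejected.
    """
    p_reject_one_attempt = (1 - far_per_slot) ** slots
    return 1 - p_reject_one_attempt ** attempts


def fused_confidence(observations):
    """Score-level fusion of independent binary biometric outcomes.

    Each modality contributes a log-likelihood ratio (LLR):
      match     -> log(P(match | genuine) / P(match | impostor))
                 = log((1 - frr) / far)
      non-match -> log(P(no match | genuine) / P(no match | impostor))
                 = log(frr / (1 - far))
    Summing LLRs (independence assumed) gives one confidence score;
    a positive score means "more likely genuine than impostor".
    """
    total = 0.0
    for name, matched in observations.items():
        m = MODALITIES[name]
        if matched:
            total += math.log((1 - m["frr"]) / m["far"])
        else:
            total += math.log(m["frr"] / (1 - m["far"]))
    return total


def decide(observations, threshold_llr):
    """Accept when the fused confidence clears a policy threshold.

    The threshold is the point where single-modality evidence may not be
    enough: a lone fingerprint match (about 10.8 nats with the numbers
    above) falls short of 15, but fingerprint plus face clears it.
    """
    return fused_confidence(observations) >= threshold_llr


if __name__ == "__main__":
    # One finger, one attempt vs. five fingers enrolled, five attempts.
    print("1 slot, 1 attempt :", system_far_multiple_slots(1 / 50000, 1, 1))
    print("5 slots, 5 attempts:", system_far_multiple_slots(1 / 50000, 5, 5))
    print("fingerprint only   :", fused_confidence({"fingerprint": True}))
    print("fingerprint + face :", fused_confidence({"fingerprint": True, "face": True}))
    print("fp match, voice miss:", fused_confidence({"fingerprint": True, "voice": False}))
```

The slot calculation is what the "more slots, more accepts" comment above is getting at: with the hypothetical 1-in-50,000 per-slot rate, five enrolled fingers and five attempts before lockout move the impostor's chance to roughly 1 in 2,000. The fusion function shows the other half: a non-matching modality does not simply veto, it subtracts evidence, so a policy can demand that a photo-derived fingerprint alone never clears the bar while fingerprint plus a live face does.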
You're far better off simply supervising people while collecting biometrics. Think: a guard at the door while you walk into a facility who compares your photo in their system with what you look like, vs. a fingerprint reader at a workstation.
Granted, they're also useful for limiting casual access. Think a kid/roommate using someone else's work laptop vs. a dedicated hacking attempt.
I wonder how well this technique would work with the keys to your house... based on say 50 photos of you with your keys dangling, could you reconstruct the key and then 3d print it?
I remember some years back Diebold posted a photo of their key that unlocks voting machines (or ATM?) as part of their marketing material. Hackers were able to copy the key and open up these machines.
One photo could be enough. There was a talk about this two years ago at 29c3. It's only available in German unfortunately (https://www.youtube.com/watch?v=3JK3TO_crc8) Lockpicking has always been a big topic at the conference.
Testimonies can by themselves end up in a conviction. I am not sure this is comparable. When a crime is committed any evidence is welcome to try and solve it. Investigators are not "choosing" their type of evidence like you can choose a type of digital protection.
I think his point is that you could frame someone using this method. Juries tend to give lots of weight to forensic evidence, often more than is scientifically justified. If you hear 'his fingerprints were found on the murder weapon' then for most people that is more than enough.