Thumbprints are not Passwords

After every Apple keynote, you can always expect to read the same type of sensationalist article. You know, the “Is this the end of _______ as we know it?” Well, iPads didn’t kill PCs, Siri didn’t kill Google search, and thumbprint scanners will NOT kill passwords.

See, biometrics aren’t really in the same vein as passwords; they’re really more of a supplement, or a verification of a person’s prescence, like a PIN number or SMART card. They’re not trying to be passwords, they’re something else entirely. They’re just trying to make life difficult enough for people who aren’t you, or at least difficult enough without a specialized computer. Even a 6 digit PIN only has 1,000,000 combinations, which would take a computer seconds to brute force, but that’s beside the point.

The point I’m going to make is that biometrics have similar flaws that don’t make it suitable as a password replacement. In all fairness, replacing a PIN number is really all Apple is trying to accomplish at this point, and I think that’s great, so it’s the media that has it all wrong.

So what’s wrong with thumbprints compared to passwords? Just off the top of my head…

  • Thumbprints cannot be changed, revoked, or reset. If someone knows your thumbprint hash, you’re out of luck, forever. If you are concerned about the NSA, this should terrify you.
  • You are limited to 10 thumbprints. And even then, you’re not going to remember which finger you used for what website.
  • They technically aren’t replacing a password, A thumbprint is read as a hash and stored as a shadow password. It will especially work this way for websites.
  • The thumbprint reader and software introduces failure points. A hacker could take control of these systems and force a certain hash without scanning a thumb. A man in the middle could read the hardware interaction and simulate it later.
  • Thumbprints aren’t secret. You leave traces of your fingerprints on everything. Especially mobile devices.
  • Technology exists to “lift”, analyze, and reproduce said fingerprints, and it will only improve with demand.
  • Some people have stubborn fingerprints. Me, for instance. When I worked for the University, we went through several thumb and handprint timeclocks the professors had to use. Those machines hated me. One of them would routinely make me scan 8-10 times before it would get a match, while it worked fine for everyone else. I think it had to do with my hands always sweating.
  • They add a failure point for the device. As someone who has owned several scanners through the years… these things break. On a PC it’s not a big deal, you can run out any buy the same brand thumbprint scanner, but what happens when it breaks on your iPhone? You buy a new phone, and you don’t get your data back.
  • You can’t let a trusted party use your thumbprint when you’re away.
  • You can damage your thumbprint. What if you burn your thumb while cooking dinner? You could be locked out of your computer for weeks, or in some cases, permanently.
  • There hasn’t been much study on this, but thumbprints could be prone to hash collisions, especially if you are forced to scan a “backup finger”. Different biometric technologies, or course, will vary greatly.
  • Your actual thumb could get stolen. Don’t laugh, it has happened. Some thieves are willing to cut off your thumb if it will give them complete, unrevokable access to your entire life.
  • Biometric hardware does not give standard readings, so you’re at the mercy of a third party to maintain access to your accounts. If you replace one piece of hardware with another brand, it will probably not give the right hash.

Passwords, of course, have problems of their own, but they are still the most secure and sensible way to protect your data. Even something easy to remember like “iLikeBag3lsAndCr3amcheese_” is incredibly secure for years to come. The thing is, security is up to you. Your password should be long. It should have caps, numbers, and special characters. You should not use the same password twice. It should not be obvious, and you should not write it down. Follow these rules and you have very little to worry about, besides forgetting it.

What’s the right way to go about authentication? I dunno, I’m not a security expert. I would say multi-factor authentication is always best, so maybe a password-protected SMART cart would be the best way.

Leave a Reply

Your email address will not be published. Required fields are marked *