Monday, April 23, 2018

Once again, with feeling: do NOT use your fingerprint to unlock your devices

Police in UK arrest a man based on a fingerprint seen in a photo he posted online:
A pioneering fingerprint technique used to convict a drugs gang from a WhatsApp message "is the future" of how police approach evidence to catch criminals. 

An image of a man holding ecstasy tablets in his palm was found on the mobile of someone arrested in Bridgend. 
It was sent to South Wales Police's scientific support unit and helped to secure 11 convictions.
It's just a short step from a photo to a 3D printer, and then you have something that someone can use to get into your stuff.  Let's review the security badness in this strategy:

1. You probably don't know if you've posted photos with enough detail for someone to make your fingerprint.  In more formal security-speak, you can't tell if your fingerprint has been compromised or not.

2. The first rule of passwords is that if you think it may have been compromised, you change the password.  If you use your fingerprint as a password, you can't change it.

And I'll keep beating the drum that I've been pounding on:

3. In some jurisdictions (example: the USA) the authorities cannot compel you to tell them your password (in this case, due to your 5th Amendment protection against compelled testimony against yourself).  However, there is no restriction on them taking your finger and running it across the scanner to unlock your phone.  Or presumably taking your fingerprint (which they do as a matter of routine) and 3D printing one that they use to unlock your device.

To be perfectly clear: stop using your fingerprint to unlock your devices.  Srlsy.  Right now.


Eagle said...

Multifactor authentication, as long as one of those factors isn't your fingerprint. Make sure that both are changeable at will. Keep 'em guessing.

Just sayin'...

Overload in Colorado said...

I would like to both fingerprint and password. I have 'associates' who can catch a 6 digit password with one viewing, even upside down. To secure against them, the fingerprint is better. As you say, a password is better vs the police.
I was looking at my Liberty safe, and the lock has a key in the tumbler. While it's nearly impossible for an observer to see the numbers on the edge of the tumbler, it's easy for them to see the orientation of the keyhole. And from that, they're very close to being able to crack the safe. I'm looking into a tumbler cover that's blank.