How to give Windows Hello the finger and login as someone on their stolen laptop

Hardware security hackers have detailed how it's possible to bypass Windows Hello's fingerprint authentication and login as someone else – if you can steal or be left alone with their vulnerable device. The research was carried out by Blackwing Intelligence, primarily Jesse D'Aguanno and Timo Teräs, and was commissioned and …

  1. This post has been deleted by its author

  2. Jou (Mxyzptlk) Silver badge

    So the only move to win this game

    is not to play? How about a nice game of face recognition? Or palm recognition?

    Don't play biometrics seems the winning move. At least not alone.

    1. NeilPost

      Re: So the only move to win this game

      Relax… I’m sure they all have TPMv2.0 modules, and are good for Windows 11!

    2. jmch Silver badge
      Boffin

      Re: So the only move to win this game

      "Don't play biometrics seems the winning move"

      Seems to me that it has nothing to do with biometrics themselves and more with the implementation. The way it's implemented, all the security is embedded in the sensor itself, so the sensor is not just a sensor (ie captures the fingerprint), but also does the processing on the fingerprint* and contains all the information matching fingerprint to user. The OS is only receiving a "yup, it's that user". This is equivalent to having the password somehow stored on the keyboard, and if the keyboard detects one of the stored passwords it sends a "yup, it's that user" to the OS (in other words a totally insane way of working it).

      The way it should be done is that the fingerprint sensor sends only the raw scan to the OS, and the OS is internally doing the 'hashing', encryption and storage of user-fingerprint pairs.

      *Fingerprints aren't matched 'raw', there is some processing to 'reduce' the actual pattern to a sort of 'hash' (not exact but close enough for this topic).

      1. Timochka

        Re: So the only move to win this game

        I mean, if your intention is to make it much much less secure, that is indeed the way it should be done.

        The problem here isn't in the challenge/response style integration of the devices, that's the bit that's done right. It's the unauthenticated channel allowing MITM attacks that is the problem. All your solution does is make replay attacks trivial. (Quite apart from whether it's a security win to have actual scans of your fingerprint floating around in general-purpose memory...)

      2. druck Silver badge

        Re: So the only move to win this game

        No, the way it should be done is that the sensor produces the hash, which is matched by the TPM chip against a previous stored (and irretrievable) value.

        1. Anonymous Coward
          Anonymous Coward

          That too is broken

          The only winning move is not to allow physical access to devices while full disk encryption keys are present in RAM. Otherwise an attacker can just steal the laptop and replace the contents of utilman.exe with cmd.exe and reset your password or simply create a local administrator to login with instead from the cmd.exe now running as SYSTEM.

          Sure, it takes more work, but that still lets them at anything local to the device, which in the case of OneDrive-toting folks is a lot of locally cached/synced data, as well as anything else testdisk can image off the moment BitLocker is turned off.

  3. Pascal Monett Silver badge

    So, still no solution for securing against physical access ?

    What a surprise. Especially since, if you've got physical access, why bother with booting the machine ? Take the drive out and hook it up to your miscreant PC via USB and all the software you need.

    Job done, and Windows is none the wiser.

    1. diodesign (Written by Reg staff) Silver badge

      Not that simple

      You don't have to reboot the machine into another OS - that's just one way to do it.

      You can hotplug a MITM device while the laptop is still on to add a fingerprint and log in as the user. If you can keep the stolen PC powered up, you can log in using this method. That defeats any full disk encryption, including Bitlocker, we're told.

      We're checking what happens if you have Bitlocker and the machine is power cycled. Edit: comments from the researchers added.

      C.

    2. Wzrd1 Silver badge

      Re: So, still no solution for securing against physical access ?

      Hard to do that if the OS is in onboard flash, like most tablets.

      1. MacroRodent

        Re: So, still no solution for securing against physical access ?

        Also, if the disk or SSD is properly encrypted, taking it out and hooking it to your machine does not help, it is still gibberish.

    3. NeilPost

      Re: So, still no solution for securing against physical access ?

      Bitlocker ?

    4. Anonymous Coward
      Anonymous Coward

      Re: So, still no solution for securing against physical access ?

      What about encrypted disks? I'm surprised every time I meet someone and they aren't typing in a bitlocker password when they boot their work laptop..... This should be a minimum level of security used for a business owned computer.

  4. bryces666

    fingerprint works <25% of time

    Fingerprint readers seem to be a big source of frustration for my users and myself, if I stop setting it up that'll solve this issue.

    BTW, does fingerprint login work reliably for anyone? On my recent Dell Latitude 9430 it drives me nuts: occasionally it will work, but much more likely I get 3 failed attempts and am then told to use my PIN, so this feature is just out to waste my time.

    I naturally was cursing Microsoft for being shit again, however this article seems to indicate my problem must lie in the reader chip instead and I should be cursing Dell.

    1. Jim Mitchell

      Re: fingerprint works <25% of time

      It works well enough on my Lenovo with synaptics reader. I usually use an external keyboard and have PIN as the default.

      1. Hubert Cumberdale Silver badge

        Re: fingerprint works <25% of time

        My Lenovo has the added bonus of being so awkward to disassemble that it'd probably thwart any attack requiring unplugging the fingerprint reader...

    2. WolfFan

      Kill it with fire

      Cursing Dell is always a good idea. Not buying Dell is even better. Nuking Dell from orbit is overkill; there might be something useful (i.e., something not Dell) within the blast radius. A B-52 load of napalm should be sufficient.

      Who, me, had one encounter too many with Dell crap? Whatever makes you think that?

      1. Anonymous Coward
        Anonymous Coward

        Re: Kill it with fire

        My experience is that their displays are OK (4K, < 800€). They do not try to stuff speakers inside those thin things.

      2. Lord Elpuss Silver badge

        Re: Kill it with fire

        When I worked as an SE in the naughties at a (large, 3-letters) IT vendor, one of our accounts was a (large, 4 letters) headphone/speaker manufacturer. We actually lost the account to Dell because Dell promised they could do a ton of primary logistics stuff we at the time couldn't do because we were too bureaucratic and slow, and our systems weren't joined-up enough.

        Fast forward a year later and the client comes back to us. Because despite their shiny promises, Dell turned out to be too bureaucratic, slow and their systems weren't joined-up enough.

        1. martinusher Silver badge

          Re: Kill it with fire

          That just proves who's got the better salespeople.

          1. Terry 6 Silver badge

            Re: Kill it with fire

            If you mean Dell, one dodgy laptop sale has lost them a new tower PC sale and a new laptop sale ( respectively a Chillblast and Lenovo Yoga). So maybe that guy made his target for the month. But Dell has lost two or three times what he achieved- not including future sales, and lots of dis-recommendations.(Might have invented a word there)

            1. Lord Elpuss Silver badge

              Re: Kill it with fire

              Agree. It might have been "better" for the Dell salesperson in the short term, but it certainly wasn't "better" for the client. Being lied to seldom works out well in the end.

              Also - not sure if it still works like that but our sales people used to have to pay back commission if clients returned the products they bought.

      3. Terry 6 Silver badge

        Re: Kill it with fire

        Dell tower PC I had a while back was really good.

        Dell laptop I bought because of that was seven kinds of crap. Starting from the point where I'd asked their sales guy whether there was room in the chassis (and connections) to add a second HDD and they said there was. There isn't.

        And the sound stopping working, but with no traceable fault. I assume the tiny thin wire has broken in some location that stops both speakers working. (I think I might have invalidated the warranty when I opened it up to fail to put in that second hdd, so didn't return it- maybe I should have)

        The battery that can only be changed by stripping the whole bloody thing down to its underwear.

        The flap on the DVD cover that is so flimsy it falls off if you breath near it.

        The back cover that needs a mixture of raw courage and brute force to remove.

        I could go on.

    3. Tim99 Silver badge
      Trollface

      Re: fingerprint works <25% of time

      BTW, does fingerprint login work reliably for anyone? - It works OK for passwords on websites etc., on my Apple iMac which requires a password for initial account login.

      1. Wzrd1 Silver badge

        Re: fingerprint works <25% of time

        Well, proper security would be, something you have, something you know.

        You have your fingerprint, then entering PW or pin would secure the damned thing.

        1. Jimmy2Cows Silver badge

          Re: fingerprint works <25% of time

          Exactly. Your fingerprint, or any other biometric, is like your username. It identifies you. It should not be used to also authenticate you. Lazy security for lazy users.

          1. PB90210 Bronze badge

            Re: fingerprint works <25% of time

            At the beginning of the pandemic, I remember seeing an ad for a face mask company that promised to create a mask that would allow you to unlock your device without having to remove your mask as it had a picture of your chin printed on it

      2. A Non e-mouse Silver badge

        Re: fingerprint works <25% of time

        Just to clarify: MacOS requires you to use the password after every reboot and then every 14 days.

        1. firu toddo

          Re: fingerprint works <25% of time

          Just to clarify: MacOS requires you to use the password after every reboot and then every 14 days.

          Not quite right. MacOS will ask for a password MUCH more frequently. Change of network SSID (it's wifi only!), closing the lid and opening it quickly will do it too. As will opening and closing repeatedly. And then sometimes it doesn't! It's Apple, you don't need to know.......

          I sometimes miss the little prompt box asking for a password and wonder why my finger has broken!

          1. A Non e-mouse Silver badge

            Re: fingerprint works <25% of time

            I've not encountered those issues on my MacBooks with fingerprint readers.

        2. Lord Elpuss Silver badge

          Re: fingerprint works <25% of time

          MacOS generally requires password at power-up, and for most admin tasks e.g. installing updates, changing security settings, accessing Password Manager and so on. As well as if you mis-scan your fingerprint a couple of times; then it asks for PW for verification.

    4. Wzrd1 Silver badge

      Re: fingerprint works <25% of time

      It's reliable to the point of worry on my phones. If it's *that* reliable to log on, what does it take to get a rejection?

      False positive is about as bad as having the customized wave through device.

      Meanwhile, Microsoft gave a gift, use a pin to logon, rather than my old 15 character password. :/

      Well, at least I can change that over on devices that I want secure, can't do that with crappily implemented booger picker readers.

      1. Ayemooth

        Re: fingerprint works <25% of time

        Your PIN can have letters in it. Why the idiots called it a PIN, I do not know. Perhaps to encourage people to enter something feeble?

        1. Killfalcon

          Re: fingerprint works <25% of time

          My understanding is that they originally added the PIN to help out home users who were frustrated that the machine in their house was such a pain to log into.

          Then their corporate customers in regulated industries said things like "it is literally against the law for us to use a 4-digit password, what the actual hell is this for", so MS just let the PIN be longer and more complex (and let sysadmins set sensible complexity rules).

        2. PRR Silver badge

          Re: fingerprint works <25% of time

          > PIN can have letters in it. Why the idiots called it a PIN, I do not know.

          I remember it being a "PIN" in early days of cash-machines which only had a TouchTone® derived 4x4 numeric keypad. Even 3x4, no ABCD.

          Keypad - 12 Button at DigiKey

          I dunno if # and * could be in a "PIN"; being my money, in a bank, I would not mess with the rules.

      2. Martin
        Unhappy

        Re: fingerprint works <25% of time

        It's reliable to the point of worry on my phones.

        God, I wish. The old Nexus phones with the fingerprint sensor on the back were pretty reliable, but these newer ones with the sensor on the front are rubbish.

        What was wrong with the sensor on the back, anyway? What's so damn good about the sensor on the front, which means you have to use two hands to unlock the phone - one to hold it and one to poke the sensor multiple times till it says "Please enter password..."

      3. gotes

        Re: fingerprint works <25% of time

        I recently picked up a friend's Samsung phone, planted my thumb on the sensor, and it unlocked more reliably than my own phone.

        1. Martin
          Happy

          Re: fingerprint works <25% of time

          What's wrong with that? It's a fingerprint sensor - and it sensed a fingerprint...

    5. Wzrd1 Silver badge

      Re: fingerprint works <25% of time

      I naturally was cursing Microsoft for being shit again, however this article seems to indicate my problem must lie in the reader chip instead and I should be cursing Dell.

      More like cursing Dell, Lenovo and Microsoft, as well as the hardware vendors behind them.

    6. thondwe

      Re: fingerprint works <25% of time

      Works fine with my £30 gadget from Amazon - works fine on iPad and old iPhone 8. TBH face rec is also a mixed bag - Surface is OK but fussy about being "in shot", iPhone is brilliant. I find fingerprint is more natural for a PC setup, but face on a phone makes things like the MS Authenticator, bank app etc much more usable.

      So maybe just finger trouble?

      1. FIA Silver badge

        Re: fingerprint works <25% of time

        To be fair, Apple did also buy the leading fingerprint sensor manufacturer. The TouchID stuff was at the time streets ahead of the competition.

        1. gnasher729 Silver badge

          Re: fingerprint works <25% of time

          To be fair again, this doesn't seem to be about the quality of the sensor. It's about someone completely different logging in. (I remember ages ago someone used a fingerprint scanner that would recognise about one in 20 random fingers, so a thief and his three mates would have a ninety percent chance of getting in).

          But I’m quite sure that on iOS you need the device passcode to add a fingerprint, at the time it is added. So if I leave my phone lying around logged in, you can use it, but not add a fingerprint or faceID.

          1. FIA Silver badge

            Re: fingerprint works <25% of time

            Sorry, I was replying to the comment 'fingerprint works <25% of time', not the article in general, just pointing out that the leading fingerprint sensor became vendor specific, and that is why the Apple stuff tends to be better. :)

            Let's be fair, realistically, fingerprints aren't that secure if you're an 'important target'.

            If I've nicked your device I've more than likely nicked a device covered in the fingerprints I need to unlock it.

            Also, as this thread illustrates, consumer grade FP readers tend towards convenience rather than overall accuracy. I've worked with industrial applications of the technology for building access (slightly different as you're trying to identify someone from a fingerprint against a database of hundreds or thousands of people rather than trying to determine if a fingerprint is one person), and in order to be good enough to not have a shocking rate of false positives you often take a few goes to get a successful read.

    7. Catkin Silver badge

      Re: fingerprint works <25% of time

      It works nicely on my older Thinkpads. I use it in office scenarios where it's unlikely that my laptop would be stolen but very likely that a tasteless email would be sent from an unlocked machine. By having fingerprint sign in, I'm much more tolerant of a shorter lock time than if I had to enter a password.

    8. Zibob Silver badge

      Re: fingerprint works <25% of time

      Anecdotal as the system is different but yes my android phone regularly does not recognize me.

      Though I do wear gloves at work and it is dusty; if I go straight from my glove to the phone it will refuse due to dirt and/or sweat. At home it has happened with clean but sweaty fingers.

      Only if it is clean, wiped, and dry will it work.

      That said we have a miterfinch clocking machine and it does a lot, lot better. Still messes up but almost always get it the second time with no changes just trying again.

      Though like I said the phone is, as far as I can gather, just high detail capacitive touch sensing, where the clocking machine is a glass panel with a flash of light to read.

    9. phuzz Silver badge

      Re: fingerprint works <25% of time

      Often it's not so much the fingerprint reader, but your actual fingerprint. I find that my fingerprints fail to scan (across multiple devices) more often when my fingers are very cold and dry.

      If I breathe on them to make them slightly more warm and damp, they scan fine.

      I suspect the solution is to add one or two fingerprints whilst your hands are cold and dry, and then perhaps add some from the other hand when your hand is hot and sweaty.

    10. Lord Elpuss Silver badge

      Re: fingerprint works <25% of time

      "BTW, does fingerprint login work reliably for anyone?"

      Works well enough for me on my MBP.

      It uses a password for admin-related tasks e.g. initial logon, security, setup, updates and accessing the password manager, then uses TouchID after that for all the standard-user stuff, unless you mess it up a few times then it asks for the password again.

    11. Stuart Castle Silver badge

      Re: fingerprint works <25% of time

      Works fine on my Macbook Pro. Used to work much better on my iPhone than Face ID when it was an option. Well, unless I wore gloves, but that's fair enough..

  5. An_Old_Dog Silver badge

    That Old Security Mantra Applies, Yet Once Again

    "If you ain't got physical security, you ain't got security."

    1. NeilPost

      Re: That Old Security Mantra Applies, Yet Once Again

      I bet they have a physical TPMv2.0 module so are Windows 11 ready - d’oh.

  6. IGotOut Silver badge

    So just to clarify...

    This is really a hardware issue or a software issue or both?

    They have targeted Windows Hello, but could this be used, for example, a Chromebook with the same chips, or say Mac if it used the same readers?

    1. Flocke Kroes Silver badge

      Re: Hardware or software

      Firmware.

      Fingerprint readers are small computers with their own built-in software. When software is effectively part of the hardware it is called firmware. Firmware is usually supplied without source code or documentation. Changing firmware is impractical for anyone but the manufacturer of the device. Replacing the firmware may be a simpler option - if you can get hardware documentation.

      This attack could be addressed by a firmware update. Firstly that update must effectively be created by the manufacturer and secondly updating the firmware should not be easy. (If it were, secure devices could be made vulnerable by back dating the firmware.)

      Secure communication is tricky. Clue bats have been applied sufficiently often that most programmers know to use a library created by specialists and not to roll their own. The more difficult stage is to get programmers to RTFM. A hint of blame should go to managers not allocating enough time to reading the manual. Another hint of blame should go to every defective use of secure communications libraries on the internet that programmers use as templates instead of understanding how authentication works.

      The biggest problem is people thinking it is sane to use an authentication device where the key is a part of their body (hard to change) and a copy of the key is left on every door handle and keyboard they touch.

      1. Wzrd1 Silver badge

        Re: Hardware or software

        Hence, why one should have two factors. Something you have, something you know.

        1. 42656e4d203239 Silver badge

          Re: Hardware or software

          >>Something you have

          And the "Something you have" shouldn't be immutable like a fingerprint or an iris scan. It also should be revocable (unlike a fingerprint or an iris scan).

          Proper security is hard. I would prefer less security theatre and more actual effort put into making things properly secure... but that would lower profits, so will never happen.

          1. hayzoos

            Re: Hardware or software

            Fingerprints and the like, only good for Identification, not authentication. Who knew?

            BTW - Also only good for ID are national numbers, insurance numbers, account numbers. Some of those even have ID in their names.

            Stop misusing IDs as authenticators dammit.

            1. Nick Ryan Silver badge

              Re: Hardware or software

              However, Hollywood loves fingerprint, iris and face recognition for authentication purposes in films therefore idiots have to try and implement this in reality.

              Replacing the secret and changeable component of authentication with something that is neither secret nor changeable is only ever going to reduce security.

            2. John Brown (no body) Silver badge

              Re: Hardware or software

              Exactly. As many have said, biometrics are a username, NOT a password.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hardware or software

        And fingerprint readers have interestingly useful amounts of EEPROM/Flash storage, enough in fact to be of interest to the various security services and a known way of exfiltrating/smuggling/hiding data

    2. phuzz Silver badge

      Re: So just to clarify...

      could this be used, for example, a Chromebook with the same chips, or say Mac if it used the same readers

      The issue here is that while Windows does require that devices should follow their SDCP specification, apparently there are no checks that a manufacturer actually is following the spec. (The Microsoft Surface using absolutely no encryption at all must have been particularly embarrassing for the Windows Hello team who sponsored the research). With the information from this research, Microsoft could crack down on shoddy manufacturers' implementations, but if they're strict then that would result in fingerprint recognition being disabled for many people, just because the manufacturer couldn't/didn't fix their flaws.

      I don't know enough about Chromebooks to say about them, but I'm pretty sure that as Apple control all of the hardware and software they use, they should be more secure. You'd hope so at least.

  7. Anonymous Coward
    Anonymous Coward

    I've never been a fan of fingerprint authentication, we should all just give it the finger. I had a feeling it wasn't secure but couldn't quite put my finger on it. Hands down I won't be using it.

    1. John Brown (no body) Silver badge
      Facepalm

      a facepalm moment?

  8. ColinPa

    Finger prints all over the keyboard?

    As people use the keyboard, their finger prints will be all over the keys. Could these be used to confuse the finger print reader and so validate with a correct finger print?

    1. jeremylloyd

      Re: Finger prints all over the keyboard?

      Better finger print readers will do a "liveness" test.

      1. A Non e-mouse Silver badge

        Re: Finger prints all over the keyboard?

        Just like the early facial recognition tech could be fooled just by a photograph. It's why Apple added the IR depth sensor to their iPhones to make facial recognition harder to defeat. (Note I said "harder" not "impossible")

        1. BartyFartsLast Silver badge

          Re: Finger prints all over the keyboard?

          Tis also why some laptops won't do facial recognition for Windows Hello.

  9. Anonymous Coward
    Anonymous Coward

    Hmmmm.

    We now have 6 authentication methods available to users, I can't help but wonder if the variety (created for 'ease of use') has done nothing except expand the attack surface.

  10. abend0c4 Silver badge

    The OS asks you to present your finger

    Windows is clearly under no illusions about its popularity...

    As described, this does seem like a pretty obvious loophole. Without some cryptographically assured data to confirm the fingerprint was enrolled by the specific operating system instance at a known time, all bets are off.

    1. Jou (Mxyzptlk) Silver badge

      Re: The OS asks you to present your finger

      So you want something like the Apple way on the fingerprint sensor? Doesn't have to be this bad, a separate TPM 2.0 chip in the fingerprint sensor would work too.

      1. abend0c4 Silver badge

        Re: The OS asks you to present your finger

        Even a monotonically increasing counter associated with each print would allow you to detect that the fingerprint with the same label as one you'd previously approved wasn't the same print. Some sort of encryption is pretty much inevitable, though, if you want to avoid MITM attacks. You don't have to go as far as "blessing" the physical hardware if you're prepared to accept it functions as it claims.
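The two points raised in this thread (Timochka's, that the fix is an authenticated channel rather than shipping raw scans to the OS, and abend0c4's, that a per-print counter lets the host notice a slot that has been re-enrolled behind its back) can be shown in one small model. The code below is an added illustration written for this page, not code from the researchers, Microsoft or any sensor vendor, and it is not SDCP's actual protocol: the `Sensor`/`Host` classes, the shared pairing key (assumed to be provisioned out of band), the message layout and the byte-string "templates" are all constructed for the example.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries cannot be shifted."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Sensor:
    """Match-on-chip sensor: templates never leave the device, only a slot id does.

    `key` is the assumed host<->sensor pairing key. Every (re-)enrollment of a
    slot bumps that slot's counter, which is reported alongside the slot id.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._slots: dict[int, tuple[bytes, int]] = {}  # slot -> (template, counter)

    def enroll(self, slot: int, template: bytes) -> int:
        counter = self._slots.get(slot, (b"", 0))[1] + 1
        self._slots[slot] = (template, counter)
        return counter

    def authenticate(self, nonce: bytes, presented: bytes):
        """Return (slot, counter, tag) for a matching finger, or None."""
        for slot, (template, counter) in self._slots.items():
            if hmac.compare_digest(template, presented):
                fields = (nonce, slot.to_bytes(1, "big"), counter.to_bytes(4, "big"))
                return slot, counter, mac(self._key, b"auth", *fields)
        return None


class Host:
    """OS side: remembers which (slot, counter) was enrolled for which user."""

    def __init__(self, key: bytes):
        self._key = key
        self._users: dict[int, tuple[str, int]] = {}

    def enroll(self, sensor: Sensor, user: str, slot: int, template: bytes) -> None:
        self._users[slot] = (user, sensor.enroll(slot, template))

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify_unauthenticated(self, response):
        """The broken design: believe whatever slot id arrives on the wire."""
        slot = response[0]
        return self._users[slot][0] if slot in self._users else None

    def verify(self, nonce: bytes, response):
        """Check the tag under the pairing key, then check the slot's counter still
        equals the one this host recorded at enrollment."""
        slot, counter, tag = response
        fields = (nonce, slot.to_bytes(1, "big"), counter.to_bytes(4, "big"))
        if not hmac.compare_digest(tag, mac(self._key, b"auth", *fields)):
            return None
        user, enrolled_counter = self._users.get(slot, (None, -1))
        return user if counter == enrolled_counter else None


# Constructed scenario data: stand-ins for processed fingerprint templates.
KEY = os.urandom(32)
ALICE, MALLORY = b"alice-template", b"mallory-template"


def run_scenarios() -> dict:
    sensor, host = Sensor(KEY), Host(KEY)
    host.enroll(sensor, "alice", slot=1, template=ALICE)
    out = {}

    # Legitimate login: Alice's finger against a fresh nonce.
    n = host.challenge()
    out["legit"] = host.verify(n, sensor.authenticate(n, ALICE))

    # MITM device on the link asserts "slot 1 matched" with a bogus tag.
    n = host.challenge()
    forged = (1, 1, b"\0" * 32)
    out["mitm_unauthenticated"] = host.verify_unauthenticated(forged)
    out["mitm_authenticated"] = host.verify(n, forged)

    # Replay: a captured valid response sent against a later challenge.
    n1 = host.challenge()
    captured = sensor.authenticate(n1, ALICE)
    n2 = host.challenge()
    out["replay"] = host.verify(n2, captured)

    # Attacker drives the sensor directly and re-enrolls their finger into slot 1.
    sensor.enroll(1, MALLORY)
    n = host.challenge()
    out["reenrolled_slot"] = host.verify(n, sensor.authenticate(n, MALLORY))
    return out


if __name__ == "__main__":
    for name, who in run_scenarios().items():
        print(f"{name:24} -> {who}")
```

The unauthenticated path accepts the forged "slot 1" message outright, which is the class of failure the thread is discussing. With the tag and nonce in place the forged message and the replay both fail on the MAC, and the re-enrolled slot fails on the counter even though the sensor itself signed the response, because the host recorded counter 1 for Alice and the sensor now reports 2.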

  11. Anonymous Coward
    Anonymous Coward

    No system is 100% secure

    By design there always needs to be a backdoor way to get in.

    1. gnasher729 Silver badge

      Re: No system is 100% secure

      Macs/iPhones usually have no back doors. If the customer forgets their passcode, tough to be you. If you want your heirs to inherit your iPhone, put the passcode in your will. Because if you can’t get in, apple can’t either.

      1. BartyFartsLast Silver badge

        Re: No system is 100% secure

        That's demonstrably not true, for example the FBI used a 3rd party to get into a mass shooter's locked iPhone, even if they used a zero day (they didn't) it's still technically a backdoor.

      2. IGotOut Silver badge

        Re: No system is 100% secure

        If you know someone's iCloud details (usual password compromise) it's easy to get iPhone data

        Attach to pc / Mac running iTunes

        Factory reset phone

        Restore.

        Done.

  12. John H Woods

    The linked (thank you) article is great ...

    ...beautifully explained with nice easy diagrams.

    I do wish our US English cryptobrethren would stop using the word "nonce" though.

    1. Little Mouse

      Re: The linked (thank you) article is great ...

      YouTube subtitles seem unable to recognise the word "nonce" (instead it comes up with "Nuns", "NS", etc).

      Is that because it's on the official naughty list (I assume Youtube has a blacklist of forbidden words), or is it just not a known word in the USA?

      1. katrinab Silver badge
        Childcatcher

        Re: The linked (thank you) article is great ...

        A nonce is a person who engages in sexual offences involving underage children.

        1. John H Woods

          Re: The linked (thank you) article is great ...

          The supposed etymology is "Not On Normal Community Exercise" as in prisoner who is likely to be attacked in the exercise yard by other inmates.

          This may, of course, be a backronym.

        2. Anonymous Coward
          Anonymous Coward

          Re: The linked (thank you) article is great ...

          "involving underage children"

          Pleonasm alert. Are there any "overage children" or "underage adults"?

          1. katrinab Silver badge
            Meh

            Re: The linked (thank you) article is great ...

            Arguably yes, if you consider a 16 or 17 year-old to be a child. That's legal as long as you aren't a teacher or similar.

            1. Anonymous Coward
              Anonymous Coward

              Re: The linked (thank you) article is great ...

              There's still bits of the good ole US where the minimum age for marriage is 15, E.G. Kansas and there's a few where either there's no legal minimum or it can be ignored if a court and/or parents agree (Oklahoma for example).

              There's one or two where it can be ignored if the girl is pregnant too.

              Who needs pizza shops when paedophilia is legal...

              1. Anomalous Cowturd
                WTF?

                Re: The linked (thank you) article is great ...

                And last time I checked, six states where bestiality is legal.

                I didn't believe it either, when told, which is why I checked.

    2. BartyFartsLast Silver badge

      Re: The linked (thank you) article is great ...

      It's an English word that's been used for an awful lot longer than the USofA has been such, since around 1200 in the civilised bit of the world, and was used to mean something used only once, so it's perfect.

      Still not convinced the USofAians speak English though.

      1. ThatOne Silver badge
        Devil

        Re: The linked (thank you) article is great ...

        > Still not convinced the USofAians speak English though.

        "USofAians" speak American! Good old patriotic American like our forefathers (and Jesus)!

        /s

  13. mpi Silver badge

    "Replace the passwords!!!!"

    Yell the proponents of biometrics and passwordless world. "Insecure they are!" they shout, "inconvenient be they!" they clamour.

    Well, we did.

    And what do we find? Oh, what a surprise; the methodologies used to replace all these passwords and all their flaws ... can themselves have flaws! No! Yes! Ohh! And yes a user can easily mess up by using a bad excuse instead of a password, but usually such a blunder is limited in scope to the user and maybe his company's network (if things really go wrong). But when devices, services, and other EXTERNAL replacements for passwords are broken, at fundamental levels, they break for MANY people and organisations, everywhere, all at once, even if none of the users mess up anything.

    And that, my fellow people around the globe, is why I shall continue to ignore the clamoring, the shouting, and the yelling, and will continue to use passwords (Possibly with MFA).

    1. Nick Ryan Silver badge

      Re: "Replace the passwords!!!!"

      Replacing the secret, changeable component in authentication with a non-secret non-changeable component is never going to improve security. Biometrics can verify identity, but that is different to authentication.

  14. Tron Silver badge

    Not secure anyway.

    If the user was asleep, unconscious or had had an unfortunate accident, you could just use their digit to access their stuff.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not secure anyway.

      I had it suggested to me that supercars should be secured with fingerprint readers.

      They didn't seem impressed when I agreed and said I wasn't at all bothered if supercar owners had their fingers cut off by car thieves.

      1. Paul Crawford Silver badge

        Re: Not secure anyway.

        News from 2005:

        http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

  15. JulieM Silver badge

    How many times need it be said?

    How many times need it be said?

    A fingerprint (or any piece of biometric data) is equivalent to a login name, not a password. It's not secret, and it can't be changed if it becomes compromised.

    It may not be feasible any longer just to lift a person's fingerprint, using graphite powder and adhesive tape, from something they touched and make a gelatin cast of it, using equipment anyone who does electronics is likely to have in their workshop -- I've not tried it lately -- but if there is something on a device protected by your fingerprint that someone is sufficiently desperate to get, probably the easiest way for them to get it is to use your finger. Whether or not it's attached to the rest of you.

  16. Mage Silver badge
    Alert

    above named devices vulnerable to unlocking

    But blunders in implementing this system have left at least the above named devices vulnerable to unlocking – provided one can nab the gear long enough to connect some electronics.

    Anyone would be mad to use it to unlock anyway. What if your finger(s) are injured?

  17. Grogan Silver badge

    Umm, if I have, or am alone with someone's device, and I care (I have no reason to think I would ever want to do that to anyone), they are in trouble anyway.

    I'm kind of the opposite. My motto was "confidential service" (I say was, because I have quit doing computer servicing for the foreseeable future... I hate the environment now).

    When asked about it, I bluntly stated that I don't care what you do. I am not interested in your data, only to protect it for you. I'm not here to judge you and I won't rat you out to anyone, for anything (well, never say never, but under normal circumstances no). I won't blackmail you, it's not my style etc. I had one cop customer that said "hmm, I see" lol. It works in his favour too though, I won't compromise him if I get a hold of his emails (which I easily could) or find his porn or warez stash.

    I did work for the "Assistant Crown Attorney" of the region. She trusted me and loved that I came over (to her home I mean) and stayed the course. Policy dictated that I not take the computers from her view, and I understood (I defended my honour though) but later she was trying to convince ME that it was OK if I did, she just wouldn't tell them. I declined, because I didn't want to be in that situation.
