German minister photo fingerprint 'theft' seemed far too EASY, wail securobods

Claims that fingerprints can be cloned from pictures are being taken seriously by security experts, who argue that any possible hack underlines the fragility of the biometric technique. Hacker Jan "Starbug" Krissler cloned the thumbprint of the German Defence Minister Ursula von der Leyen after photographing her hand at a …

  1. Anonymous Coward

    Agreed

    As someone once said, currently if an account gets cracked, you can change your password - but if your biometric details are cracked, you can't exactly change your fingers/eyes etc.

    1. Yet Another Anonymous coward Silver badge

      Re: Agreed

      A fingerprint is a userid not a password.

      If your account is hacked you don't change your name

      1. Anonymous Coward

        Re: Agreed

        "A fingerprint is a userid not a password."

        Really?

        1. The BigYin

          Re: Agreed

          Yes. Well, it certainly shouldn't be taken as proof of identity - instead part of some greater whole. The general mantra is "something you have, something you know".

          Biometrics are pretty simple for people and, as with many things in security, ease of use is inverse to strength of security.

      2. Dodgy Geezer Silver badge

        Re: Agreed

        ...A fingerprint is a userid not a password....

        No. If that were so, why not just type the ID in - it's cheaper and simpler.

        The fingerprint is used as both an identification AND an authentication. It's much like a swipe-card pass, which has a name on it, but also gives the bearer the right to enter doors.

  2. Graham 24

    Worse than just data loss

    Sure, El Reg is a technology site, so the article focusses on "hacking" - getting into someone else's smartphone and so on. The ability to take a photo of someone's hands and then generate usable "fingerprints" has more problems than just giving someone access to those dodgy selfies you have.

    What if I can make a pair of gloves with all ten fingerprints from someone else on them, and then go and commit a crime and leave "my" fingerprints for SoCO to find?

    1. John Brown (no body) Silver badge

      Re: Worse than just data loss

      "What if I can make a pair of gloves with all ten fingerprints from someone else on them, and then go and commit a crime and leave "my" fingerprints for SoCO to find?"

      But surely every police force has a sufficiently trained and funded CSI team who can analyse DNA from the slightest speck and match it within minutes through a national database which is so fast and efficient it even flashes up the mug shots of each sample it's matching against. Fingerprints are just so 200BC. It's about time something new was tried.

      1. Anonymous Coward

        Re: Worse than just data loss

        I know you were posting in jest, but even if that was true, people leave their DNA all over the place. All you need to frame someone else is a bit of their DNA that would be collected to combine with their fingerprints and you make them the leading suspect.

        Especially if their DNA would not be expected at the crime scene but yours would be expected (if you committed a murder in your own home or car where your stooge would rightly claim he's never been)

      2. The BigYin

        Re: Worse than just data loss

        "But surely every police force has a sufficiently trained and funded CSI team who can analyse DNA from the slightest speck and match it within minutes through a national database which is so fast and efficient it even flashes up the mug shots of each sample it's matching against."

        Almost, which is why the smart crooks poison the scene by dropping items they have collected from random places. In the TV show the evil-doers had a "DNA-bomb" device to poison the evidence; how long before we see that in the real world?

  3. Alan Denman

    A seanced message says

    You're holding it wrong, wear gloves.

  4. MacroRodent

    In a sane world

    ...this should be the nail in the coffin of fingerprint authentication, at least of the cheap variety. What is the use if it is tuned to accept anything vaguely resembling the real print?

    In the real world, we of course identify each other by "biometrics", but we take into account many factors: facial appearance, voice, height, gait... mostly unconsciously.

    1. Anonymous Coward

      Re: In a sane world

      But the problem therein lies that between biometrics and authentication there needs to be a bit of 'blackbox' wizardry - and it is that which will get cracked to copy/clone biometric details - hence the above story is that the 'reader' can easily be fooled into believing printed/etched copies.

      1. John Brown (no body) Silver badge

        Re: In a sane world

        "there needs to be a bit of 'blackbox' wizardry - and it is that which will get cracked to copy/clone biometric details"

        Surely the "blackbox" just holds a hash based on the biometrics presented. That won't stop the BB being hacked, but it ought to minimise copying/cloning of the "source data".

        1. Anonymous Coward

          Re: In a sane world

          No - the 'blackbox' is the reader, if you like, and as long as the data presented to it fits, then it processes it - but as I stated in my first post, once that happens you cannot change YOUR biometric data - so basically end up the creek without a paddle and no way to fix it.

          With a hash/salt you need a password or two - if it gets cracked you can change them and create new hashes/salts - but what to do with fixed static data like fingerprints/retina scans when they get cloned?

    2. DropBear
      Facepalm

      Re: In a sane world

      "...this should be the nail in the coffin of fingerprint authentication, at least of the cheap variety."

      You're far too optimistic. Simpler people are still stuck at the "but my mate here can't unlock my phone and I can! See? It's working!" stage, and there are no signs that would change anytime soon.

      1. Anonymous Coward

        Re: In a sane world

        "Simpler people are still stuck at the "but my mate here can't unlock my phone and I can! See? It's working!" stage, and there are no signs that would change anytime soon."

        But it depends what you're trying to protect, and how much resource the "attacker" is willing to deploy. Compared to the probable alternative of a four digit PIN, a fingerprint reader is potentially still more secure at protecting the average Joe's phone data against casual access (noting caveats about bypassing fingerprint readers). But if you're a "high net worth individual" (aka a rich b*****d), with sensitive financial data on the device then you'd be a fool to rely on your fingerprint.

        1. Graham 24

          Re: In a sane world

          "if you're a "high net worth individual" (aka a rich b*****d), with sensitive financial data on the device then you'd be a fool to rely on your fingerprint."

          I would say that if you're a high net worth individual, you'd be a fool to have sensitive financial information on the device at all, regardless of how it's protected, as highlighted in this XKCD cartoon.

      2. Anonymous Coward

        Who are you protecting your phone from?

        "but my mate here can't unlock my phone and I can! See? It's working!"

        This is all most people are really worried about. If I'm worried about keeping it safe from the police or other more determined attacker I'll use a PIN, too.

        The proper implementation is a print for all unlocks, with an additional PIN required after a certain user settable timeout. The paranoid can set the timeout to 0, those who only care about keeping it away from their technically clueless spouse can disable it, I'd choose 30-60 minutes so it wouldn't be too annoying but if the cops arrested me by the time I was booked and they wanted to peruse the evidence the window of opportunity to hack my fingerprint will have passed.

    3. The BigYin

      Re: In a sane world

      "the nail in the coffin of fingerprint authentication, at least of the cheap variety."

      I suggest you rent and watch the "Mythbusters" episode where they do fingerprints (and some other security methods)...the results are hilariously troubling.

    4. Dodgy Geezer Silver badge

      Re: In a sane world

      ...In a sane world

      ...this should be the nail in the coffin of fingerprint authentication, at least of the cheap variety. What is the use if it is tuned to accept anything vaguely resembling the real print?...

      A bit of explanation.

      1 - Manual fingerprint authentication is done by an expert comparing all aspects of a fingerprint. This is a skilled job which takes a bit of time. Its effectiveness depends on the expert's skill and experience.

      Automatic 'biometric' fingerprint recognition is done with a pattern matching algorithm (originally invented in the UK at RSRE for use in radar signal analysis) which identifies a few 'salient' points and matches these. With limited processing power and the need to avoid false negatives these matches may be quite poor and still 'pass'.

      2 - There is indeed a question mark hanging over the whole of fingerprint identification. It has simply been asserted to be true that no two fingerprints are the same. But no one knows if this is true, or how good fingerprint experts are at distinguishing similar prints. It is just assumed that they are infallible and fingerprints are all unique, because that supports the justice system...

  5. P. Lee

    Should be falsifiable

    The fingerprint creation technique is well known, the only new addition is using a hi-res camera.

    A cynic might say that this is Apple's level of innovation. Yes, it's very cool, but is it pushing the state of the art?

    Either way, thumbs up for security-bods.

    Oh wait, better not...

  6. Anonymous IV

    Some day my prints will come

    Fingers ain't wot they used ter be...

  7. YetAnotherLocksmith Silver badge

    Anyone doubting this is not up on the state of the art. There is a commercial machine/robot developed for the US military that uses a camera to fingerprint people from ten+ feet away. (If you can find it on Google I'll be impressed though - I've just searched for half an hour for it to no avail)

    It barks orders from a friendly looking robot face to put your hands up for scanning, and left right and front photos, by high res camera.

    So this is real.

    I've even done it myself, though not with any success - I got the print, I just didn't have a sensible way to extract the visible pattern into a black and white one suitable for the scanners.

    1. Graham 24

      How about this?

      http://www.aos-inc.com/index.php/products/biometrics-new/airprint-new

  8. Stevie

    Bah!

    How is this news? There are accounts of how to forge fingerprints that go back to the time fingerprinting was still to be widely adopted as an identification technique by Scotland Yard.

    Better yet, there's one account I've read from the dawn of the previous century of how to make a rubber stamp of someone's fingerprints using ... photography. Admittedly, it was wet chemical photography, which as any fule kno is a dead and forgotten art akin to Alchemy.

    I remember back in the late seventies reading an account of a US sheriff having forged a fingerprint to get a conviction using Scotch tape to transfer a print from one place to another. Another "well, duh!" moment for the press and criminal scientists. Any kid left alone with a reel of shiny-type Scotch tape will discover the print-lifting capabilities of the product in about a minute.

    And I would have thought anyone who had used an old-style carbon fusion photocopier would have spent some time thinking about how it could be used to lift prints from the glass.

  9. Pen-y-gors

    Biometrics? Meh!

    Austin Freeman's story 'The Red Thumb Mark' (available on Gutenberg - it's jolly good) was published in 1907 and revolves around a faked thumbprint left at a crime scene. Why are people still trying to use basic fingerprints as identification evidence in 2014?

    Just about any biometric other than DNA can be faked with enough effort. For private individuals it's probably not worth the hassle, but when it's GCHQ/NSA/CIA/KGB/the Chinese involved faking the biometrics to access foreign government networks (or even their own government networks) then money's no object.

    I'm waiting for the next big thing in biometrics - the discovery that the pattern of one's "rusty sheriff's badge" (as Stephen Fry referred to it on QI) is unique. There's a whole new meaning to the idea of dropping your trousers for immigration checks.

    1. Anonymous Coward

      Re: Biometrics? Meh!

      "Just about any biometric other than DNA can be faked..."

      DNA doesn't need to be faked - we all leave it everywhere we touch, glasses we drink from etc. So it wouldn't be much to use someone else's DNA deliberately - in fact DNA technology is just about getting scary, as it's regarded as so foolproof that if YOUR DNA was found at a crime scene (albeit planted), there is no way out.

    2. Captain DaFt

      Re: Biometrics? Meh!

      "Just about any biometric other than DNA can be faked"

      Problem is, modern DNA testing isn't that reliable:

      http://www.marymeetsdolly.com/blog/index.php?/archives/925-Unreliable-evidence-A-look-at-DNA-forensics.html

      Tl;dr: 10 to 13 points is the normally accepted baseline for identity, but that has been called into question.

      IRL: it's often impossible to use DNA found at the scene to get more than 9 matching points.

      So most courts say 'Good enough.', even though it's only narrowed the match to dozens, even hundreds of individuals.

      (Just get an 'expert' to testify, "Totally Accurate!", and the jury accepts that.)

      Still Tl;dr: DNA evidence that is used as infallible, actually doesn't prove the accused did it.

  10. Lee D Silver badge

    Fingerprints aren't completely useless. They are not, however, and never have been, secure.

    The fingerprint is your username. Probably shown at the top of every forum you visit, attached to every one of your posts and maybe even part of your public URL (e.g. Facebook vanity URLs). Also probably related to your name, or your well-known aliases. In schools and companies, your username is - well - your name. Your email username is almost always the first part of your email (before the @).

    The fingerprint, however, is NOT your password and never should be. That's just stupid.

    With just the username, you can't do anything interesting. With the password too, you can do it all. The fingerprint/username is a convenience - "this is who I intend to try to authenticate as". But without the secret password, or whatever, you can't actually do anything interesting.

    Which is why I laugh at all the people I see who use fingerprint readers for library access systems, access control in schools, and even fingerprint readers on their laptops. IT IS NOT AUTHENTICATION. It's a username-shortcut.

    I actually have an old USB fingerprint reader. It's a scanner. I kid you not. It's a miniature black and white scanner with a clear rubberised surface the size of a finger to scan. All the hard work is done on the software end with finding edges etc. I could scan your finger and - short of some impressively expensive fingerprinting system in place - reproduce your fingerprint pretty easily (as pointed out, laser printer on balloons, or just a gummi bear pressed onto a laser-printed-and-acid-etched PCB to give it some depth). The stuff to do this is available from your local Maplin's for a handful of pounds, and will get you into most of these systems (except possibly the very top-end that aren't actually doing fingerprints at all, as pointed out in the article).

    Fingerprints are not the password.

    They are the username.

    Explain this to your users and you'll have a much easier time of things.

    P.S. I work in schools. Sometimes they're happy to have "username shortcuts" for the little'uns, e.g. to log into the library rather than the librarian having to memorise 1000 kids. But they aren't secure. The security comes from elsewhere.

    1. Anonymous Coward

      Great post - but it still leaves the fact that your 'username' can be cloned/copied and never, ever changed.

      That is bad.

    2. Anonymous Coward

      "The stuff to do this is available from your local Maplin's for a handful of pounds, and will get you into most of these systems"

      But the day to day use of fingerprints is not really about security is it? My bank don't use it as part of their 2FA, my employers don't use it as part of their 2FA, and I can't think of any instance that a fingerprint is acceptable, other than low threshold smartphone access control and the school uses you mention (where the risks of error or fraud are outweighed by the benefits of recording access, not replacing lost cards, not having pupils carrying cash etc).

      I'm sure other readers will have experience of (eg) corporate IT that might use built in fingerprint readers, but I've worked reasonably widely and think I'm correct to say that's an absolute minority of companies.

      If you accept fingerprint ID as a simple but not very secure access control for low value applications it isn't that bad, and probably no less robust than the sort of enterprise password policies that cause half the staff to write this month's password on a post-it fixed to the monitor.....

      1. Rakkor

        There are 2FA processes that rely on fingerprints out there, in every major bank in the world

        "But the day to day use of fingerprints is not really about security is it? My bank don't use it as part of their 2FA, my employers don't use it as part of their 2FA, and I can't think of any instance that a fingerprint is acceptable,"

        Bloomberg - they have fingerprints as part of their 2FA process for Bloomberg Anywhere, and our security bods love the fact that they do, as it ticks their vendor security assessment boxes very nicely. Maybe a rethink will be in the offing.

    3. jonathanb Silver badge

      If it is a library, and there is somebody watching you use the fingerprint scanner, then it is probably a bit more secure. They will likely notice if you have a bit of balloon attached to your finger.

  11. Anonymous Coward

    DNA and the twins

    Great read here:

    Twins, murder and DNA

  12. Nya
    Joke

    New fitness device biometric

    Ideal for all the fitness types also, combine the thing with a blood glucose reader and a DNA sampler and you have it taking a blood sample to access it. Incorrect blood sample and you don't get in. The blood glucose sample is just used as the marketing front :P

    Other advantage with it having to take a blood sample to access is on a phone at least it'll stop people fiddling with the things all day long. Or am I just being a grumpy old git?!

  13. Anonymous Coward

    But then what can a person with abysmal memory use? How can they use something they know when it's tough for them to remember ANYTHING?

  14. VinceH

    "However, as previously reported it’s unclear whether the fake thumbprint matches von der Leyen's actual digit."

    And it's unlikely that they'll be able to check that. The correct approach would be to apply the same technique to x willing test subjects - obtaining their prints by the same method, and then using the acquired prints to access something protected by their real prints.

    But presumably a test on x no-names, whether it's successful or otherwise, is less newsworthy than a non-test on someone more significant.

  15. This post has been deleted by its author

  16. Anonymous Coward

    Hey dude, hand me the finger cutter......

    We've all seen the movie where a bad guy simply chops off the good guy's finger to use as ID to open the vault. Although usually done with less drama, taking biometric data is relatively child's play physically and for governments legally.

    In the USA a court may not compel a person to divulge a password, because it's an intellect value. However, they can and do order people to provide biometric data all the time, for example, DUI breathalyzer tests. It's a strong legal precedent.

    I assume the big push for biometric authentication is coming from Big Brother States that already have vast fingerprint data bases, and are working on others such as face scans.

    A bullet proof encrypted password is the gold standard and should be.

    1. Chris G

      Re: Hey dude, hand me the finger cutter......

      Big brother states is right!

      This from Widdlypaedia "The United Kingdom National DNA Database (NDNAD; officially the UK National Criminal Intelligence DNA Database) is a national DNA Database that was set up in 1995. As of the end of 2005, it carried the profiles of around 3.1 million people. In March 2012 the database contained an estimated 5,950,612 individuals. The database, which grows by 30,000 samples each month, is populated by samples recovered from crime scenes and taken from police suspects[1] and, in England and Wales, anyone arrested and detained at a police station."

      You can read more here: http://en.wikipedia.org/wiki/United_Kingdom_National_DNA_Database

      So we have 10% of the population recorded more or less whose DNA is considered by the fuzz to be proof positive of who they are.

      I can see the day when that is encoded onto your ID card and will be the first point of access for all Brits when dealing with anything official, if there is a question about the card you get a smack in the mouth and it's verified physically. I am guessing they are waiting for someone to come up with the DNA equivalent of a breathalyser before implementing it.

      In a court in spite of what the fuzz would like to think, at best DNA can only be considered circumstantial evidence except possibly in cases of rape/sexual assault where it is proof of an act even if it may not be the act in question.

      Secret password however should remain just that; secret and in your head where even cutting it off is not going to reveal the password. Yet!

      Maybe it's time to re-invent the Dick Tracy code ring!

      1. Anonymous Coward

        Re: Hey dude, hand me the finger cutter......

        "Secret password however should remain just that; secret and in your head where even cutting it off is not going to reveal the password. Yet!"

        But like I said, what about people with bad memories? For them, a bulletproof password is one they can't remember. AFAIK, no one's invented a foolproof way to do "something you AND ONLY YOU know" that works even for people who have trouble remembering their own name.

        1. Mike007 Bronze badge

          Re: Hey dude, hand me the finger cutter......

          If you have trouble remembering your own name, how are you going to remember that you even work for XYZ corp? and then when you've logged in, what is your job? what are you meant to be doing? and how do you do it? what do you click?

          If you can't remember a password, you are very unlikely to be competent enough to actually need a password for anything.

          1. Charles 9

            Re: Hey dude, hand me the finger cutter......

            So in other words, "Goodbye. Game Over. Better Luck Next Life"? Because some people really ARE that bad. There's also the matter of information overload, since just about every site under the Sun demands a unique account with them, and SOP is to use a different password with each one. A password manager can be subverted or you just forget the password to the password manager.

  17. raving angry loony

    Hmm. Somewhat misleading perhaps?

    Authentication is normally based on 'something you know', and not just 'something you have' such as a fingerprint or any other biometric.

    Technically incorrect, unless you add "insecure" to the beginning of that quote. Also, I've always been told fingerprints don't count as "something you have", they're only "something you are", which is lousy security because it can't be changed. Slightly more secure authentication is based on both something you know, AND something you have. Also not just "something you are", such as the horribly insecure fingerprint, which as noted can be duplicated. The duplication can be in any of several ways, either pre (the print itself) or post (the digital "signature" of that print) processing. Just one of the above is, today, not really considered "secure". Or at least, not "secure enough".

  18. This post has been deleted by its author

  19. Christian Berger

    Video here

    Of course it has German live interpretation for people not speaking German.

    http://media.ccc.de/browse/congress/2014/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug.html#download

  20. Anonymous Coward

    How can grown adults not tell the difference between fiction and reality?

    It's obvious what's gone wrong here.

    Some idiots have seen movies where Tom Cruise is a crack government agent and his fingerprints are necessary to access the nuclear missiles at the top secret military base.

    So these idiots think, hey, fingerprints are supposed to be the best possible form of security and are only used to secure things that are SUPER important and valuable. Then they get all butthurt when it turns out that might not be the case, and they think they have to inform the world and hold conferences about it.

    Back in the real world, any normal adult can explain the point of the fingerprint sensor on the iPhone: it's so a pickpocket won't be able to access your vacation photos before you get a chance to remotely wipe your phone. And for that purpose it seems to be more convenient and secure and effective than a PIN code which people tend to not use anyway.

    Maybe it's not a coincidence that Germans are trying so hard to alert the world about this. Do they understand the concept of fiction? Maybe they think Tom Cruise movies are documentaries.

    1. Zetschka

      Re: How can grown adults not tell the difference between fiction and reality?

      Can the pickpocket use one of the fingerprints you left on your phone?

      1. Anonymous Coward

        Re: How can grown adults not tell the difference between fiction and reality?

        >>Can the pickpocket use one of the fingerprints you left on your phone?

        I think this would be practically impossible. Watch the original "hack" of the Apple sensor--even under ideal conditions with an ideal scan of the correct finger, it takes 3 tries to unlock the phone. You only get 5 tries.

        If you were to lift a fingerprint from the phone itself, what are the odds that (1) it would be a finger that the phone was programmed to recognize, (2) there would be enough of the fingerprint to fill the entire sensor, (3) that the lift would give you enough quality and resolution to fool the sensor, and (4) you could do all of this in less than an hour, which is probably the worst-case amount of time I would need to notice that my phone is stolen and remotely wipe it?

        I'm comfortable keeping sensitive information on my phone with those odds. And certainly more comfortable than when I used a PIN code to lock my phone. It's stupid easy to look over somebody's shoulder and see their code or unlock pattern. You might be able to figure it out just from the motion of their hand even if you weren't able to see the screen.

        1. Hans 1

          Re: How can grown adults not tell the difference between fiction and reality?

          >If you were to lift a fingerprint from the phone itself, what are the odds that (1) it would be a finger that the phone was programmed to recognize, (2) there would be enough of the fingerprint to fill the entire sensor, (3) that the lift would give you enough quality and resolution to fool the sensor, and (4) you could do all of this in less than an hour, which is probably the worst-case amount of time I would need to notice that my phone is stolen and remotely wipe it?

          Actually, you can tell from the finger print which finger it is. They could be at quite a distance - all they need to know is the finger you used. It is on there unless you use gloves ... do you not hold backspace a few times when you type passwords in public places - I do sometimes forget, but try to stick to it (type something, first x letters are good, then hold backspace to delete more than one character - as many as required to get to x letters - then type on) ?

          I have fat fingers and do it accidentally as well ... I mistype my passphrase quite often ... a sentence full of silly typos.

        2. Anonymous Coward

          Re: How can grown adults not tell the difference between fiction and reality?

          "If you were to lift a fingerprint from the phone itself, what are the odds that (1) it would be a finger that the phone was programmed to recognize, (2) there would be enough of the fingerprint to fill the entire sensor, (3) that the lift would give you enough quality and resolution to fool the sensor, and (4) you could do all of this in less than an hour, which is probably the worst-case amount of time I would need to notice that my phone is stolen and remotely wipe it?"

          (1) and (2). First place to look would be the sensor itself. Who actually wipes their print off the phone after using the sensor to unlock it?

          (4) Two words: Faraday cage. No wipe signal gets through. Now you have all the time on the clock.

  21. Private Citizen.AU
    Stop

    Survival Golden Rules

    Rule 1. Never make a part of your anatomy more valuable to someone else than it is to you.

  22. Hans 1
    Boffin

    James Bond - Diamonds Are Forever

    Where are the bond fans when you need them ...

    Diamonds Are Forever: Bond uses a fake fingerprint that clings to his thumb to trick Tiffany Case into believing he is Peter Franks.

    Diamonds Are Forever, 1971 ...

    So, how is this even news ??????

    1. raving angry loony

      Re: James Bond - Diamonds Are Forever

      Maybe security journalists, or even those working in security, don't watch frivolous films like James Bond movies? Which is a pity, because there's a lot of great ideas in there that used to be science fiction and are now just potentially silly toys.

  23. Steve Barnett

    Not this old chestnut again

    Every few years someone with nothing new to say drags this horse corpse out and flogs it one more time for some publicity.

    Biometrics are useful in their place delivering speed, convenience and a decent level of security - you can often guess a password or a PIN but try guessing a finger print; I've never seen a post-it with "this week's retina" stuck on the notice board. Got it on my iPhone and love its convenient security for signing stuff, elsewhere I use a pin or an SMS code.

    Using biometrics is just part of the authentication mix, now move along nothing to see here.

  24. sisk

    Pretty much what I've been saying

    I talked some friends out of putting a fingerprint lock on their front door a while back by showing them the Mythbusters episode where they took on biometric locks. The Mythbusters aren't exactly the most rigorous of pen testers so if they can beat the things I'm not about to use my fingerprints for security. Not to mention the fact that in the process they told the whole world how to beat fingerprint readers.

  25. LaeMing
    Black Helicopters

    This is why...

    ...all the government officials, their bag-men and the like wear gloves in Dystopian-Future SciFi!

  26. Ian Watkinson

    Layers...

    People seem to be missing the fact that security should be layered.

    I like the fact that when I'm unlocking my phone on the plane, the person next to me can't look at the passcode as I'm just pushing my finger on it. (look at screen remember passcode - much easier than taking a photo and producing a balloon.)

    However I also like the fact that on a cold boot you need the whole pin, so having a fingerprint doesn't cut it all the time.

    Given that for a lot of people they've gone from no passcode to finger, it's a step up.

    If people are securing national secrets using fingerprints ONLY, then there's an issue.
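
The layered unlock policy several commenters describe above (a fingerprint for routine unlocks, a PIN again after a user-settable timeout, the PIN on a cold boot, and a cap of five fingerprint tries), sketched as an added example that is not part of the original thread or any vendor's code. The class, method and parameter names are hypothetical, `print_ok` stands in for the sensor's match decision, and falling back to PIN-only once the failed-print cap is reached is an assumption.

```python
import hashlib
import hmac
import os


def _pin_digest(pin: str, salt: bytes) -> bytes:
    """Slow salted hash, so the stored value is not the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class DeviceLock:
    """Hypothetical policy: the print is a convenience, the PIN is the secret."""

    def __init__(self, pin, pin_timeout_s=45 * 60, max_print_failures=5):
        self._salt = os.urandom(16)
        self._pin_hash = _pin_digest(pin, self._salt)
        # 0 means a PIN on every unlock; None disables the timeout entirely.
        self.pin_timeout_s = pin_timeout_s
        self.max_print_failures = max_print_failures
        self._last_pin_ok = None   # None models a cold boot: no PIN entered yet
        self._print_failures = 0

    def required(self, now):
        """Return the set of factors needed to unlock at time `now` (seconds)."""
        if self._last_pin_ok is None:
            return {"pin"}                      # cold boot: print is not accepted
        if self._print_failures >= self.max_print_failures:
            return {"pin"}                      # assumed fallback after the cap
        if (self.pin_timeout_s is not None
                and now - self._last_pin_ok >= self.pin_timeout_s):
            return {"print", "pin"}             # window elapsed: print plus PIN
        return {"print"}

    def unlock(self, now, print_ok=False, pin=None):
        """Attempt an unlock; returns True only if every required factor passes."""
        need = self.required(now)
        if "print" in need and not print_ok:
            self._print_failures += 1
            return False
        if "pin" in need:
            if pin is None or not hmac.compare_digest(
                    _pin_digest(pin, self._salt), self._pin_hash):
                return False
            self._last_pin_ok = now             # restart the fingerprint window
        self._print_failures = 0
        return True


def demo():
    """Walk a constructed timeline (times in seconds, PIN is sample data)."""
    lock = DeviceLock("4921", pin_timeout_s=30 * 60)
    steps = [
        ("cold boot, print only", lock.unlock(0, print_ok=True)),
        ("cold boot, PIN", lock.unlock(0, pin="4921")),
        ("10 min later, print only", lock.unlock(600, print_ok=True)),
        ("32 min later, print only", lock.unlock(1900, print_ok=True)),
        ("32 min later, print + PIN", lock.unlock(1900, print_ok=True, pin="4921")),
    ]
    return steps


if __name__ == "__main__":
    for label, ok in demo():
        print(f"{label:28s} -> {'unlocked' if ok else 'refused'}")
```

PIN attempt throttling is left out to keep the policy logic visible; a cloned print presented after the window has closed is refused here because the PIN is missing.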
