Japanese researchers released a paper talking about the (hypothetical) risk of flashing the peace sign.
As we saw a couple of years ago with a German politician, a high-definition photo taken from close enough (a few meters away, according to the researchers), with the right lighting, allowed the researchers to replicate the fingerprint.
Apparently, in Japan, taking selfies with the peace sign is popular, so people are posting many pictures with their fingers in them with their prints facing the camera.
While Snopes went all crazy on it and said the article was no longer there, it is there tonight, at least for me.
Since we know that this has already been done, there is really not much new here.
What is important to understand is that this is technically feasible and will only become more practical for an actual attack as digital cameras get better or people take better photographs.
In fairness to Snopes, they didn’t deny this was possible; they suggested that we should not panic. I agree with Snopes on that; there is always time to panic later.
However, this is a good opportunity to point out that people are using biometrics in place of passwords, and I suggest (and many people agree) that this is a terrible idea.
One more time, we are trading security for convenience.
If you lock your iPhone with your fingerprint and someone compromises your fingerprint, how do you change your fingerprint? I guess the good news is that most people have ten fingers, so you can keep rotating fingers until you run out. If your fingerprints are compromised several at a time (say, by lifting the prints of all of the fingers of one hand off a glass), then you might only be able to change it one time.
For most people, protecting their iPhone (and I am only using Apple as an example) is a pretty low priority and a low risk.
For other people, biometrics protect a higher-value asset, such as a safe.
Those of us who have seen Mission Impossible and other movies have watched them use biometrics incorrectly.
There is a distinction, to security folks, between identifying someone and authenticating them.
Using biometrics to identify a person is fine. Think of using your fingerprint (or iris or retina or other biometric) as a replacement for your user NAME, not your password.
Using it in that way is fine because it is not required to remain secret.
In data centers it is common to use biometrics to control access. You look into a retina scanner or use a fingerprint to identify yourself. Then you enter an 8-digit PIN, for example, to authenticate that it is really you.
This is a form of two-factor authentication: two things are required to gain access, something you have, like a fingerprint or hand geometry, and something you know, a PIN.
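To make that identify-then-authenticate split concrete, here is an added example of my own (not code from the Japan Times or Snopes reports): a toy door controller where the fingerprint template is only a lookup key, the PIN is the secret, a copied print cannot buy unlimited PIN guesses, and the PIN can be rotated while the print cannot. The user name, template bytes and PIN values are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo: the biometric template only IDENTIFIES the person (like a
# user name); the PIN AUTHENTICATES them. Templates here are plain byte strings
# standing in for what a real scanner would produce.

class DoorController:
    def __init__(self, max_failures=3):
        self.by_template = {}        # template digest -> user record
        self.max_failures = max_failures

    @staticmethod
    def _template_id(template: bytes) -> str:
        # The template is an identifier, not a secret, so a plain digest is enough.
        return hashlib.sha256(template).hexdigest()

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        # The PIN is the secret, so it gets a salted, slow hash.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, name: str, template: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.by_template[self._template_id(template)] = {
            "name": name, "salt": salt,
            "pin_hash": self._pin_hash(pin, salt), "failures": 0}

    def unlock(self, template: bytes, pin: str) -> str:
        rec = self.by_template.get(self._template_id(template))
        if rec is None:
            return "denied"          # unknown print: nobody to authenticate
        if rec["failures"] >= self.max_failures:
            return "locked"          # a lifted print does not get unlimited guesses
        if hmac.compare_digest(rec["pin_hash"], self._pin_hash(pin, rec["salt"])):
            rec["failures"] = 0
            return "granted"
        rec["failures"] += 1
        return "denied"

    def change_pin(self, template: bytes, old_pin: str, new_pin: str) -> bool:
        # The secret factor can be rotated after compromise; the finger cannot.
        if self.unlock(template, old_pin) != "granted":
            return False
        rec = self.by_template[self._template_id(template)]
        rec["salt"] = os.urandom(16)
        rec["pin_hash"] = self._pin_hash(new_pin, rec["salt"])
        return True
```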
So while I agree with Snopes that we should not panic over this Japanese report, I also think it is a reminder about the appropriate way to use biometrics and that is NOT to use it for authentication.
We have seen a few cases where law enforcement has forced people to press their finger on their phone to unlock it. This is because your fingerprint is something you have. There have been way fewer courts that have said that you can be compelled to unlock a device protected by a password. That subtle distinction, something you have vs. something you know, makes all the difference when it comes to the Fifth Amendment.
And, on a more practical plane, whether it is the Japanese or the Germans or anyone else, you just make life much harder for the bad guys if you use two factor authentication.
So, it all boils down to security or convenience. Your choice. And all risks are not created equal, so sometimes convenience is fine. Just not always. Just make an informed decision.
Information for this post came from Japan Times and Snopes.