When your password leaks:→ Change your password→ Problem solved
-
@capitainesam So maybe you combine biometrics with password/passkey?
One of the foundational stories of cyberpunk illustrated a defense against biometrics fraud. The hackers targeted a victim that used fingerprint login. They managed to get a copy of the victim's fingerprint and used it.
Then the victim's security system kicked in - because the victim always deliberately *failed* the first finger login and used their *second* finger login...
@dancingtreefrog @capitainesam GrapheneOS supports a pin as second factor for biometrics
-
@vrek @capitainesam I seem to recall that it was William Gibson's Neuromancer; the incident that lead to the main character's nervous system being crippled by the Russian mafia. But it's been awhile since I read it, I could be mistaken.
@dancingtreefrog @vrek @capitainesam I think you're describing Orson Scott Card's "Dogwalker," which involves intuiting a password but failing to realize that the target always miskeyed the first time until too late.
"Neuromancer" does have a character who is neurologically crippled by their employer (with a "wartime Russian mycotoxin"). ("He'd made the classic mistake, the one he'd sworn he'd never make. He stole from his employers.")
-
@dancingtreefrog @vrek @capitainesam I think you're describing Orson Scott Card's "Dogwalker," which involves intuiting a password but failing to realize that the target always miskeyed the first time until too late.
"Neuromancer" does have a character who is neurologically crippled by their employer (with a "wartime Russian mycotoxin"). ("He'd made the classic mistake, the one he'd sworn he'd never make. He stole from his employers.")
@trurl @dancingtreefrog @capitainesam thanks for the clarification. I have been avoiding Orson Scott card because of his actions at conventions previously, although I have read enders game. That said I'm due for a re-read of nueromancer.
-
When your password leaks:
→ Change your password
→ Problem solvedWhen your biometric data leaks:
→ You can't change your face
→ You can't change your fingerprints
→ The compromise is permanent
→ Your biometric data is in breach databases foreverThis is why facial recognition for age verification is dangerous.
I would say you do the exact same thing:
If you used to use biometric for access control and your biometric is "leaked"…
You remove the biometric login and setup something else (password, certificate, passkey… just something else) -
When your password leaks:
→ Change your password
→ Problem solvedWhen your biometric data leaks:
→ You can't change your face
→ You can't change your fingerprints
→ The compromise is permanent
→ Your biometric data is in breach databases foreverThis is why facial recognition for age verification is dangerous.
The damage is already done for years. Wouldn’t it make more sense to discuss how to mitigate it an to heal it in the next decades?
-
@dancingtreefrog
Why copy? Just get the finger. With or without the human hanging on it.@Mercutio @dancingtreefrog @capitainesam That is something good fingerprint readers will detect. You get way better chances of success with a copy. Needs a print on a surface, a bit of superglue and a printer.
-
@capitainesam@mastodon.social @negative12dollarbill@techhub.social yeah, easy. just get plastic surgery, duhhhhh /j
@Starcross @negative12dollarbill @capitainesam Wasn't that a plot point in many early gangster movies?
What's old is new again! -
When your password leaks:
→ Change your password
→ Problem solvedWhen your biometric data leaks:
→ You can't change your face
→ You can't change your fingerprints
→ The compromise is permanent
→ Your biometric data is in breach databases foreverThis is why facial recognition for age verification is dangerous.
@capitainesam This is a IMPORTANT POINT!
My question is about biometric data on your phone. What can you do to protect it? Is it always local or is it shared?
Should you never use it because people can get into it -
When your password leaks:
→ Change your password
→ Problem solvedWhen your biometric data leaks:
→ You can't change your face
→ You can't change your fingerprints
→ The compromise is permanent
→ Your biometric data is in breach databases foreverThis is why facial recognition for age verification is dangerous.
@capitainesam biometrics for logins, not passwords!
-
When your password leaks:
→ Change your password
→ Problem solvedWhen your biometric data leaks:
→ You can't change your face
→ You can't change your fingerprints
→ The compromise is permanent
→ Your biometric data is in breach databases foreverThis is why facial recognition for age verification is dangerous.
@capitainesam it's also why using biometric data instead of a password or a 2fa on an online service is a bad idea
-
@dancingtreefrog
Why copy? Just get the finger. With or without the human hanging on it. -
@ill_logic @jfml @capitainesam every proper implementation hashes the fingerprint, just like you don't store clear text passwords in the shadow file...
The question is, is this a proper implementation on phones...
@celeste_42bit @ill_logic @capitainesam But does this (hashing of the fingerprint) help with the problem that if it get leaked I can basically never use it again? Using your fingerprint is like having a password you can't change does the hashing change anything about this?
-
@celeste_42bit @ill_logic @capitainesam But does this (hashing of the fingerprint) help with the problem that if it get leaked I can basically never use it again? Using your fingerprint is like having a password you can't change does the hashing change anything about this?
@jfml @celeste_42bit @capitainesam If I somehow get your fingerprint, I can figure out the hash. But if I steal the hash I *can't figure out your fingerprint. Hashes are cool like that. So in principle you should still be able to use it.
* Now the caveat is that it has to be done right. And perhaps someone can find a way to break these systems over time. This has happened with password database systems. Also I don't know anything about biometrics in particular, just the principles at play here.
-
@jfml @celeste_42bit @capitainesam If I somehow get your fingerprint, I can figure out the hash. But if I steal the hash I *can't figure out your fingerprint. Hashes are cool like that. So in principle you should still be able to use it.
* Now the caveat is that it has to be done right. And perhaps someone can find a way to break these systems over time. This has happened with password database systems. Also I don't know anything about biometrics in particular, just the principles at play here.
@jfml @celeste_42bit @capitainesam (BTW I don't use biometric logins)
-
@jfml @celeste_42bit @capitainesam If I somehow get your fingerprint, I can figure out the hash. But if I steal the hash I *can't figure out your fingerprint. Hashes are cool like that. So in principle you should still be able to use it.
* Now the caveat is that it has to be done right. And perhaps someone can find a way to break these systems over time. This has happened with password database systems. Also I don't know anything about biometrics in particular, just the principles at play here.
@ill_logic @celeste_42bit @capitainesam Ah, ok, thanks for the explanation, that makes sense.
-
@ill_logic @celeste_42bit @capitainesam Ah, ok, thanks for the explanation, that makes sense.
@jfml @ill_logic @capitainesam Yea, Hashes are designed to loose data by design.
You can, for example, hash a 1000 page book, and the 265bit hash will still only have 265bits. It's unique for the book, but due to the obvious massive data loss, the book is not recoverable from the hash.
But same here, I have very little understanding of how biometric locks actually work. Just the absolute basics.
-
Won't the law require you to to biometric ID?
@charlesdelavalleepoussin @capitainesam If it's a paid service that might count as automatically verifying any user as being an adult if it only allows payment methods that aren't accessible to minors
-
When your password leaks:
→ Change your password
→ Problem solvedWhen your biometric data leaks:
→ You can't change your face
→ You can't change your fingerprints
→ The compromise is permanent
→ Your biometric data is in breach databases foreverThis is why facial recognition for age verification is dangerous.
@capitainesam
Interesting point of view.
Department of Witness Protection for leaked biometrics? -
When your password leaks:
→ Change your password
→ Problem solvedWhen your biometric data leaks:
→ You can't change your face
→ You can't change your fingerprints
→ The compromise is permanent
→ Your biometric data is in breach databases foreverThis is why facial recognition for age verification is dangerous.
@capitainesam Fun bit of trivia for fingerprints is that there are known approaches of using fingerprints to generate pub/private style keypairs, so you can use that biometric in a safer manner (in theory). In practice your point absolutely stands.
-
When your password leaks:
→ Change your password
→ Problem solvedWhen your biometric data leaks:
→ You can't change your face
→ You can't change your fingerprints
→ The compromise is permanent
→ Your biometric data is in breach databases foreverThis is why facial recognition for age verification is dangerous.
@capitainesam IF we could trust that a 1-way transform of the data is stored rather than your raw fingerprints & a jpeg of your face/passport, things would be slightly better
unfortunately, biometric ID is being pushed by untrusted parties
