... and fingerprint authentication has problems too

Mon Aug 1 23:52:46 MST 2016

Am 29. Jul, 2016 schwätzte Tom Roche so:

moin moin,

and how many fingerprints can be replicated from people waving during a
selfie?

Cop shows demonstrate all the time that fingerprints and DNA are pretty
easy to come by without even having to resort to the enhance button.

In both cases, rotating them on a regular basis is a dangerous and
expensive process.

ciao,

der.hans

> Following the recent deprecation of 2FA over SMS (thread head here[1]), I was interested to note this NPR article[2] (dated 'July 27, 2016 2:34 PM ET'): "Police Use Fingertip Replicas To Unlock A Murder Victim's Phone". Basically, a team @ Michigan State University found a way to replicate a fingerprint good enough to unlock a phone. 3 things I noted:
>
> 1. The two-part approach that worked (after 2 previous fails) doesn't seem that hard to replicate. The MSU team enhanced previously-taken, plain-old-fashioned fingerprints, then printed the enhancements with conductive ink. One suspects this will be off-the-shelf before too long. Combine that with the following observations (file under "ISTM/ICBW") that
>
> * there's a lot more fingerprinting "going on out there." E.g., I'm pretty sure I was required to give fingerprints as part of my EPA clearance. (I.e., what one does in order to gain access to ... scientific compute clusters.)
>
> * fingerprints aren't that hard to take, given an item handled at (e.g.) a workplace or restaurant.
>
> 2. What surprised me more is, under current law (sorta--caveat below) something like a password (an "expression") is not subject to "force compulsion," but ...
>
> "The Smartphone versus the Fifth Amendment," Berkeley Technology Law Journal, 21 Dec 2014[3]
>> in the aftermath of Virginia v. Baust, many smartphone users may soon reconsider their reliance on fingerprint ID technology.
>
>> In October [2014], a Virginia trial judge ruled [in Virginia v. Baust] that unlike a passcode, the production of one's fingerprint is not "testimonial communication", and therefore, the Fifth Amendment privilege against self-incrimination cannot be invoked. Rather, the government may properly compel the production of a smartphone user's fingerprint to unlock the user's device. This force compulsion would ostensibly extend to any applications within a device that can be opened via fingerprint.
>
> However,
>
>> As a trial court, the ruling in Virginia v. Baust is not mandatory law. However, as with any early caselaw in a novel and undeveloped area of the law, this opinion will likely be cited as a persuasive authority.
>
> IANAL, so I don't know of subsequent use, or even how to search the case law for it.
>
> 3. I'd be interested to know is, would a hardware key (e.g., SecurID, YubiKey) be considered compellable or not? Either way, for 2FA purposes currently,
>
> 4. ... I'd hafta agree with Ed[4] that password+key beats password+SMS.
>
> 5. ... ISTM password+key beats password+fingerprint to the extent that (IIUC) a duplicate key will be harder to hack than a fingerprint for the forseeable future. Am I missing something?
>
> FWIW, Tom Roche <Tom_Roche at pobox.com>
>
> [1]: http://lists.phxlinux.org/lurker/message/20160727.071321.f24aaba8.en.html
> [2]: http://www.npr.org/sections/alltechconsidered/2016/07/27/487605182/police-use-fingertip-replicas-to-unlock-a-murder-victims-phone
> [3]: http://btlj.org/2014/12/the-smartphone-versus-the-fifth-amendment/
> [4]: http://lists.phxlinux.org/lurker/message/20160729.055043.2f7884f4.en.html
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>

-- 
#  http://www.LuftHans.com/        http://www.PhxLinux.org/
#  Very frankly, I am opposed to people being programmed by others.
#    -- Fred Rogers, aka Mr. Rogers (1928-2003)