Comments on: Identification Versus Authentication https://pthree.org/2013/09/23/identification-versus-authentication/ Linux. GNU. Freedom. Wed, 13 Jun 2018 20:15:45 +0000

By: Vincent Hamilton https://pthree.org/2013/09/23/identification-versus-authentication/#comment-129735 Mon, 30 Sep 2013 23:45:48 +0000 http://pthree.org/?p=3257#comment-129735 I think many would agree with you in terms of absolute security, even those who created it at Apple. However, much of engineering is about scope and I think TouchID is not attempting to improve absolute security. Rather, I believe the goal is to improve general security. For example, once the majority of the user base is using some sort of code (be it, a short PIN, a long passphrase and/or fingerprint) that also means that those devices are storing encrypted data (according to iOS' security policy). Also, once TouchID is available across the product line, there's no reason Apple couldn't offer other permutations of "fingerprint + X" for all-around increased security.

The idea is that the more people use it, the more it becomes a part of the general system infrastructure. Said infrastructure can then be built upon. There's little reason to be disappointed in what Apple has released. If they did what you are proposing, I think that uptake would be minimal and therefore irrelevant. Passphrases as a device access barrier have been available in iOS for some time now. It's a highly-personal computer though and having to enter a passphrase whenever you want to use it is not ideal.

Look at the defaults that come on a TouchID setup: once enabled, the device requests authentication upon every sleep/wake cycle. Also, anytime the device is restarted, a short PIN or passphrase is requested; fingerprint alone is not sufficient.

I would recommend a wait-and-see stance here. If the current state of affairs is not iterated upon over the coming quarters, then I encourage there to be an uproar created.

By: Steve Barker https://pthree.org/2013/09/23/identification-versus-authentication/#comment-129734 Mon, 30 Sep 2013 20:51:56 +0000 http://pthree.org/?p=3257#comment-129734 On a practical level I'd hate to have to use a fingerprint to work my phone. It takes on average 5 attempts to read my fingerprint going into work each morning!

By: Keith Zubot-Gephart https://pthree.org/2013/09/23/identification-versus-authentication/#comment-129718 Thu, 26 Sep 2013 19:17:07 +0000 http://pthree.org/?p=3257#comment-129718 Err, by phones I mean anything that's NOT phones, so mostly just tablets. Oops.

By: Keith Zubot-Gephart https://pthree.org/2013/09/23/identification-versus-authentication/#comment-129717 Thu, 26 Sep 2013 19:16:45 +0000 http://pthree.org/?p=3257#comment-129717 Worth noting that Android 4.2 only introduces multiple users for phones. This appears to be because of a patent, sigh.

By: Aaron Toponce https://pthree.org/2013/09/23/identification-versus-authentication/#comment-129704 Wed, 25 Sep 2013 14:38:19 +0000 http://pthree.org/?p=3257#comment-129704 Is using a fingerprint scanner for authentication worse than no password at all? No. Does using a fingerprint for authentication provide any security over no password at all? No. Not to the determined at least. Having a fingerprint used for authentication isn't going to worsen the security of the phone. It just won't increase it either.

By: Joseph Scott https://pthree.org/2013/09/23/identification-versus-authentication/#comment-129692 Tue, 24 Sep 2013 14:15:58 +0000 http://pthree.org/?p=3257#comment-129692 There are other angles to this. Reports have indicated that the vast majority of people use no passwords on their phone at all. So one question becomes, would using a fingerprint be worse than no password at all?

Security options don't exist in a single vacuum situation; there are many levels and trade-offs. On top of that it isn't even a one-time thing; you might be ok with fingerprint scanning under normal situations but then switch to long passwords while traveling.

By: Svetlana Belkin https://pthree.org/2013/09/23/identification-versus-authentication/#comment-129691 Mon, 23 Sep 2013 14:29:21 +0000 http://pthree.org/?p=3257#comment-129691 (I think I may have misread that part about Android 4.2 though not all phones have a built-in fingerprint scanner)

By: Svetlana Belkin https://pthree.org/2013/09/23/identification-versus-authentication/#comment-129690 Mon, 23 Sep 2013 14:21:34 +0000 http://pthree.org/?p=3257#comment-129690 About your last point about expecting more from Apple. I think this is where OpenSource and Ubuntu Touch can shine because it can be improved into a better security system of IDing first via fingerprint scanner then a password or PIN as you said.
