Fingerprints for Passwords - Page 2
Tephus
Cascadia 1753 Posts
Zess
Adun Toridas! 9144 Posts
On April 16 2014 20:25 micronesia wrote: I'm sure some of the people involved in the development of using fingerprints for passwords have given this some thought, and have some answers. But it seems to me like the core issues will still be there, and this won't really be any better for us than our current password and identity validation system.

The issue with stealing physical fingerprints is a real one (and is why using your fingerprint to lock your iPhone is great against burglars but terrible against the police, although miles better than a terrible 4-digit numeric code). However, the fear that a security breach on one site that you authenticate with will leak your password to all other sites is in fact mitigated with the suggested fingerprint technology.

Currently, most websites use a salted one-way hash to store your password, so that given a password, you can generate a unique key, but given a unique key, it is very hard to find the password (unless your password sucks). But even so, breaking into the server and obtaining the hash still obtains relevant information about the password. Fingerprint technology paired with a scanning device allows us to use "zero-knowledge" authentication, which means the website will know that you know the password, but no one watching or peeping on this exchange will have any idea of what is going on, and couldn't tell the difference between a real handshake and a fake handshake. So ideally, there would be nothing that could be stolen on the server side that will log you into other servers with their own authentication scheme.

http://en.wikipedia.org/wiki/Zero_knowledge_proof#Abstract_example
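An added example, not part of Zess's post: a minimal sketch of the kind of "zero-knowledge" login the post describes, using Schnorr identification, which is this example's choice of protocol (honest-verifier zero-knowledge) and not one the thread names. The group parameters are toy-sized and constructed for illustration, and a password-derived secret stands in for whatever the scanning device would supply.

```python
import hashlib
import secrets

# Toy-sized Schnorr group, constructed for this example (far too small for real use):
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def secret_from_password(password: str, salt: bytes) -> int:
    """Client side: stretch the password into a secret exponent x in [1, Q-1]."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def enroll(x: int) -> int:
    """What the server stores: the public value y = G^x mod P, never x itself."""
    return pow(G, x, P)

def commit():
    """Prover step 1: pick a fresh nonce k and send the commitment t = G^k."""
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)

def respond(x: int, k: int, c: int) -> int:
    """Prover step 3: s = k + c*x mod Q. The one-time nonce k masks x."""
    return (k + c * x) % Q

def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier check: G^s == t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def simulate(y: int):
    """Build an accepting transcript WITHOUT x by choosing c and s first.
    Anyone can do this from y alone, so a recorded handshake proves nothing
    to an eavesdropper. It does not help in a live login, where the server
    picks c only after seeing t."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, c, s

def login(x: int, y: int) -> bool:
    """One honest round: client knows x, server knows only y."""
    k, t = commit()
    c = secrets.randbelow(Q)  # verifier step 2: random challenge
    return verify(y, t, c, respond(x, k, c))

if __name__ == "__main__":
    x = secret_from_password("correct horse", b"constructed-salt")
    y = enroll(x)
    print("honest login accepted:", login(x, y))
    print("simulated transcript accepted:", verify(y, *simulate(y)))
```

The stored y together with the salt still lets someone who steals the server database test guesses offline, so a low-entropy secret stays guessable.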
darkscream
Canada 2310 Posts
First of all, it's imperfect, your body will be stolen or reproduced. Does not require "you", which is the intent, but it's not a wizard's spell from Dungeons and Dragons, magic doesn't exist. Secondly, we're already monitored and measured by governments and corporations all day every day, a secure code in your head for a closed (non-internet) network is safest and will always be closest to a vault with a complex physical key system. Tying it to your body means everyone knows what your key looks like and where you keep it. Really it just seems shortsighted at best, tinfoil-hat conspiratorial at worst. I'm sure it's appropriate as a layer or in some specific security circumstances, but holy shit it just does not seem to be a good idea in this day and age, to log in to your phone, computer and social media with your biometrics on the open web/telephony system.