Preview: Fingerprints Are Usernames, Not Passwords

Dustin Kirkland is the Cloud Solutions Product Manager for Canonical, the company behind the open-source software platform Ubuntu. He will be appearing at SXSW Interactive as a solo speaker on the topic of biometrics in technology. His panel is titled “Fingerprints Are Usernames, Not Passwords.”

Q. Can you give me a brief overview of why you see it as a problem that our personal biometrics, at this point mostly fingerprints, are being used to authenticate our actions rather than identify us?

A. How many emails have you received, to date, from some online service or another saying, “We’re sorry, but our site was attacked, and while we don’t think your password was compromised, we think you should change it anyway, for good measure”?

Surely you’ve seen this once or twice, right?  And if you’re like me, you kind of take a deep breath, and think, “Oh man, that’s inconvenient…”

Now, what if that site used some form of biometrics, instead.  Let’s say your fingerprint.  Or your eyeball.  How would that email read? You want me to change my fingerprints!?  My eyeballs!?

That’s ridiculous, of course, but it perfectly shows the problem. Biometrics are not changeable.  You couldn’t alter them if you tried. Being able to change, rotate, and strengthen passwords is one of the most fundamental properties of authentication tokens — and completely missing from all forms of biometrics!

That’s just one of a number of problems with biometrics.

Q. Is biometrics something you’ve worked with professionally? What made you want to do a panel on the issue?

A. I’ve long maintained and developed an encrypted filesystem for Linux, called eCryptfs.  In 2008, I was asked to add eCryptfs support for Thinkpad’s fingerprint reader.  After thinking about it for a while, I refused to do so, with the core arguments being much of what I described above.  With that refusal to support fingerprint readers in 2009, I seemed to have picked a few fights and arguments with various users.

All was pretty quiet on the home front, until Apple released an iPhone with a built-in fingerprint reader in late 2013, and I blogged this piece that criticized the idea…(which went viral):

http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

Q.  I feel embarrassed to admit that I had never thought of the issue until seeing your panel synopsis.  Then, it seemed incredibly obvious and I found myself looking at my phone’s fingerprint scanner suspiciously.  Why do you think the public has had so little response to biometrics in technology, other than seeing it as a neat feature of a particular gadget?

A. On the surface, it seems like such a good idea.  We’ve all seen Mission Impossible or 007 or countless other spy movies where Hollywood portrays biometrics as the authentication mechanism of the future.  But it’s just that…  Bad pulp fiction.

There are plenty of ideas that probably seemed like a good idea at first. [But] dig a little deeper and many were actually misapplications from the beginning. We’ll be in the same place with biometrics, I have no doubt.

Q. In the future, if we continue down the current path do you see identity theft including the hacking of our fingerprints and voice patterns in addition to our credit card info?

A. I certainly hope we can curtail this doomed path of technology before we get to that point…

But if we don’t, then yes, absolutely.  All of your biometrics are easily collected in public places, with your knowledge.

– Your fingerprints are on your coffee mug and every beer bottle you’ve ever picked up with your bare hands.
– Your hair, dandruff, and dead skin contain your DNA.
– High resolution digital cameras can pick up your iris in incredible detail (less so for the retina currently)
– Facial recognition – seriously, unless you’ve taken exorbitant steps, your face is all over Facebook, Google, LinkedIn, etc., and everywhere you go in public today, there are security monitors.
– The same goes for vocal recognition.  Surely you’ve heard, “This call may be recorded for training purposes”.  Sure, that’s fine.  But do you go spilling your master password to all of your accounts to that phone support?  Well, if you use voice recognition for your authentication, then that’s exactly what you’ve done.

Q. Beyond crime, what are the civil liberties issues you see being entwined with biometrics technology?  Could the government theoretically access this information in much the same way they have our email and phone records in the past?

A. Theoretically, yes.  That “theoretically, yes” is enough for me to be very concerned.

Is Apple colluding with the NSA/FBI/CIA/etc?  I am most certainly NOT making that accusation.

Could they, or anyone else?  Most certainly.  They could even be coerced or forced to do so.  And they could do so unknowingly.  And it might not even be “the good guys”.  Anyone of this magnitude is a target for attacks, by less than savory governments or crime organizations.

Moreover, I strongly recommend that everyone consider their biometrics compromised.  As I said above, you leave a trail of your fingerprints, DNA, face, voice, etc. everywhere you go.  Just accept that they’re not secret, and don’t pretend that they are.

Q. What are some places where you see biometrics as appropriate and useful?

A. Back to the title of the presentation, I think biometrics are decent as a “username,” just not as a “password”… That’s what biometrics are – they’re another expression of your “identity”.  It can be used to replace, or rather, look up your name, username, or email address from a list, as it’s just another expression of that information.

Now, a password is…how you “prove” your identity.  This is something entirely different.  It must be long, and very hard to guess.  You have to be able to change it.  And you have to keep your passwords separate from different accounts, so that no one account could share that with another account and compromise you.

Q. What are your thoughts on SXSW Interactive as a venue for such discussion?

A. I think it’s a fantastic venue!  I attended SXSW Interactive in 2014, and was very impressed with the quality of speakers and discussion around security, privacy, identity, and civil liberties.  I immediately regretted that I didn’t submit this talk for the 2014 conference, and resolved to definitely do so for 2015.  Unfortunately, this subject is still important and topical in 2015. Which means we still have some work to do!

Q. Finally, are there any other panels you’re especially looking forward to?

A.  All of the Open Source ones (of which there are a lot!), as that’s really my passion.

 

 
