https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59463#M795 <P>Equating biometrics with other authenticators does not work well due to wildly different characteristics. In addition to being permanent, they also are continuously disclosed, difficult to lose/forget, and difficult to clone (presuming one is&nbsp;<A href="https://dolly.roslin.ed.ac.uk/facts/the-life-of-dolly/index.html" target="_blank" rel="noopener">not a sheep</A> <span class="lia-unicode-emoji" title=":grinning_face:">😀</span>).&nbsp; I view biometrics more as "another tool in the toolbox", not as part of a "chose one" set.</P><P>&nbsp;</P><P>Unlocking a logged-in device that one has in their physical possession is one of the few good use-cases I see. The reason being that I can use the "convenience" of FaceID as a trade-off to gain acceptance of a security goal, short (1-minute) idle locks.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Coupled with that though is biometrics are insufficient when the situation becomes suspicious.&nbsp; For example, a PIN is required after an iPhone reboot, and one must reauthenticate to add a new camera on a Windows.&nbsp; And as failed in the original article, when rate-limiting has been exceeded.</P><P>&nbsp;</P> Thu, 25 May 2023 15:14:58 GMT denbesten 2023-05-25T15:14:58Z https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59443#M792 <P>Hi All</P><P>&nbsp;</P><P>Apparently not, Chinese researchers say they successfully bypassed fingerprint authentication safeguards on smartphones by staging a brute force attack.&nbsp;</P><P>&nbsp;</P><P><A href="https://techxplore.com/news/2023-05-brute-force-bypasses-android-biometric-defense.html" target="_blank" rel="noopener">https://techxplore.com/news/2023-05-brute-force-bypasses-android-biometric-defense.html</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Mon, 09 Oct 2023 10:33:08 GMT https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59443#M792 Caute_cautim 2023-10-09T10:33:08Z https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59448#M793 <P>The fundamental issue described in the article is not the use of biometrics, but rather that the adversary was able to subvert rate-limiting/locking.&nbsp;&nbsp;Keep in mind the traditional fallback for a phone unlock -- a 4-to-6-digit PIN.&nbsp; That takes under 1M attempts to brute force, which makes rate limiting/locking critical.</P><P>&nbsp;</P><P>Safe is a continuum, not a binary value.&nbsp; I personally view biometrics as "safe enough" only when combined with other requirements, including rate-limiting/locking and a&nbsp;physical presence requirement (e.g. to unlock phone that is in my hands, but not to unlock a VM with a remote-USB attached fingerprint reader).</P><P>&nbsp;</P> Thu, 25 May 2023 01:08:07 GMT https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59448#M793 denbesten 2023-05-25T01:08:07Z https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59449#M794 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713">@denbesten</a>I agree, with other measures, but you cannot change Iris's, eyes, fingerprints, or faces, unless you want to willingly undergo surgical procedures at cost.&nbsp;&nbsp; However, within the next ten years there will be a whole host of different cybernetics augmentations, for the human body to overcome losses or deficiencies, so perhaps one can change eyes, facial features and fingerprints.&nbsp;</P><P>&nbsp;</P><P>But some organisations, can facilitate this if you are willing at a cost.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Thu, 25 May 2023 06:23:56 GMT https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59449#M794 Caute_cautim 2023-05-25T06:23:56Z https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59463#M795 <P>Equating biometrics with other authenticators does not work well due to wildly different characteristics. In addition to being permanent, they also are continuously disclosed, difficult to lose/forget, and difficult to clone (presuming one is&nbsp;<A href="https://dolly.roslin.ed.ac.uk/facts/the-life-of-dolly/index.html" target="_blank" rel="noopener">not a sheep</A> <span class="lia-unicode-emoji" title=":grinning_face:">😀</span>).&nbsp; I view biometrics more as "another tool in the toolbox", not as part of a "chose one" set.</P><P>&nbsp;</P><P>Unlocking a logged-in device that one has in their physical possession is one of the few good use-cases I see. The reason being that I can use the "convenience" of FaceID as a trade-off to gain acceptance of a security goal, short (1-minute) idle locks.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Coupled with that though is biometrics are insufficient when the situation becomes suspicious.&nbsp; For example, a PIN is required after an iPhone reboot, and one must reauthenticate to add a new camera on a Windows.&nbsp; And as failed in the original article, when rate-limiting has been exceeded.</P><P>&nbsp;</P> Thu, 25 May 2023 15:14:58 GMT https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59463#M795 denbesten 2023-05-25T15:14:58Z https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59475#M797 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713">@denbesten</a>All good commonsense, although this appears to be a rarity these days!!</P><P>&nbsp;</P><P>Unfortunately, some governments see this as a means of advertising digital identity initiatives and grand standing, whilst others use such techniques for mass surveillance purposes.&nbsp; The public definitely needs to be kept informed.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Thu, 25 May 2023 21:26:27 GMT https://community.isc2.org/t5/Threats/Are-biometrics-secure/m-p/59475#M797 Caute_cautim 2023-05-25T21:26:27Z