comment by kleinbl00
kleinbl00  ·  673 days ago  ·  parent  ·  post: Authenticating without a password is something we should talk about

You can compare a data point to another data point, you mean.

Android fingerprint readers don't hash your fingerprint. They upload your fucking fingerprint to Amazon. So when a fraudster uses your fingerprint, and you say "nope, that's not my fingerprint, this is my fingerprint," the banks go "same fingerprint d00d." So now your fingerprint is FOREVER out there and you can't use it to validate ever again, because it's a stolen credit card number.

So maybe someone grabs Goobster's fingerprint data and the first thing he does is go "huh I'll bet I can use this to score some identities." He goes around with a forged birth certificate and heads to the DMV and says "I need a driver's license, oh by the way my fingerprints were stolen." So now they WON'T USE HIS FINGERPRINT to verify his identity, they'll fall back on their ancient bullshit. Meanwhile, all the speed he's encountering in using your identity to steal your life is slowing you up because while neither one of you can be trusted? He's used to this.

You know what's cool about credentials? They can be revoked. You know what sucks about biometrics? They can't. Mistakes are made, accidental and deliberate, and expecting a company that shows absolutely no interest in protecting your revocable credentials to treat your irrevocable credentials any differently is naive in the extreme.

Meanwhile you've just created a situation where in order to rent a car I now need to get Theranos involved or some shit which, frankly, no thanks.

Nexus passes between the US and Canada have iris scans for Canadians. They don't for Americans, in no small part because Customs and Border Protection in the US didn't want to be responsible for a bunch of indelible biometric data. They know "information wants to be free." I'm sure they'll change their mind eventually; dipshits have been pushing for this since before Sony rootkitted their compact discs.

But that doesn't make it a good idea.

Shitty passwords are a design choice. They are the outcome of a bad system imposing unrealistic demands on its users. The solution is not to make the users try harder, it's to make the system better. If you need more security than I can provide easily, you can fuck right off. There's nothing you're doing for me that can't be done with less.

Prove me wrong.
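The revocability point above is worth seeing in code. The block below is an added example, not kleinbl00's or Hubski's code: it uses constructed, made-up "fingerprint" feature vectors and a hypothetical `CredentialStore` class. It shows why a biometric cannot be stored as a salted hash the way a password can (two readings of the same finger never hash to the same value, so the matcher must keep a comparable template), and why a password can be rotated after a leak while a re-enrolled fingerprint still matches the stolen template.

```python
import hashlib
import hmac
import os

# Constructed samples (not real biometric data): a short feature vector per reading.
# Two readings of the same finger differ slightly from sensor noise; an impostor differs a lot.
ENROLLED = [0.42, 0.88, 0.13, 0.67, 0.29, 0.74, 0.55, 0.91]
SAME_FINGER_AGAIN = [0.44, 0.86, 0.15, 0.66, 0.30, 0.72, 0.56, 0.90]
IMPOSTOR = [0.10, 0.35, 0.80, 0.22, 0.95, 0.14, 0.60, 0.40]


def template_bytes(sample):
    """Serialize a feature vector so it can be hashed or stored."""
    return ",".join(f"{v:.2f}" for v in sample).encode()


def hash_matches(enrolled, probe):
    """Treat the biometric like a password: hash both sides and compare digests.
    Any sensor noise changes the digest, so the legitimate user is rejected."""
    a = hashlib.sha256(template_bytes(enrolled)).digest()
    b = hashlib.sha256(template_bytes(probe)).digest()
    return hmac.compare_digest(a, b)


def similarity_matches(enrolled, probe, threshold=0.1):
    """What a real matcher has to do instead: keep the raw template and score distance.
    This is why the template itself, not a hash, sits in the database."""
    distance = max(abs(x - y) for x, y in zip(enrolled, probe))
    return distance <= threshold


class CredentialStore:
    """Hypothetical server-side store holding both credential types for comparison."""

    def __init__(self):
        self.passwords = {}   # user -> (salt, pbkdf2 digest); the secret itself is never kept
        self.biometrics = {}  # user -> raw template; must be kept in comparable form

    # --- revocable credential: a password ---
    def set_password(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.passwords[user] = (salt, digest)

    def check_password(self, user, password):
        salt, digest = self.passwords[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, digest)

    # --- irrevocable credential: a fingerprint ---
    def enroll_fingerprint(self, user, template):
        self.biometrics[user] = list(template)

    def check_fingerprint(self, user, probe):
        return similarity_matches(self.biometrics[user], probe)

    def revoke_fingerprint(self, user):
        # Deleting the record is all a server can do; the user's finger is unchanged.
        self.biometrics.pop(user, None)


def breach_scenario():
    """Walk through a leak of both credential types and report what still works."""
    store = CredentialStore()
    store.set_password("alice", "correct horse battery staple")
    store.enroll_fingerprint("alice", ENROLLED)

    # The database leaks: the attacker gets the password record and the raw template.
    stolen_template = list(store.biometrics["alice"])

    # Password response: rotate it. The old secret stops working immediately.
    store.set_password("alice", "new secret after the breach")
    old_password_still_works = store.check_password("alice", "correct horse battery staple")
    new_password_works = store.check_password("alice", "new secret after the breach")

    # Fingerprint response: "revoke" and re-enroll. Alice still has the same finger,
    # so the re-enrolled template still matches the stolen copy.
    store.revoke_fingerprint("alice")
    store.enroll_fingerprint("alice", SAME_FINGER_AGAIN)
    stolen_template_still_works = store.check_fingerprint("alice", stolen_template)

    return {
        "old_password_still_works": old_password_still_works,
        "new_password_works": new_password_works,
        "stolen_template_still_works": stolen_template_still_works,
    }


if __name__ == "__main__":
    print("hash compare, same finger:", hash_matches(ENROLLED, SAME_FINGER_AGAIN))
    print("similarity, same finger:", similarity_matches(ENROLLED, SAME_FINGER_AGAIN))
    print("similarity, impostor:", similarity_matches(ENROLLED, IMPOSTOR))
    print(breach_scenario())
```

The threshold and the distance metric are toy choices; real matchers use minutiae graphs and tuned error rates, but the shape of the problem is the same: the server holds something comparable to the finger, and rotating it is not an option.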
goobster  ·  673 days ago

    "You know what's cool about credentials? They can be revoked. You know what sucks about biometrics? They can't."

Ah. Right. That flipped the light on for me...

Thanks, as always, for the education.