Fingerprint readers: can they be trusted?

[dlalonde]

I just got the Moto Z Play, my first phone with a fingerprint scanner. So I'm trying to figure out if, in 2017, I trust that technology. Yeah I know I sound like an old man that's afraid of the TV but, unlike passwords, I can't reset my fingerprints if they're stolen.

I know the technical aspect of it (it's stored on a secure part of the processor and never sent out to the outside world) but there's always the "what if?". What if the software or hardware is faulty (like the times spyware were installed on phones or computers by companies and they didn't even go 'woops, sorry!') or the CloudFlare leak, and so on and so forth.

So what about you? Do you trust fingerprint scanners?

 

[Josiah23]

Yeah, I completely trust fingerprint readers both on my Android and IOS devices. They're fast and reliable, the only reason I would fear of fingerprint readers is if someone can somehow hack into my phone and steal my fingerprint and then I don't know, plant it at a crime scene or something, which would take too much time and effort... lol, but before that can possibly happen I see no reason not to trust it.

 

[dlalonde]

But then if that or say a bug in the software or an update were to happen, your fingerprint would be out in the wild. Wouldn't that worry you?

 

[BBUniq01]

But then if that or say a bug in the software or an update were to happen, your fingerprint would be out in the wild. Wouldn't that worry you?

Honestly, most people would overlook security for the convenience.

 

[dlalonde]

Honestly, most people would overlook security for the convenience.

Yes but are they right? Do you reckon it's safe or you'd rather not risk it even if the sensor is right there ready for use.

 

[Almeuit]

I'm not worried. If you are simply use a password.

 

[ManiacJoe]

Folks seem to be confusing a fingerprint with the digital representation of one.
Two different things.

I stay with password/PIN because a fingerprint scanner requires clean, bare fingers; I cannot guaranty my fingers are always in that condition.

 

[Billy Bob Jimmy Joe]

Maybe stick with a landline? I accepted the fact that anything connected to the Internet can be hacked and/or stolen. The amount of convenience I'm getting completely outweighs the risk, in my opinion.

 

[dlalonde]

I'm not worried. If you are simply use a password.

This was more of a conversation thread than a help one.

Folks seem to be confusing a fingerprint with the digital representation of one.
Two different things.

I stay with password/PIN because a fingerprint scanner requires clean, bare fingers; I cannot guaranty my fingers are always in that condition.

What do you mean? If someone has your fingerprint, they can't use it somewhere else?

Maybe stick with a landline? I accepted the fact that anything connected to the Internet can be hacked and/or stolen. The amount of convenience I'm getting completely outweighs the risk, in my opinion.

Ha ha! I know I'm not that paranoid or naive. As I said, I'm asking because fingerprints cannot be reset (and to create a conversation about it).

 

[Josiah23]

But then if that or say a bug in the software or an update were to happen, your fingerprint would be out in the wild. Wouldn't that worry you?

Even then I oddly wouldn't be too worried about it. I'm not disrespecting Android but I can possibly see this happening to an Android device in the future. If this was to be a big problem with many people's fingerprint compromised, it would be the manufacturers fault and authorities would be involved. There's not much you can do with a fingerprint... at least not much that I'm aware of.

 

[Almeuit]

This was more of a conversation thread than a help one.

Well I mean we could discuss "what if" all day but in reality the what if is really low. They would have to have physical access to the phone to get to the chip and then somehow break the encryption. I look at it this way .. Do you think you really are that important that someone would go through ALL that trouble to get into your phone (which they have to have in their possession)? Doubtful. That is what I ask myself all the time and come up with that same answer. That is a lot of work for a small reward of getting into someones phone. If anything they would do other nefarious things to just get the phone back to a working state to sell or something.

 

[dlalonde]

Well I mean we could discuss "what if" all day but in reality the what if is really low. They would have to have physical access to the phone to get to the chip and then somehow break the encryption. I look at it this way .. Do you think you really are that important that someone would go through ALL that trouble to get into your phone (which they have to have in their possession)? Doubtful. That is what I ask myself all the time and come up with that same answer. That is a lot of work for a small reward of getting into someones phone. If anything they would do other nefarious things to just get the phone back to a working state to sell or something.

True, but what I'm talking about is more related to having your fingerprints out in the wild, not just getting into the phone. Then again, can anyone do anything with a stolen image of your fingerprints?

 

[Gayle Lynn]

Out of all my phones with some type of fingerprint recognition, one works 2-3x as fast and reliable, the Huawei Mate 9.

My iPhone 6S Plus with iOS 9 was weak if my finger had any oil, moisture, etc. Blackberry us rather unreliable. The S7 was. okay. Prior models were still working out kinks.

I'm having eye surgery and I don't think that will affect an Iris scanner but I guess it could. Or contacts. Do spoofing an Iris might be possible. Picking up a fingerprint too if we believe crime drama TV shows.

Makes life and access to apps much easier and less hassle. Never giving it up.

 

[Almeuit]

True, but what I'm talking about is more related to having your fingerprints out in the wild, not just getting into the phone. Then again, can anyone do anything with a stolen image of your fingerprints?

And the same question applies -- Do you think you're that important for them to gain physical access to your phone and then break encryption (which isn't something that is 2 clicks) to get into the chip just to do this? They would have better chance sending out spam emails and having people give their info up instead of doing this.

 

[dlalonde]

And the same question applies -- Do you think you're that important for them to gain physical access to your phone and then break encryption (which isn't something that is 2 clicks) to get into the chip just to do this? They would have better chance sending out spam emails and having people give their info up instead of doing this.

Good point!

 

[LeoRex]

Digital thieves are still just thieves... and they, like water and electricity, like to find the path of least resistance. To get someone's prints, you either pull some Mission Impossible level stuff and hack into Google to inject some malicious code into the Android base AND manage to hide it well enough to not get sniffed out in code reviews... that is, as amazing as it sounds, is harder than it sounds. There are countless sets of far more intelligent eyes pouring over all that code looking for anything that could possibly be exploited, nevermind a purpose-built back door.

Option 2: load up a malicious application that weasels its way into the OS and cracks open the FP container. Android has been significantly hardened in recent versions, and getting in there usually needs the user to pretty much knowingly let Dracula across his threshold... long ago are the days that a malicious app can acquire root access on a fully stock phone. See option 1 on how there are significant roadblocks for anyone looking to get all Mr Robot...

And final... Option 3 : someone takes possession your device to get to the information. Every phone can be hacked into... it is just a matter or motivation. If a government wants the info on your device, they will get it... there is no 100% secure device. If someone has it in hand and has the means to get into it... they can. But oftentimes, they reserve that for a device that has some rather important bit of info... And, and I am fairly confident in this, in all likelihood, none of us are that interesting.

So the chances of some NSA/CIA/FSB type wanting your information is astronomically remote... and it is probably equally true that anyone that pinches your phone is some digital criminal mastermind... if they were, they'd be able to undress you without so much as looking at your phone, nevermind breaking into it.

 

[Aquila]

In the movie Hannibal, Dr Lector did not take kindly to someone attempting to steal his fingerprints.

 

[dlalonde]

It's actually comforting to read you guys. All I've seen in my research articles with titles the like of "Why you shouldn't use fingerprint scanners".

When that happens I try to find the truth within the FUD.

 

[ab304945]

Folks seem to be confusing a fingerprint with the digital representation of one.
Two different things.

I stay with password/PIN because a fingerprint scanner requires clean, bare fingers; I cannot guaranty my fingers are always in that condition.

That's what the back up password or pin is for. If your hand is dirty out have gloves on, you can enter the backup pin our pass.

 

[LeoRex]

It's actually comforting to read you guys. All I've seen in my research articles with titles the like of "Why you shouldn't use fingerprint scanners".

When that happens I try to find the truth within the FUD.

Well... some of those articles are tricky. Security related stuff can sometimes come from some super-paranoid types who think there is a small team of govt spies dedicated to pouring over every aspect of their life. Now, while there ARE teams like that in existence, they are usually focusing on the sketchy dude that lives out in the woods that happens to be buying up an awfully large amount of ammonium nitrate and a bunch of 55 gallon drums.

Now, is NOT using a fingerprint 'safer' than using one? Technically speaking, it is... but there hasn't been a single instance that I've read about where someone hacked a phone and got someone's fingerprints to be used for ill begotten gains. There have been some security types that have shown that you can defeat FPS systems, but every single one required the nefarious marauder to be a) technically savvy and b) have the phone in hand. And someone of that ilk will get in your phone, FPS be damned.

Most every time a phone is stolen, it's by some loser who'll try to turn it around for a quick buck.