45 Comments
euskalzabe - Thursday, June 2, 2016 - link
That seems quite expensive. I bought my USB fingerprint reader dongle from K-Byte on Amazon for $12 and it works wonders with Windows Hello. I don't see the need to pay $50 for Synaptics' version.
BrokenCrayons - Thursday, June 2, 2016 - link
Has Microsoft disclosed how much biometric information they retain once it's submitted to the OS? It's probably just paranoia, but I have a hard time trusting the company to do the right thing these days with either image information, microphone audio, and fingerprint patterns. Sure most of that can't be used now, but will that always be the case?
Solidstate89 - Thursday, June 2, 2016 - link
It's handled just like Apple and kept only on the local machine. It doesn't require it, but it is also recommended that any use of Hello is in conjunction with a TPM - preferably 2.0. I think it might actually be an OEM requirement, even if it isn't a software requirement.
rahvin - Thursday, June 2, 2016 - link
Under no circumstance should biometric information EVER be used for authentication. Biometrics should only be used for identification (Login), never password. Biometric information is trivial to steal. If you make your fingerprint your password you are leaving your password on every single thing you touch.
Until these readers and the software they use are configured to use the biometric information only as an identity (login) they are utterly worthless.
xthetenth - Saturday, June 4, 2016 - link
Fingerprints are pretty bad, but other forms are harder to get and harder to duplicate. Meanwhile passwords suck aggressively. I'd agree that it shouldn't be used as a single factor, but a good second or third factor is desperately needed.
rahvin - Tuesday, June 7, 2016 - link
There is no biometric data that can't be gathered. They've demonstrated capturing retinal imprints with high resolution digital photography. Facial unlocks can be fooled by photographs. To read a palm vein print all they would need is a camera with the sensitivity to pick up blood vessels. There isn't a single biometric that you could come up with that someone else couldn't capture unless you locked yourself in a basement and never went anywhere. Every single biometric technology in use right now has been broken with often ridiculously simple capture methods.
NtAbs2000 - Tuesday, June 7, 2016 - link
Plus, Courts/Enforcements can get an order for you to give up your finger prints, but not a password!
tuxRoller - Thursday, June 2, 2016 - link
I guess you missed the part about it costing "well below $50". I'd imagine around $35, or so. Additionally, it's apparently small enough so you can leave it in the port. That's not so easily done with the K-Byte, judging from the pictures.
Lastly, hopefully, it's using a better sensing system. Perhaps something similar to Qualcomm's (which, btw, where the hell is that actually being used?).
satai - Thursday, June 2, 2016 - link
Linux compatibility?
Samus - Thursday, June 2, 2016 - link
My thoughts exactly. If this is going to gain traction in the enterprise it will need Linux (and likely, by inheritance, OSX) compatibility. Synaptics is usually ok with cross platform support though so I suspect it will be there.
This is a cool idea, but considering it is a USB device and not low level like a TPM means it really isn't much more than a password displacement device. Which means targeting the enterprise probably isn't going to be a huge priority.
ipkh - Thursday, June 2, 2016 - link
OSX isn't based on Linux. It used the BSD base system. The Mach kernel with custom Apple stuff. They went out of their way to avoid GPL.
satai - Thursday, June 2, 2016 - link
Anyway we can guess they provide their integrated TouchID sooner or later for their notebooks and keyboards.
rahvin - Thursday, June 2, 2016 - link
His comment was in reference to the fact that OSX is POSIX compliant and that devices that work on Linux are often very easy to get working on OSX.
Samus - Friday, June 3, 2016 - link
Precisely. Having a BSD-based kernel doesn't really affect driver porting. I've modified Linux drivers to work in OSX using Apple's IOKit. Check it out if you ever can't get a certain device like a barcode scanner or label printer to work (those are the two times I've found it handy.)
The software is another story, but my guess is the software layer of this thing would be pretty minimal as to try integrating it into the OS as much as possible to improve security.
Michael Bay - Thursday, June 2, 2016 - link
>enterprise
>loonix
The dream is alive, I see.
BrokenCrayons - Friday, June 3, 2016 - link
It looks like we've just found someone without enterprise IT experience of any sort.
trivor - Thursday, June 2, 2016 - link
Since when is Linux on the Desktop important to Enterprise and big Enterprise may not go with some off the shelf solution like this. This is for consumers and they will probably have some OS X compatibility but you never know about Linux drivers. In the consumer (not prosumer like most people on the web site) market Linux does not exist.
Samus - Friday, June 3, 2016 - link
Linux is used in a lot of commercial systems as turnkey solutions from video editing to render farms to various servers. Tons of thin clients in the enterprise sector run Linux. Having worked in Fortune 500 believe me, it's annoying as hell. Over the last few years, OSX has also gained traction (for some reason...yeah, aesthetics) even though half the time I see MacBooks running Windows, and the other half of the time every application in use is web based so the OS is really irrelevant. Citrix is still king in healthcare, too, and although the client end most often runs Windows, the server end is not Windows-based because if it was corporations would simply use Hyper-V. It's important to also point out the majority of VMWare servers are Linux-based.
Now I get I'm talking about servers here, which this little dongle isn't targeted at, but the initial login/authentication sequence for Thin PC's and Citrix sessions often involves .bash_login and .bash_profile before anything to do with Windows happens. This will require a Linux driver with secure kernel hooks to make this thing relevant.
But I won't argue with you, the target market for this thing is consumers. It's easy, if not very profitable, and security won't actually play a critical role since what most people will use it for is a password manager (which I suspect Synaptics will either build or parent with a 3rd party on.)
But there is demand for this thing in enterprise because I can't tell you how much people hate smart cards, USB dongles, and all of the other security products that often still require passwords (two factor authentication)
tuxRoller - Friday, June 3, 2016 - link
Although I know what you mean, this is also called a USB "dongle".
tuxRoller - Friday, June 3, 2016 - link
ChromeOS laptops sell very well, and not just to schools.
Regardless, maintain whatever narrative you wish.
JoeyJoJo123 - Thursday, June 2, 2016 - link
Cool! After I upload my fingerprint information to the web, what next?
Will they want a blood sample? Urine sample? Will they need a completely intact hair follicle to create a perfect clone of me?
Thanks, NSA!
Love,
Joey JoJo
JeffFlanagan - Thursday, June 2, 2016 - link
Someone with technical skills would understand that these things don't store or upload your fingerprint. They store some data on your fingerprint, but nothing like the police use.
You should post at Slashdot, where paranoia will get you modded up. They all think they're rebels evading the government we all elected as if it were a foreign entity.
Carmen00 - Thursday, June 2, 2016 - link
Yes, they store a hash of your fingerprint. Stealing the hash of someone's fingerprint WILL allow authorities to establish whether any particular fingerprint (which they already have) matches a particular hash. So if you're leading a life of crime, you probably don't want the authorities to get that.
Wolfpup - Thursday, June 2, 2016 - link
Is it only stored on the device though? And then what's passed to the OS, and why can't you just pass the "yeah, this checks out" signal to the OS without the device?
I'm not quite clear how you get the same level of security that iOS with an integrated reader + integrated separate CPU/storage to handle it on a PC where it's being added after the fact. (Which just means I don't get how that would work, not necessarily that it couldn't work.)
Also kind of wish these were just sold straight from the company (which is Apple really?) as that leaves at least one less company you have to trust.
sorten - Thursday, June 2, 2016 - link
"Yes, they store a hash of your fingerprint"
Actually, your fingerprint is used to unlock the authenticator on your device, which generates a public key that is sent to the website. The public key could never be used to reproduce your fingerprint.
Carmen00 - Friday, June 3, 2016 - link
A public key says nothing about identity unless it is paired with a known private key. You cannot generate a public key on the fly and make identity claims based on it. Instead, do you mean that a suitably-crafted identity token is sent from the authenticator? That would make much more sense.
In any event, all that we're talking about now is WHERE the fingerprint hash is stored, and the only thing that the location affects is the difficulty of obtaining the data. My point was simply that, assuming a hash is obtained (via legitimate or illegitimate means), it can be used to match an existing fingerprint in the absence of the fingerprint itself.
sorten - Friday, June 3, 2016 - link
Your fingerprint unlocks the authenticator. The authenticator generates public and private keys.
tuxRoller - Friday, June 3, 2016 - link
No.
sorten - Thursday, June 2, 2016 - link
You don't upload your fingerprint information to the web.
Mushkins - Thursday, June 2, 2016 - link
More marketing games. It's been proven time and time again just how easy it is to trick these cheapo laptop fingerprint scanners.
You have the laptop (which is *covered* in sample prints), all you need to get past your average $25-50 fingerprint reader is a piece of scotch tape and a decent size grape. It's not the encryption or the OS that is the weakest link with these scanners, it's the *scanner* itself.
Carmen00 - Thursday, June 2, 2016 - link
Exactly. There are plenty of academic studies that demonstrate just how insecure certain kinds of biometric identification can be. And they also demonstrate how trivial it is to bypass it. Unless you wear gloves 24/7, you have to ask yourself just how comfortable you are with leaving your "password" on a lot of surfaces throughout the day.
This isn't knocking all biometric identification. For example, the blood-vessel pattern on the back of my eyeball is fairly secure. But then again, I don't tend to leave that lying around everywhere.
PubFiction - Tuesday, June 7, 2016 - link
What's up with all the all or nothing people?
It is entirely possible that millions of people would love a finger print reader to login to comments sections like this one, forums, Amazon etc.... If your finger print is ever compromised you can just stop using it and go back to passwords. You can also happily choose to leave your bank or other very important information as a strong secure password. And even if your finger print is compromised you have 10 to choose from. I personally love finger print readers they save me a lot of time.
Solidstate89 - Thursday, June 2, 2016 - link
This is of course assuming it's using the same kind of cheap biometric scanner that the other models have used in the past, which I've seen no evidence of one way or the other.
tuxRoller - Friday, June 3, 2016 - link
It's easy to trick the Apple fingerprint sensor as well.
I'd be curious how hard it would be to trick the ultrasonic imaging that Qualcomm uses, though. That's, vaguely, similar to the sensors used at some secure facilities that map some of the venous structures, additionally.
romesh - Monday, June 13, 2016 - link
bring this on my wireless mouse..i'm sold
Coup27 - Thursday, June 2, 2016 - link
I'm pretty worried by the march of fingerprints to replace passwords. I certainly don't know enough about how it works and I am eager to correct this, but surely if a website which stored your fingerprint was hacked there's FA you can do about it all. At least a password can be changed and with password managers all the hassle of passwords is now taken away.
sorten - Thursday, June 2, 2016 - link
Your fingerprint is never sent to a website.
DanaGoyette - Thursday, June 2, 2016 - link
Back when they announced the ForcePad, they claimed they'd be releasing a standalone touchpad, but as far as I can tell, they never actually did. I wonder if this standalone fingerprint reader will likewise fail to ever actually become available?
(Speaking of the ForcePad, I tried one on the HP Elite 1011, and it sucked: the feedback is only in the OS audio, not via haptics; and in Linux, the touchpad wasn't detected as a touchpad.)
sorten - Thursday, June 2, 2016 - link
People are having a lot of trouble understanding how password-less auth works. You can read about it here: https://fidoalliance.org/specifications/overview/.
Basically you:
1) log in
2) using a FIDO authenticator, create a public/private key pair on the device.
3) send the public key to the website
4) private key is saved on the device
next visit:
1) site notices you're a returning user from a registered device
2) site sends a challenge
3) using the local device's authenticator, your device signs and returns the challenge
4) site uses the public key to validate the signed challenge.
So, your fingerprint is never stored. The public key on the site cannot be used to identify you. It can only be used to read signed challenges from your specific device. You have to register each device separately after logging in.
Please stop the fear mongering.
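Added example, not part of sorten's comment and not FIDO Alliance code: a simplified Node.js model of the registration and return-visit steps listed above. The `Authenticator` and `Website` classes, the `fingerprintOk` flag standing in for the reader's local match, and the `https://site.example` origin are all assumptions made for illustration; real FIDO messages carry more fields than a bare challenge.

```javascript
const crypto = require("node:crypto");

// The authenticator keeps one private key per site and never exports it.
// `fingerprintOk` stands in for the reader's local match (an assumption).
class Authenticator {
  constructor() {
    this.privateKeys = new Map(); // site origin -> private KeyObject
  }

  // Registration: create the key pair, keep the private half on the
  // device, hand back only the public half for the website.
  register(origin, fingerprintOk) {
    if (!fingerprintOk) throw new Error("user verification failed");
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
      namedCurve: "P-256",
    });
    this.privateKeys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" });
  }

  // Return visit: sign the site's challenge with the stored private key.
  sign(origin, challenge, fingerprintOk) {
    if (!fingerprintOk) throw new Error("user verification failed");
    const key = this.privateKeys.get(origin);
    if (!key) throw new Error("no credential registered for " + origin);
    return crypto.sign("sha256", challenge, key);
  }
}

// The website stores a public key per user and nothing biometric.
class Website {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge
  }

  enroll(user, publicKeyPem) {
    this.publicKeys.set(user, publicKeyPem);
  }

  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }

  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem) return false;
    return crypto.verify("sha256", challenge, pem, signature);
  }
}

function demoFidoFlow() {
  const site = new Website("https://site.example");
  const laptop = new Authenticator();
  site.enroll("alice", laptop.register(site.origin, true));

  // Normal return visit.
  const c1 = site.newChallenge("alice");
  const sig = laptop.sign(site.origin, c1, true);
  const firstLogin = site.verify("alice", sig);

  // A captured signature does not verify against a fresh challenge.
  site.newChallenge("alice");
  const replay = site.verify("alice", sig);

  // A second device has its own key, which the site has never seen.
  const phone = new Authenticator();
  phone.register(site.origin, true);
  const c2 = site.newChallenge("alice");
  const otherDevice = site.verify("alice", phone.sign(site.origin, c2, true));

  // Without a local fingerprint match the authenticator refuses to sign.
  let noFingerprint = null;
  try {
    laptop.sign(site.origin, site.newChallenge("alice"), false);
  } catch (e) {
    noFingerprint = e.message;
  }
  return { firstLogin, replay, otherDevice, noFingerprint };
}

console.log(demoFidoFlow());
```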
Carmen00 - Friday, June 3, 2016 - link
I note that this still relies on setting up a password first (because we assume that we have a logged-in, authenticated user). I approve!
The tricky words are "using the local device's authenticator". How exactly does the authenticator check that your fingerprint is the correct fingerprint? It must store a hash of the fingerprint to do so - there is no other way. Anyone who obtains the device, and who is able to extract the fingerprint hash, can now "uniquely" identify your fingerprint, if they should run across it at a later date. (If they're smart, what they probably want to do is extract the private key as well, if they can ... assuming that no key rotation takes place, anyway)
One nice thing is that this may (depending on the device) require some serious technical chops. Then again, challenges that require such skills tend to become automated over time - and that's why we have tiny, cheaply-available card-skimmers available for any thief to use today. Who can obtain the device? Co-workers, perhaps. Border security agencies, certainly. Maybe a nanny or au-pair.
By contrast, how do you get my password? You have to beat it out of me - I'm not going to just tell you what it is, and I don't leave it lying anywhere. Good authentication is multi-factor authentication (what you know [password], what you have [paired device], and what you are [biometric]). Moving to only ONE of these factors is less secure. What the industry should be pushing is NOT passwordless auth, it is n-factor auth.
BurntMyBacon - Friday, June 3, 2016 - link
@Carmen00: "How exactly does the authenticator check that your fingerprint is the correct fingerprint? It must store a hash of the fingerprint to do so - there is no other way."
There is another way, though I doubt they use it. When scanning your fingerprint, they could use the direct output of the algorithm as a "biometric" key for encrypting the private key. No need to store it at all. Rather than compare to a hash, it would simply try to decrypt the private key. If the decryption fails, you have the wrong biometric key. In this way, the biometric information is never stored. Assuming the scan algorithm is even uniquely reversible, you'd have to crack the encryption algorithm on the device to get your prints. There have been no successful attacks on the AES-256 algorithm last time I checked so it's up to the implementation. Even then, we know that they (Synaptics) only use a part of the biometric information in the first place, so the prints would not be complete and most likely unusable from a physical identification standpoint.
This approach would satisfy two factor authentication as the private key is unique to the device (something you have) and cannot be obtained until unlocking it via biometrics (something you are). In other words, even if you can acquire my fingerprints and can trick a reader into accepting the fake, it doesn't get you anywhere unless you are using the specific device that I setup.
Feel free to throw in a password for the trifecta. A cryptographically sound method of combining the scanner algorithm output and a strong password before using it as a key to decrypt the private key would certainly make reversing fingerprints an interesting endeavor without knowing the password. Even with the password, it is once again possible that information is lost in reversing the prints.
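Added example, not part of BurntMyBacon's comment and not how Synaptics or any named product works: a Node.js sketch of the scheme described above, where the scanner output (optionally combined with a password) is stretched into an AES-256-GCM key that wraps the device's private key. It assumes the scanner output is a bit-for-bit stable byte string, which real sensors do not produce from one scan to the next; the template bytes, passwords and function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Stretch the scanner output plus an optional password into a 256-bit key.
// Hashing the template first gives a fixed-length prefix, so the
// template/password boundary is unambiguous.
function deriveKey(template, password, salt) {
  const secret = Buffer.concat([
    crypto.createHash("sha256").update(template).digest(),
    Buffer.from(password, "utf8"),
  ]);
  return crypto.scryptSync(secret, salt, 32);
}

// Encrypt the private key. Only salt, IV, ciphertext and tag are kept;
// neither the template nor a hash of it is stored.
function wrapPrivateKey(privateKeyDer, template, password = "") {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(template, password, salt);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(privateKeyDer), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// "Rather than compare to a hash, it would simply try to decrypt":
// a wrong key fails the GCM tag check and yields null.
function unwrapPrivateKey(blob, template, password = "") {
  const key = deriveKey(template, password, blob.salt);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
  } catch {
    return null;
  }
}

function demoBiometricWrap() {
  const { privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
  });
  const der = privateKey.export({ type: "pkcs8", format: "der" });

  // Constructed stand-in for the scanner algorithm's output.
  const enrolled = Buffer.from("constructed-template-0123456789abcdef");
  // A later scan that differs from the enrolled one by a single bit.
  const rescan = Buffer.from(enrolled);
  rescan[0] ^= 1;

  const blob = wrapPrivateKey(der, enrolled, "correct horse");
  const good = unwrapPrivateKey(blob, enrolled, "correct horse");
  return {
    sameScan: good !== null && good.equals(der),
    oneBitOff: unwrapPrivateKey(blob, rescan, "correct horse") === null,
    wrongPassword: unwrapPrivateKey(blob, enrolled, "wrong") === null,
  };
}

console.log(demoBiometricWrap());
```

The `oneBitOff` result is the practical obstacle: any difference between two scans locks the key, which is why a direct-key design needs an error-tolerant step (a fuzzy extractor or secure sketch) ahead of the key derivation.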
Murloc - Friday, June 3, 2016 - link
the fingerprint is all over your laptop so it's something you have as well, and something the thief has if he has your laptop.
Still, this is irrelevant for anyone not doing super-secret stuff that can generate the interest of people with the resources to do this stuff.
What matters is that thieves cannot access your data if they steal your device, and that you don't have to remember a complicated password to access it every day.
Website accounts will always be hackable because people need to be able to log-in from internet cafés and such.
sorten - Friday, June 3, 2016 - link
In this case we're talking about 2FA. Your fingerprint and your device. Sure, 3FA would be more secure. If someone has stolen your device and your device can be unlocked with your fingerprint and your authenticator can be unlocked with your fingerprint then you're in trouble. Hopefully you're aware that you've lost your device in a relatively short period of time and have locked it remotely.
ClioCreslind - Saturday, June 4, 2016 - link
Synaptics, please let this work as a trackpoint for the 99.9% of time when it's not required to read fingerprints.
LuxZg - Tuesday, June 7, 2016 - link
Inexpensive? Then it should be well below 10$!! No news here...