» ‘Fingerprints are Usernames, not Passwords’

Dustin Kirkland:

I could see some value, perhaps, in a tablet that I share with my wife, where each of us has our own accounts, with independent configurations, apps, and settings. We could each conveniently identify ourselves by our fingerprint. But biometrics cannot, and absolutely must not, be used to authenticate an identity. For authentication, you need a password or passphrase. Something that can be independently chosen, changed, and rotated.

From a security perspective, he’s absolutely right. If I were designing a corporate security policy, I would not allow TouchID to be used to secure sensitive information (which is why I’ve been kind of surprised to read how TouchID is supposedly a boon for the iPhone in the enterprise).

From a consumer perspective, however, this genie is already out of the bottle. Fortunately, as loose as it is, it’s more secure than what was being used before.

I think his perspective on how private your fingerprints are (“not private at all”) is interesting. Speaking personally, having once had a security clearance and having adopted a child, the government’s already got more copies of my fingerprints than they know what to do with.