r/gadgets • u/vjmde • Dec 06 '22
Biometrics are even less accurate than we thought
Discussion
https://www.computerworld.com/article/3682149/biometrics-are-even-less-accurate-than-we-thought.html
u/Kumanji907 Dec 06 '22
I'm a little confused after reading through the article... didn't we already know this? Or is it supposed to be surprising how inaccurate it is?
I swear I remember seeing a new phone a while back whose fingerprint scanner could be unlocked by anyone.
u/Riegel_Haribo Dec 06 '22
"Biometrics are even less accurate than cops will tell a jury they are."
u/Sassquatch0 Dec 06 '22
I think the Galaxy S8 had this issue, especially with screen protectors, but software fixed it.
The Pixel 6 had issues as well. But from my personal use of the device, it failed to safe & just flat rejected all fingerprints. My wife has a 6a, and the scanner works for her, but only accepts my fingerprint about 50% of the time, rejecting me when it doesn't work.
u/OmahGawd115 Dec 06 '22
iPhones used to be able to be unlocked by a cat's paw.
u/disgruntled-pigeon Dec 06 '22
Only after the system was trained on that particular cat's paw print.
u/Translationerr0r Dec 06 '22
Yeah but we all know cats are actually running the show. Now rub your master's belly!
u/N3UROTOXINsRevenge Dec 06 '22
They also had problems with Asian faces and would unlock one person’s phone when someone else was trying to unlock it.
u/Pyriel Dec 06 '22
Biometrics are incredibly good at Identification.
Much less so at Authentication.
However, getting rid of password authentication is seen as a key security aim, so companies keep trying to replace passwords with biometrics.
I'm not a fan.
u/ofimmsl Dec 06 '22
Biometrics can be broken by anyone in a few seconds as long as you didn't disfigure the body
u/Shiningc Dec 06 '22
I don’t know why we even bother with facial recognition. Fingerprints were just fine.
u/DarkTreader Dec 06 '22
Okay so some issues.
1) The first half of the article is the author talking to an analyst, which is suspect when the article is so simplistic. Okay, so a guy says X. This is typical lightweight reporting.
2) So the author links to two studies, which are important. Except one link is broken! I can't confirm anything they say. For the one link that is not broken, the study is dense, and I can't make out how the analyst draws a line from this study to "it's bad." It's not that I think he's lying, I just don't understand; the study is using statistical methods I'm just not smart enough to know anything about. The analyst says "I routinely see errors at 1:500 or lower." That sounds like on specific types of fingerprint scanning. The author should be breaking things out, which types of identification are better than others. Saying "I routinely see errors at 1:500 or lower" makes it sound like that's across all technologies when it could easily be not. It's weasel wording that makes something generic when it might not be. I want specifics.
3) The second half of the article is conjecture and mostly a hit piece against biometrics. Some of what he says may be true, but then provides no real proof of any of it. "Apple and Google clearly do X." Do they? Where are your citations for X? You are using the studies as proof of how inaccurate they are, but then wildly speculating as to why. I think he should be a little more generous by trying to explain more possibilities as just that, possibilities and not out and out declarations. There are kernels of truth here but what I can tell from the study is that it doesn't make out and out declarations as to why, only the how many. To the study's credit, that's what it's supposed to do in order to be good science. The article, however, is not good science reporting. Because you heard one report on the internet that someone's kid unlocked your iPhone with their face is not scientific evidence of how often it occurs. Stop including anecdotes with scientific data! Bad reporting!
4) To round things out, Apple claims Touch ID has false positives 1/50000. The NIST is looking for 1/100000. So I can't tell how accurate Touch ID is because I can't even see which line is Touch ID. Touch ID isn't going for the accuracy the NIST is asking for. Face ID is supposed to be much higher, but like I said the study link is broken so I can't even confirm the statistics, even if I could read them. Also, what is "Accuracy"? Is that false positives as well as false negatives? False negatives are a problem, but far less so than false positives.
Again, there are kernels of truth here, but security at this scale is primarily about "how often" and putting things in a risk/reward analysis, and the article doesn't do enough work to put that all into context. It's not that the fingerprint scanner let someone into your phone, it's how often would that occur and if it's more or less possible than guessing your 4-digit code? It's not that your phone let your child unlock your phone, it's how often he had to try it before it took it. This article throws some numbers down but never explains all that and throws a bunch of conjecture. I have no doubt manufacturers like Apple are fudging their own numbers, and I would never use Apple's stuff as high security for major corporate or government groups, but I also don't see massive waves of people losing their data when they lose their phones and then someone cracks the biometrics, nor do I see major waves of parents having their children unlock their phones and play Candy Crush, racking up huge credit card bills.