September 23, 2015 11:30 am PDT

Why biometrics suck, the Office of Personnel Management edition

The nation-state hackers who stole 5.6 million+ records of US government employees (cough China cough) also took 5.6 million+ fingerprints. But it's no problem: those people can just get new fingerprints and revoke their old ones, right?

Oh, shit.

Biometrics are things that you can't recall, can't change, and that, by definition, are not secret. Authentication tokens are things that you can change, recall and keep secret.

"The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology. "I'm surprised they didn't have structures in place to determine the number of fingerprints compromised earlier during the investigation."

Lawmakers, too, were upset about the latest revelation. "OPM keeps getting it wrong," said Rep. Jason Chaffetz (R-Utah). "I have zero confidence in OPM's competence and ability to manage this crisis."

As fingerprints increasingly replace passwords as a day-to-day security measure for unlocking your iPhone or even your home, security experts have grown concerned about how hackers might leverage them.

OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought [Andrea Peterson/Washington Post]

(Image: Fingerprint, Saurabh R. Patil, CC-BY-SA)


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/ZmSnfpG6toA/why-biometrics-suck-the-offic.html
