People Mastodon

384 readers

256 users here now

People tooting stuff. We allow toots from anyone and are platform agnostic (Mastodon, BlueSky, Twitter, Tumblr, FaceBook, Whatever)

founded 5 months ago

MODERATORS

Deceptichum@quokk.au

481

get facial surgery (infosec.pub)

submitted 1 month ago by Deceptichum@quokk.au to c/peoplemastodon@quokk.au

23 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Maxxie@piefed.blahaj.zone 2 points 1 month ago* (last edited 1 month ago) (7 children)

That's correct, no sane implementation of biometrics stores your actual data. Its hashed when you log in to compare with the stored hash, then deleted.

It can leak if the server is compromised or misconfigured, so it is still worse than a password.

[–] Nomad 1 points 1 month ago (2 children)

So right and so wrong at the same time. A hash loses be by definition information. So you can compare it to a fingerprint and decide if it matches. It can't be used to reconstruct a fingerprint due to complexity of fingerprints and the complexity. So you can't reuse the hash to authenticate anywhere, so stealing it has only reduced benefit. Maybe a mass surveillance state might want that to find your finger prints where you have been but this is a lot more work than just confirming your phone identifier and forcing the cell company to reveal you whereabouts.

[–] Maxxie@piefed.blahaj.zone 2 points 1 month ago* (last edited 1 month ago) (1 children)

which part was wrong?

Because the hashing happens server-side, it still has access to the original data. Which is why I said

It can leak if the server is compromised or misconfigured

[–] Nomad 1 points 1 month ago

The hash for a password is not that secret. For a strong password it can't be used for anything bad really.

load more comments (4 replies)