
Topic: How secured is fingerprint lock on wallet? (Read 475 times)

legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
April 04, 2022, 11:53:31 AM
#45
But the problem with a hardware key is that it can also be stolen with the mobile device.
Hardware wallets are not mobile phones, they contain the keys used to hold coins. Although, the most important is your seed phrase (+passphrase if included) which can be used to regenerate your keys and addresses. Hardware wallets are portable and can be carried about, but this is not advisable.

They can steal the suitcase, where you have your documents, smartphone, keys, and even the hardware key.
Have your hardware wallet in the best possible place you think it is safe (not inside safe or places that can be easily noticed by thieves). Like I implied above, the most important is your seed phrase (+passphrase if included).

One thing you have to be aware of, when you physically steal equipment, a good part of the security we have in them can be compromised.
All care is little.

When something like that happens, we should change passwords and pins as soon as possible, and if in accounts and applications where possible, log off remotely.
If your hardware wallet is compromised, best to send your coins to another address generated by another offline wallet. An offline wallet like paper wallet can be created immediately and send your coins to an address or addresses generated by the paper wallet and later buy another hardware wallet.

It is advisable to use passphrase with hardware like Trezor, because even if the seed phrase is revealed to the offline attackers, the attacker will still not be able to compromise the wallet because different keys and addresses are generated due to the passphrase added to it. Adding passphrase is another protection, but it is needed along with seed phrase during recovery.
legendary
Activity: 1722
Merit: 4711
**In BTC since 2013**
If you want more secure than passwords or codes, then a hardware key is the way to go.

I agree with you.

But the problem with a hardware key is that it can also be stolen with the mobile device.
They can steal the suitcase, where you have your documents, smartphone, keys, and even the hardware key.

One thing you have to be aware of, when you physically steal equipment, a good part of the security we have in them can be compromised.
All care is little.

When something like that happens, we should change passwords and pins as soon as possible, and if in accounts and applications where possible, log off remotely.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
We should start thinking about ways to increase the security of access to accounts, but that this is also done in a simple and secure way.
Is this something possible?
They are all very useful, only sim authentication, email authentication, fingerprint and face scanner are not recommendable. Pin and password for attackers not to be able to have access to your account, 2FA authenticator as an extra layer of protection in case your account login details have been compromised but 2FA OTP required to withdraw. Even 2FA OTP would most likely be demanded for if an attacker wants to login with another IP address and/or another device.

More secure still is 2FA using a hardware token, such as a YubiKey. To compromise your account an attacker would need to be able to steal or brute force your password, as well as be able to physically steal your hardware key. This is exponentially more difficult than simply gaining access to an email account. Even in most cases, new 2FA would be demanded for if a new device wants to sign in.
Yes, no internet access or other connection, it is actually one of the safest.

The security features of Yubikey are far more beneficial than regular TOTP and 2FA on mails and SMS
Sim and email authentication are not even safe but 2FA using open source apps like Aegis on airgapped device is also safe. Just that using Yubikey can be safe for newbies that are not savvy enough to set up 2FA appropriately.

---snipped---
People should look towards the disadvantage especially if wallet apps can also be accessed using only fingerprint without pattern, pin or password required. Some of the wallet offline hack these days could be as a result of fingerprint. Most people just set it up without thinking about its disadvantages.
legendary
Activity: 1288
Merit: 1081
Goodnight, o_e_l_e_o 🌹
If I use a fingerprint lock on my crypto wallet will this add more security to my wallet and recovery seed or just security over avoiding someone to see my wallet balance via operating my phone?
Using a fingerprint lock does not add extra security to your seed phrase or wallet, but it reduces the security and safety of your mobile device and wallet. Example is when you are sleeping, only your finger is needed to unlock your mobile device if you enable fingerprint lock, this will be able to bypass the password or pin, someone can use this opportunity to compromise your device and wallet when you are sleeping. In case of many other attacks, only your fingerprint would be needed to unlock your device.

With this, I will advise you to just use only password or pin which protect your mobile device than fingerprint because once a fingerprint is enabled, your password or pin can be bypassed in most cases. Fingerprint is easy to use but does not add to security and reduce the security of your device.
You narrated the disadvantages of the fingerprint which is correct. But there are underlying advantages you overlooked. Yes! It is true that fingerprint does not in any way secure the seed phrases but fingerprint adds another layer of security and also does these two things below:
1. Some people's memories fail them faster and often, with fingerprint you will beat that challenge. Like my blockchain and trust wallet pins are more than 4 digits, I can't remember them anymore. But I wrote them down somewhere safe, but I have always been accessing them with my fingerprint.
2. Again, I might be with my friends or relatives and would want to access my wallet, I wouldn't be hiding to input my password or pin. I'll just use my fingerprint.
These are some of the advantages of fingerprint
legendary
Activity: 1974
Merit: 2124
If you consider something like SMS or email 2FA, then such things are very insecure. Often people access these on the same device they are using to log in to the account in question (a phone). Often if one of these things is compromised, then both factors can be compromised, meaning it is not really 2FA at all. An example is an attacker gaining access to your email account; they can now send a password reset email and receive your 2FA code via email, rendering email 2FA useless.
Exactly most of the people have the apps and 2FA security on same device. The device going in wrong hands is usually risky because the 2FA code is with them, if you have some OTP based system then sim card is there and most of them have the exact mail being used in logging in to some apps which is being used in their app store or already logged in mobile. So the risk is at full level. I would recommend using proton mail for security purposes but don't forget password about them. The best is secure your device at the first stage.

2FA using a TOTP generated from a separate device (even better if this device is airgapped) is far more secure.
Although it also has certain limitations but still better than SMS security and as you said on different devices with airgapped system.

More secure still is 2FA using a hardware token, such as a YubiKey. To compromise your account an attacker would need to be able to steal or brute force your password, as well as be able to physically steal your hardware key. This is exponentially more difficult than simply gaining access to an email account.

If you want more secure than passwords or codes, then a hardware key is the way to go.
That's the best thing you could use as authentication and save yourself from phishing attacks because if you are using hardware devices as security purposes the risk factors already reduced unless someone gains access to your keys in real life. But you should create backup codes also in case you have lost but it should be offline.

The security features of Yubikey are far more beneficial than regular TOTP and 2FA on mails and SMS as you could have long codes setup and no need to manually type the code as you just have to press the button on the device to login. Every yubikey is also unique so you don't need to worry about it. But it should be remembered there are risk if we are careless.

The security can be compromised on our end but we should always focus on maximising it because once fund lost it's impossible to get them back. We need to be updated with the latest technology to some possible extent we can.
legendary
Activity: 2268
Merit: 18711
These factors, which you mentioned, show that although 2FA is a good security system, it is not the most practical and the best.
Not all 2FA is created equally.

If you consider something like SMS or email 2FA, then such things are very insecure. Often people access these on the same device they are using to log in to the account in question (a phone). Often if one of these things is compromised, then both factors can be compromised, meaning it is not really 2FA at all. An example is an attacker gaining access to your email account; they can now send a password reset email and receive your 2FA code via email, rendering email 2FA useless.

2FA using a TOTP generated from a separate device (even better if this device is airgapped) is far more secure.

More secure still is 2FA using a hardware token, such as a YubiKey. To compromise your account an attacker would need to be able to steal or brute force your password, as well as be able to physically steal your hardware key. This is exponentially more difficult than simply gaining access to an email account.

If you want more secure than passwords or codes, then a hardware key is the way to go.
legendary
Activity: 1722
Merit: 4711
**In BTC since 2013**
Here is the problem with 2-factor authentication that you mentioned. Many people don't use it as such. 2FA is only effective if the device you receive your codes on is separate from the device you use when you are logging in to a site or service. For example, if you log in to an exchange via your PC, your mobile phone can be a 2FA device. But if you are using your phone to access your exchange account and that same phone stores your 2FA codes, that's not a proper use of the second factor. You need a secondary phone for your 2FA codes. That way, both devices need to be compromised for someone to hijack your 2FA-protected accounts. Accessing everything from one device is a 1-factor+ authentication system.

These factors, which you mentioned, show that although 2FA is a good security system, it is not the most practical and the best.

I think you have to start thinking about ways to access accounts, better than passwords, codes, 2FA, etc, since they are increasingly outdated methods and require users to access platforms more and more complicated/difficult.

We should start thinking about ways to increase the security of access to accounts, but that this is also done in a simple and secure way.
Is this something possible?
legendary
Activity: 2730
Merit: 7065
It does add an extra layer of protection on your part. Think of it as like a 2-factor authenticator; before you can log-in with your account, it asks for more information and authenticator by inputting the code sent to your phone/email.
Here is the problem with 2-factor authentication that you mentioned. Many people don't use it as such. 2FA is only effective if the device you receive your codes on is separate from the device you use when you are logging in to a site or service. For example, if you log in to an exchange via your PC, your mobile phone can be a 2FA device. But if you are using your phone to access your exchange account and that same phone stores your 2FA codes, that's not a proper use of the second factor. You need a secondary phone for your 2FA codes. That way, both devices need to be compromised for someone to hijack your 2FA-protected accounts. Accessing everything from one device is a 1-factor+ authentication system.
legendary
Activity: 1624
Merit: 1200
Gamble responsibly
suggest you go retro and use a pin and password to have full control of your wallet at all times, even when you're asleep.
That is true, it is better to use a password instead, using fingerprint is not safe like using password, but the security is not about control. If you are talking about control, what about people that are using custodial wallet, no matter how their device security is, they are using a centralized wallet and do not have full control. Having on password is just about security.
newbie
Activity: 18
Merit: 0
It is better to be safe than sorry. Adding a layer to your security only protects you from further risk since there are many fraudsters or scams out there, you can never fully trust anything. I suggest you go retro and use a pin and password to have full control of your wallet at all times, even when you're asleep.
hero member
Activity: 952
Merit: 555
If I use a fingerprint lock on my crypto wallet will this add more security to my wallet and recovery seed or just security over avoiding someone to see my wallet balance via operating my phone?

This can only add more to the security of your wallet if you are using a 2fa verification, meaning that it will require your fingerprint first to access inputting the password, but I will advise you to always have two security measures to log into your wallet, things can be wrong with your hand or scanner at times and the mobile as well can develop fault with time, but having a 2fa verification will guarantee maximum protection to your wallet.
hero member
Activity: 2268
Merit: 789
If I use a fingerprint lock on my crypto wallet will this add more security to my wallet and recovery seed or just security over avoiding someone to see my wallet balance via operating my phone?

It does add an extra layer of protection on your part. Think of it as like a 2-factor authenticator; before you can log-in with your account, it asks for more information and authenticator by inputting the code sent to your phone/email.

Like what Rikaflip also mentioned, it is also a matter of convenience on your end where you get to see your BTC wallet balance on your account. The best way of getting protected is still not spilling your private keys in your wallet except to one trusted member of your family to add a layer of contingency in the event that some unfortunate event happens.
member
Activity: 405
Merit: 19
Fingerprint locks on mobile phone will keep people away from operating your phone at your back but mind you it has nothing to do with keeping your recovery seed or private key safe.
hero member
Activity: 2366
Merit: 793
Bitcoin = Financial freedom
If I use a fingerprint lock on my crypto wallet will this add more security to my wallet and recovery seed or just security over avoiding someone to see my wallet balance via operating my phone?
In my opinion biometric security is less secure compared to the random long password because someone can force you to out fingerprint but getting password out of your head is almost impossible unless you tell them. But no matter what kind of password either it's random characters or fingerprint you have to be careful if you hold millions worth of cryptocurrencies there.
legendary
Activity: 2492
Merit: 1215
Everyone saw in movies how it is easy to create a copy of a fingerprint with just an adhesive tape. With a use of 3d printer, I think it is possible to create a copy of person's finger.

Fingerprint protection is not insured against cases, when a person loses finger, or fingerprint becomes unreadable. It can be burned by acid, or you can get multiple skin cuts and you would have to wait days or weeks before recovery. I would not take such risk.

Not everything is as simple as it appears in the movies.


I know, but this is the first step to start trying to trick recognition system and sensors. If we already think about several ideas how to bypass such security, and DroomieChikito even tried some of the tricks, then people with resources can achieve more. I think that if security system has already weak points during discussion period, then it is no use using it, as criminals creative mind will find a way to bypass it.
hero member
Activity: 994
Merit: 744
If I use a fingerprint lock on my crypto wallet will this add more security to my wallet and recovery seed or just security over avoiding someone to see my wallet balance via operating my phone?

It's a form of adding extra security to your wallet, meaning you are trying to avoid everyone from seeing your wallet balance. Wallets like trust wallet, phone fingerprints is not enough for security because supposing you add your private key to the Trust wallet, once someone is able to access your top security on the Trust wallet, he or she can have access to your private key, which is not safe.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
I watched on youtube, That HW is replaced the PIN Function with a fingerprint. That's good progress I think. I hope when fingerprints not functioning properly, they have a backed manual PIN.
Although, not a new technology but yes, it is a good progress to many people, but not to people that are conscious about security, because such people will decide not to use it as it makes their hardware not to be secure at all. Going for only pin would be the better way.

That is the point, I still don't believe all the tricks done by the movie. I ever try what the movie did, I tried to duplicate my fingerprint using silicone, but it didn't work when trying on my phone. It also depends, on when the all-important thing is inside, I think the user will keep his finger safe from burning.
There are a lot that still happening in movies, like plucking someone's eyes for eyes recognition and also plucking someone's finger for fingerprint recognition. These two can work out. Yet best to go for Pin, password or pattern.

The easier it becomes the lesser the security.
legendary
Activity: 1722
Merit: 5937
I don't know why too many people didn't believe the fingerprint technology, it has been widely applied in all aspects and security, If that technology is not safe, no one is developing it anymore. It's the same as a PIN or Password, it also depends on how much care you protect.
I don't think that it's the same as a PIN or password protection. While you can make it much harder or almost impossible for thieves to penetrate your phone/wallet by using a proper password, you can't do anything about your fingerprint. Phone scans it and that's about it, there's no way for you to make it more sophisticated and there lies the problem.

In crypto wallets, the fingerprint function is only to provide speed for transactions carried out without having to manually use a PIN
That's not necessarily true. For example, if you enable biometrics in some mobile phone wallets like Blockchain, it automatically offers it as a way to log in to the wallet, meaning you just made it less secure.
legendary
Activity: 1722
Merit: 4711
**In BTC since 2013**
Actually, you don't even need special tape at all. A simple phone camera and a 3D printer were enough to create a working fingerprint replica simply from a photo of a fingerprint which could fool even ultrasonic scanners, and all in <15 minutes: https://imgur.com/gallery/8aGqsSu

I don't know about you, but I don't fancy having my phone or my wallets secured by something which can be reliably broken in 15 minutes. I'll stick to my long and complex passwords which will take several millennia to brute force, thanks.

What I'm saying is that for this whole process, it's necessary to steal the phone and fingerprint. This demonstration was done under ideal conditions. Of course it does. And don't forget that the system used in most smartphones is far from the best fingerprint technology.

Either way, I'm not saying fingerprints are more secure than PINs or passwords.

In addition, even the latest technology can unlock phones, if you have access to the hardware. No matter what security system you use, if the criminal has access to the hardware, he may be able to access your data if he has the right tools.

The warning I give is that the person consciously uses the technology at his disposal.
legendary
Activity: 2730
Merit: 7065
A more worrying thing to me is not that someone can steal my crypto by unlocking my phone while I am asleep, but who could get access to those fingerprints if they were leaked. Smartphones are apparently not storing biometric data in some centralized servers somewhere in the world. It's said that the fingerprints get encrypted and stored locally on your phone. But who can verify and trust that information just because they claim that is the truth?

Smartphones look like the perfect honeypots to gather fingerprint info on millions of users worldwide. Not only that, but we give phone apps the permissions to access storage, data, and other things. Who knows what data Google, Facebook, and other companies are acquiring from our phones!?