It was too good to be true. A fingerprint sensor will be the authentication method of choice for Block’s hardware wallet. The company revealed new details in the March update of their newsletter, and some of them weren’t well received by the community. Besides the fingerprint sensor, the lack of a screen was also a cause of concern.
A couple of weeks ago, Bitcoinist was excited about Block’s bitcoin hardware wallet project. In that article, we said:
“According to the Block/ Square team’s mailing list, “our aim is to bring simple self-custody to a global audience.” Simple words for an extremely ambitious goal. However, Nick Slaney seems confident that the company will pull it off. “If we do our job the way I think we’re going to, explaining seed phrases to your dad is going to be a thing of the past.”
And it all sounded so good. Until the company revealed what the authentication method would be.
What Do We Know About The Fingerprint Sensor?
The company’s reasoning sounds solid, “we want our customers to be able to unlock their wallets securely, but with ease.” They are trying to build a product for the common man, and seed phrases and the risk they entail seem to be too much for the general population.
“We believe PINs, passwords, and seed phrases are confusing and often not secure given the workarounds normal people have to create given all the friction. This compounds when the need for those passwords are more rare.”
Ok, that sounds good. But then, they drop the bomb:
“To achieve seamless authentication in practice, we plan to incorporate a fingerprint sensor into the wallet hardware. Every authentication technology comes with tradeoffs. We’re excited about the security against theft or misuse that this will provide, the peace of mind that will come from not needing to remember yet another PIN, and the ease of placing a finger on the sensor rather than manipulating tiny, failure-prone buttons on a difficult-to-read screen.”
.@jack what the actual fuck are you thinking? https://t.co/CXiCvqVDHN
— Delete LND, Use C-Lightning (@brian_trollz) March 11, 2022
Wow, did they have to throw screens under the bus? Those serve a crucial purpose in bitcoin hardware wallets, but we’ll get to that. Let’s focus on the fingerprint sensor for now. Is that one a safe, tried-and-true security method? Aren’t there serious known drawbacks to biometric authentication? They do talk about tradeoffs, but, aren’t there too many risks associated with the fingerprint sensor method?
BTC price chart for 03/12/2022 on Coinbase | Source: BTC/USD on TradingView.com
Sensitive Data And Other Access Methods
What about the honey pot of personal information that the fingerprint database will create? Well, thankfully, we won’t have to worry about that because the data will never leave the device:
“As we build the product, we’ll evaluate additional access methods that customers could opt into. And of course, fingerprint sensor data will never leave the hardware device. But don’t take our word for it – listen to the independent community that will be able to inspect and verify our source code.”
The “additional access methods that customers could opt into” is also a good sign. And remember, the main characteristic of this particular project is that they’ll take advice from the community. And when they revealed the fingerprint sensor, a lot of advice must have come in.
We've just posted our newest update about the bitcoin wallet we're building. We're including a fingerprint sensor, and not planning to include a display. Read more here and tell us what you think! https://t.co/DyUNg0bOup
— Max Guise (@max_guise) March 11, 2022
Known Fingerprint Sensor’s Drawbacks
Security experts IFSEC Global identified four giant weaknesses of biometric authentication:
- “Biometric authentication details cannot be invalidated remotely if something goes wrong.”
- “The scourge of ‘MasterPrints’ fooling popular smart devices.”
- “Biometrics are immutable.” (that means, if another person gets a replica of your biometrics, there is nothing you can do)
- “Software flaws.”
It's not only hackers that reproduce fingerprints. Law enforcement has been doing it for many years now. Consider this a friendly reminder to disable biometric unlocks when traveling.https://t.co/rvKjR77C2n
— HONK HONK GG ⚡? (@dergigi) June 16, 2021
They also pointed out three known hack vectors:
- “Creating a phony fingerprint.”
- “Manipulating an iris scanner.”
- “Compromising the device and extracting biometric data.”
For extra details and explanations on each of those points, visit the original article.
What other details about the future hardware wallet did Block reveal?
- “We recently chose to use a rechargeable lithium polymer battery and USB-C port to power the device.”
- “Focusing on the mobile application as the primary interface will provide a more accessible, safer, and less expensive wallet.”
- “We plan to build the hardware without a display.”
The lack of a screen was also heavily criticized over at Twitter. People feel that a way to double-check the transaction details is crucial for final settlement operations. Are they on to something? Or is Block’s approach the right one? Will the common man double-check transaction details? Can he or she afford not to?
In any case, that’s what we know so far. Keep your eye on Bitcoinist for this novel product’s further developments.
Featured Image by Allef Vinicius on Unsplash | Charts by TradingView
