Bitcoin Forum

Is there any biometric wallet (i am not talking about simple FaceID or TouchID login usage) for crypto wallets?

I have been looking but not found any good solutions.

Anyone?

Not sure. But the concept is nice :-D

Imagine a wallet that will ask to scan your retina before broadcasting a transaction :-P

Now, wouldn't it be easier to steal your coins? One only need your retina to rob your coins /s

Do you mean generating and backing up a wallet using, for example, a single fingerprint? There are no such wallets and they would be extremely insecure anyway. It would be fairly easy to force you to restore your wallet.


Samsung Galaxy S8 and S9 have a retina scanner. Blockstream Green Wallet (https://play.google.com/store/apps/details?id=com.greenaddress.greenbits_android_wallet&hl=pl) supports such a way of unlocking a wallet.

I've read on reddit (https://www.reddit.com/r/Bitcoin/comments/6uf69b/bitcoin_wallet_for_android_that_supports/dlsklj2/) that Mycelium should have fingerprint support on iOS.
And on Android.. well.. a later post there makes sense: the device is already encrypted - whether with your passphrase or fingerprint or whatever...

Talk about getting robbed "blind"! :o :o :o

https://talkimg.com/images/2023/11/15/z7Ja3.jpeg

Well, you cannot read info from the IOS or Android touchID of faceID as the system blocks you from accessing the data... You can only get a confirmation that
the finger is used to unlock the phone, but would not be able to generate the code on the fly

Exactly :-P


All jokes aside, this was the whole point.

I imagine retinal scanning is bad for long term storage (does it use blood vessel arrangements)?

I wouldn't mine my private keys being generated by dna, but that'd have to come from blood for it to be fairly accurate...

Finger prints and faceid aren't very good and neither are pins for security reasons... I don't know if scanning every finger ever becomes possible then that would be well secured but the issue with biometric scanning is that your data probably won't be encrypted as it can't encrypt them if it's using a pattern matching algorithm.

The way blockchain is designed, what matters is only the private key.

A retina or finger print or whatever would just be a second layer of security, which wouldn't do much if the stealer has the private keys.

Correct, and there are various pathological process which can either alter your retinal vasculature, or prevent the machine from properly scanning your retinas.

DNA can be accurately sequenced from pretty much any cell, which is why using it is a bad idea. We all shed hair and skin cells constantly. An attacker would only need to take a swab from something relatively clean that you've recently touched (like a disposable coffee cup or food wrapper) to have a fairly high chance of being able to sequence your DNA.

Face and iris scanning have been spoofed with pictures before. Fingerprints can be lifted from anything you've touched.

Biometrics really aren't all that secure.

   It depends on the Biometric used. Fingerprints are not that secure because a person leaves those everywhere. I'm sure someone can lift a fingerprint and create something that can fool a scanner. DNA is really not that secure either, since a person leaves traces of their DNA everywhere they go. Facial recognition is not secure either, since someone can easily capture your image, and use that to fool a scanner. I suppose a retinal scan can be pretty secure. It is somewhat difficult for a person to get a copy of that. It's not impossible though.
   Naturally, as you imply, all biometric security is overridden by the five dollar wrench attack. Since a person only has one set of biometrics, they can't even set up a dummy wallet, effectively. I suppose someone could use a different finger/thumb print to set up ten wallets. However, a smart criminal will simply have you try all ten fingerprints.

Well, even a retina scanner can be easily fooled if you take a photo of a victim with a proper camera (infrared night vision setting needs to be turned on). That's how Samsung security can be bypassed (https://www.bbc.com/news/technology-40012990).

Thank for pointing that out. Therefore, I would not use a BTC wallet that is secured by biometrics. I do not plan on wearing some kind of suit and mask that prevents my biometric data from being copied.

I would never use a fingerprint as a way to secure my crypto holdings.
The quality of your print can change as years go by. A close family member of mine had difficulties getting a new ID because more than 80% of the quality of the fingerprint was lost. He works with hot water which is probably the reason his prints are almost gone. Securing your assets that way could mean trouble someway down the road.

It is very easy to duplicate fingerprint in gelatin or some similar material and make a 'backup'
but then again same can be used by hackers, so I also don't think fingerprint alone is bets for securing crypto wallet.

Please read this article of data leak that exposed biometrics of over 1 million people!
https://www.technologyreview.com/f/614163/data-leak-exposes-unchangeable-biometric-data-of-over-1-million-people/?utm_medium=tr_social&utm_campaign=site_visitor.unpaid.engagement&utm_source=Facebook#Echobox=1565802376

I am using Edge wallet, which provides password + TouchID security for currency i want to carry around.  this is not how i'd carry the bulk of my savings, but for me it is an optimal security/convenience compromise for everyday amounts.

I rely on TouchID becuase the biometric data is stored on the secure enclave chip on the iphone.  This is also secure enough for most of my everyday activities.  However, i never got a FaceID phone and i'm in no rush to upgrade, so i understand the aversion to this technology at least.

Well, you could hack a trezor or fake an electrum update, so WHY is this idea so much worse?

Because to lose my funds via Electrum I would need to download a fake wallet, forget to verify it, install and use it without doing any due diligence. I'm not that stupid. To lose my funds via a hardware wallet I would need to stop using a passphrase, again use some fake software or maybe let someone else gain physical access to my device, give away my PIN or seed, or something similar. I'm not that stupid.

To lose my funds via a biometric wallet, an attacker only needs a photo of my face or anything I've touched, from a hand rail to a door handle to a bottle of juice. Unless you plan on wearing gloves and a full face covering 24/7, biometrics are far more easily hackable.

How would you do this ?
Circumventing fingerprint security measurements is relatively easy and it has been mentioned how it can be done.

So.. how would you hack a trezor ?




How would you fake the signature ?
I mean.. people who don't verify the signature are at risk.. yes. But that's not how you update electrum. You always have to verify the pgp signature.

So.. how would you do this ?




Because there are easy attack vectors and risk of losing access (all has been mentioned in this thread already).

If you can argue against electrum updates or trezor being hackable the same way with the same level of complexity (very low), then it is not much better.
But as long as you can't, both are definitely better than a fingerprint secured wallet.

What will happen if user lost his finger in case or he become blind by any accident? If there there is any wallet based on fingerprints or retina then a user might lose his fund. So I am not much interested about this mathode. Perhaps it might be added any wallet as a extra security but there should be recovery options if incase happen any accident. So no one will lost his funds.

Presumably the user would be able to recover their funds by importing their seed in to another wallet. If a wallet does not give a seed when you set it up, then you shouldn't be using it.

Don't get me wrong, I still think biometrics are a horrible method of securing your coins, which no one should use beyond maybe a hundred bucks on a mobile wallet, but backing up in case you lose access to your wallets is a non issue.

Listen to this story.

My friend's wife and his daughter went abroad to visit their grandmother. His wife has the FaceID (or whatever it is called) option enabled to unlock her phone. One day he saw a gibberish post on Facebook on his wife's Facebook profile so he called her to see what that was all about. Turns out that their daughter was playing with the phone and the FaceID software recognized her face as that of his wife. She was able to unlock her phone. The interesting part is that the daughter looks entirely like my friend and nothing like his wife. Further proof that this type of protection is not something to rely on.   

So what is safe or what would you rely on? Please enlight me

Nothing is safe if you don't use proper precautions to secure your investments and many things are relatively safe if you do.

There is no need to invent new methods of storing or accessing your coins. We already have hardware wallets, you can use them. Use a paper wallet if you are a more advanced user or multisig options. You can even store your crypto in Electrum or airgapped machines. It all depends on what you have available or what you are ready to invest in combination with your computer habits. Even the most secure paper wallet or hardware device can't help you if you stored your seed/private keys in your email or phone.

Depends on your thread model.

What do you want to protect against ? And how much inconvenience are you accepting to take in order to secure your coins ?
A simple password protected hardware wallet already is much more secure than a 'biometric' wallet could ever be.

There are a lot of possibilities and different ways to do so, while something biometric-like is one of the worst.

Many of us have already shared their opinion about "biometric" and i am not gonna disagree with them too. Implementing retina or finger print scan system for fund transfer or wallet security wouldn't be a good idea. In both of these system there is higher chances to lose fund from wallet because those are easily collectible. I think maybe OP have got interested because in recent times most of the latest mobile phone brands are providing finger print and face detection features for their users. But mobile phone privacy and wallet security doesn't bear the same value. Where it relates with the matter of users fund there security should be unbreakable.

Yeah you can say that hackers can breach any types of security but we have to choose something which has lower chances. Current password based security system is much safer in my opinion where users could change it when they feel it necessary. But for "biometric" system we can't do it for multiple times specially for retina scanning.

Im thinking the same way where op do think up about biometric type which can be commonly seen with smartphones but in terms of level of bypass it do have much higher compared to those wallet that do have traditional passcode or keys and just like what been said above that airgapped devices and hardware wallets is already enough.

OT:
On side note with this fingerprint type padlock https://www.youtube.com/watch?v=RxM55DNS9CE is just useless.

Don't go for it even if there is one. If we are only talking about convenience then this would be great but if you are risking the security of your wallet because of it then it's really not worth the risk. Banks have done this with their apps and one way to avoid abusing it is they added a mandatory pin before you can even send money, the fingerprint was only to access the dashboard part of the app but even that is also a risky move since you are letting other people see what you have in your account.

so nobody here is using faceid or touchid?

Look I think it was cool faceid and it is a form of security for corporate and business use devices, and even for consumer devices etc. But these are rather different use cases than to actually be the main form of security for bitcoin.

Biometrics in security for your iphone I'd say doesn't get me worried about someone hacking off my eyes/finger to get into my phone (I realise I'm dramatising). But if I had a sizeable amount in my bitcoin wallet, I daresay I'd be more worried about that.

P.S. I have used touchid for laptop and happy it's there. But I just wouldn't use touchid for a wallet. Others might. Power to them.

Both of those features work but how good and precise are they, that is the real question!
Have a look at what can happen in a real life example from my above post: https://bitcointalk.org/index.php?topic=5175072.msg52384156#msg52384156

Besides, your fingerprints might change or lose quality due to an accident involving fire or boiling water. How are you going to get to your assets if the system doesn't accept your fingerprint anymore?

A biometric wallet is just too big of a risk if you ask me.

Getting password from users brain is much harder than getting users finger print or retina match. That's why most crypto wallet users keep their trust on password based security rather than finger print or retina scan. Maybe some guys think that its better to continue with modern worlds invention but sometime its better to follow old fashioned way to keep us safer from unexpected attacks.

Wallet security system is always far different than our mobile phone or another devices.

 

There will definitely be people who use the faceid or touchid but I'm sure that faceid/biometric kind of wallet are mostly used by the Chinese. With that been said, I totally don't support such platform because the system will be abuse sooner or later even if it was created by a private or decentralized company.

I get that, but personally I'd feel pretty secure since nobody I know knows I'd have any crypto on a hardware wallet (or phone, which I don't).  The chances of me getting forced at gunpoint to access my crypto is very remote.  Yeah, anything could happen but chances are I wouldn't run into a situation like that.  It would be much more likely I'd lose my wallet, in which case a fingerprint-dependent login would be extremely useful.

I wasn't even aware that biometric flash drives are being made.  I happened to come across some for sale on Amazon when I was looking for a flash drive that could be encrypted.  I think it'd be an awesome idea for Ledger or one of the other manufacturers to make a wallet with this technology.  Sure, things can go wrong....but they can always go wrong anyway.

I get your point and I respect it fully.  But I'd still like the fingerprint tech to be applied to hardware wallets for those who'd want them.  I'd sure be interested in something like that.

Yes, that's the disadvantage. Another thing is, if Biomaterics failed to connect server. It has been happend on real life. Currently I am working abroad and I have to give fingerprints or face to the machine. Means company collecting attendance by a face/fingerprints machine. So some machines not recognized to me. Fingerprints was not working sometimes even face. So I had to inform authority directly. So if this happen for Biomateric wallet then it would be very hard to move your fund. You might not able to make transaction when you need and you should contact support regarding your issue.

Well to be on topic rather than discuss the advantages/disavantages of biometric over pin or password...

The wallets i have used so far that have the feature you are looking for;
- Coinomi Mobile uses Finger Print ID
- imToken 2.0 Mobile Version uses finger Print ID

Pin is usually the default option, you have to set up the Finger print ID after creating the wallet.

The wallets that you mention above basically use 'TouchID' (fingerprint authentication).


I'm pretty sure the failures that you see is not because of connection problems but detection problems. Either the base data that was used to check is faulty, or your log-in process has issues. Some machines can't do their job if you have too much sweat on your finger, for example. Better tell your company to buy a new one. My sister is having the same problem with her office check-in mechanism, and I can say for sure that the device does not need the internet. The fingerprints data are stored offline.

Most likely you are talking about phone lock. Almost all new Android phone coming on markets with fingerprint feature. It can't be compare with Biometric wallet. If there is Biometric wallet then it should be attached individually for each wallet (not with phone)

That's what I was talking about. Not only risk, there would high risk.

Of curse there was detection problem. And what will happen if this detection problems occurs during your transaction on Biometric wallet? You will not able to make transaction when you need.

I started a thread about another biometric wallet, ZenGo, and I was informed about this thread here where more people are involved. Here are the posts so far and I'm curious what you computer experts think of this new wallet:

A few weeks ago I heard a podcast with Anthony Pompliano and the founder of ZenGo, which uses ZoOm, a facial recognition security app to secure Bitcoin. I’ve had a couple of discussions with Ouriel Ohayon from ZenGo about the benefits of ZenGo over Ledger. In comparison, Ledger already seems antiquated but has ZenGo been vetted enough to trust that ZenGo is secure? Since ZenGo uses ZoOm I can see how one party would blame the other party if hacking were to occur. I am not a security expert. What do you all think of ZenGo?


There's a discussion about using biometrics to secure your wallet here: Biometric BTC wallet?
The TL;DR is that it is generally a bad idea as it is far more easily broken than a strong password or passphrase.

In terms of the ZenGo itself, I've not heard of it before, but I've had a quick poke around their website. There are a couple of things which give me some concern.

Firstly is that they extensively use cloud servers for back up. Both the client share on your phone, and their server share which they store, are backed up to the cloud. You don't need me to tell you how poor cloud security generally is - you can do a simple web search and see story after story of cloud servers being hacked.

Secondly is their recovery mechanism. If they go out of business, then they have an escrow who will release a master decryption key so all users can still access their private keys and therefore their coins. That's great, but it means there exists a single point of failure for their entire system - the master decryption key. This has been created and transferred to an escrow. We have no idea how many copies of it exist, how many computer systems it has been on, how many people have had access to it, or how good the security currently protecting it is. It's a massive vector of attack, as if someone gains access to it, they can potentially gain access to every coin held by every owner of one of these devices (and as we said above, with all the back ups being stored on the cloud, this is a real concern).

@o_e_l_e_o

Thank you for your input. Wow, I am glad I did not move my coins to ZenGo yet. I am not technologically minded so I need to rely on you experts here. I don't feel comfortable leaving my Bitcoin on Coinbase and using a Ledger with a 24 word seed phrase just seems antiquated, like I said before. Is this really state-of-the-art? Also, like I said before ZenGo uses ZoOm facial recognition. I am not sure that ZoOm is equivalent to the biometrics in your link. Can you check out the white papers on ZoOm and let me know what you think?

https://www.zoomlogin.com/#page-blk-white-papers

The problem with Adroid or IOS is that it does not let you read the data from a finger or face, the phone only let the app confirm the submitted lock finger/face match the touching finger/face. Which means a rooted phone could be hacked if the android or OSX is "modified"

Then there is always problem with the backup phrase, or if someone has an accident and looses a hand, what then?

So has anyone read the ZoOm white papers? What do you all think of it? It passed all these security tests.
https://www.zoomlogin.com/#page-blk-white-papers

Thats why you probably would salt it with additional data

Could you elaborate please, it seems like an interesting idea.

I know Zengo (https://zengo.com/) wallet provides Biometric 3D Face Authentication and D’CENT Biometric hardware wallet (https://dcentwallet.com/overview/specification.html) provides Fingerprint Biometric Authentication.

• Zengo is the first Keyless Crypto wallet that as no Private keys. It has distributed security between our wallet and ZenGo servers. Even if the wallet is lost or hacked, our assets are safe.

• D’CENT Biometric hardware wallet has built in fingerprint scanner which acts as an additional security for accessing wallet.

---

Source: https://zengo.com/
https://dcentwallet.com/overview/specification.html

Seriously, cut n paste from zengo website

your security is distributed between your device and ZenGo servers

No ZenGo, Not your coins....

How did you find this wallet?

According to the whois, the domain of zengo was registered 1999(Such a good domain)

So how safe this wallet is?

And I found that the domain wayback/history this website is not yet alive until april they have a representative here on the forum but they are not active. You can check their profile here https://bitcointalk.org/index.php?action=profile;u=2568273

So how safe is this wallet?

It is not cut and paste, it is the definition of the wallet in my words.

I saw this thread and searched about Biometric BTC wallet and found these wallets.

I am not sure how safe is this wallet, as I have not used these wallets. It was just a suggestion.

So this keyless wallet, what happens if Zengo goes away, where are my keys?

Read here - https://zengo.com/security/ to know more about Zengo Keyless security. There is no point in discussing here about how Zengo works? Anyone can give any suggestions but before using any wallets, one should do a lot of research about that, check their reviews and then only they should use it.