Your fingerprint has expired. Please choose a new fingerprint to continue. Your new fingerprint cannot be the same as any of the 10 previous fingerprints you have used.

Biometrics is an id, not a password.

@leeloo This is catchy on paper, but:
- Few people are targeted by actors willing to spend the resources to get a 3D face scan
- The one system I know (iOS) asks you to have a password as backup. It’s explicitly weakening security for convenience (see 1). So you can give your password, instead of your eye, if you prefer
- A corollary to the reasoning you describe: if you EVER use your password in public, you MUST change it immediately. Woof!

IMO your reasoning is sound, but applies to few peeps

@Cykelero
If your phone can do a 3D face scan to unlock, the resources required to get a good enough 3D face scan are a phone like yours.

Your second point is good. Few systems do that. But do you remember the password when you meet the dude with the machete?

As for your third point, do you mean on a computer that may have a keylogger? If so, you are absolutely right. In that case you should use a one time password if you really need to.

@leeloo You need more than scan a face, you also need to retrieve the data (it's intentionally extremely hard on iPhone) + print a convincing face replica. Both need quite specialized hardware—not just a phone!

I think you can forget your password even if bio auth is disabled; machete man will not be pleased either way.

And I meant in general, unlocking your phone in public: people/security cameras might see your screen. You'd need to crouch under a table for every unlock. Few people do that!

@Cykelero
You just need to inject the bits somewhere between the camera sensor and the facial recognition software.

Forgetting a password you used once is much easier than forgetting one you use every day.

@leeloo My understanding is that you do need hardware access in the end (e.g. the CPU physically can’t access the bio data decryption key, vastly upping the bar for a working extraction exploit). That’s stretching my knowledge, though; you really can’t just guess at how these systems are designed.

That infrequent password entry forgetfulness point rings true. (required 1/week on iOS, but result is the same)

@leeloo Ultimately though, adding all that up, bio authentication does weaken security, but only a very slight amount, for most people.
Finding bio scan/storage iffy is a valid reason to avoid the tech. The added risk really isn’t: you cross the street; kiss other humans; bio auth won’t ruin your life either.

@Cykelero
Your face is not encrypted. Neither is a picture of your face.

If the signal from the camera to the CPU (or wherever the check is performed) is encrypted, you just need to inject the data before it gets encrypted.