if biometrics is the only thing you have you might aswell not have a password at all but if you use it with a 2fa pin it is good for example for your phone yiu can have a long backup passphrase and if you dont want to type that in you can use biometrics to unlock the pin screeb and still need to type in a pin so its the best of both worlds
If I can’t change it once it gets breached (because it will get breached), then it’s not security, it’s a hurdle at best. Biometrics entry isn’t security; it’s convenience.
Police officers cannot force you to unlock your phone by a testimonial act that reveals the contents of your mind. You can be forced to unlock your phone by a nontestimonial act.
Graphene allows for fingerprint and second factor pin unlock, which is what I use. I mostly do that for cops, though, since in the US you can be legally compelled to unlock your phone with biometrics but not pin.
Wouldn’t stop someone from torturing you to unlock your device, but that’s what a duress pin is for ;) (they may kill you once your phone wipes but at least they wouldn’t have your data)
If you don’t have time to quickly disable biometrics (lockdown mode) before the cops grab it, you wouldn’t have time to turn it off either. A phone in AFU mode is very easily cracked with those forensic devices.
in the U.S
And they could just beat you for the password either way, given the current political atmosphere.
We’re deporting citizens. The distance between biometrics and passcode is not much legally, because if they want to, they’re going to make you or send you to the gulag.
And even if you tell them, probably still send you to the gulag.
I don’t use it at all, even with various bank apps and such yelling at me to do so. Yeah, a $2 wrench could still eventually get it out of me, but you can’t just use my face/finger to do so.
For proper user authentication the model always used to be that the user should present three things: something they were (a username for instance), something they knew (a password), and something they had (a OTP from a device, or a biometric). The idea being that, even if a remote attacker got hold of the username and password, they didn’t have the final factor, and if the user was incapacitated or otherwise forced to provide a biometric, they wouldn’t necessarily supply the password (or on really secure systems, they’d use a ‘panic’ password that would appear to work, but hide sensitive information and send an alert to the security team).
Now we seem to be rushing into a system where you have only two factors, the thing you have, namely your phone, and the other thing you have, namely a fingerprint or your face. Notably you can’t really change either of those, especially your biometrics, so they’re entirely useless for security. Instead your phone should require a biometric and a password to unlock. The biometric being ‘the thing you are’, the phone ‘the thing you have’, and the password being 'the thing you know.
So, yes, I’m entirely against fingerprint unlocking.
Pragmatically, is that really any different with a passcode? Someone might not be able to physically force an unlock like with biometrics by moving the relevant body part over, but there’s certainly nothing stopping someone from forcing you to unlock your phone if you had a passcode through by duress. Most thieves would have certainly wised up enough to force you to remove your passcode before leaving, or they’d watch you unlock your phone, and figured out the passcode that way.
I rather doubt that, if in that kind of situation, there would be many who would resist. Your phone is not worth your life for most.
Personally, if I wasn’t doing anything sensitive, like travelling through some countries (like Australia/the US) or going to a protest, I’d probably keep it on. The convenience makes up for it for the most part.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.
6. Memes are not allowed to be posts, but are allowed in the comments.
7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.
8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.
if biometrics is the only thing you have you might aswell not have a password at all but if you use it with a 2fa pin it is good for example for your phone yiu can have a long backup passphrase and if you dont want to type that in you can use biometrics to unlock the pin screeb and still need to type in a pin so its the best of both worlds
Take this:
https://xkcd.com/538/
And now encourage people to cut off your thumb
it is an oxymoron. Biometrics are the equivalent of a username, not a password.
I like this perspective. Wish there were more implementations of a biometric + password combo.
100%. Pin plus fingerprint would be truly excellent in my opinion with minimal inconvenience.
If I can’t change it once it gets breached (because it will get breached), then it’s not security, it’s a hurdle at best. Biometrics entry isn’t security; it’s convenience.
From here…
If only for the above reason, I refuse biometrics on any of my devices. 🤷♂️
For every day use, I use it. It’s convenient.
If I’m traveling or going to a protest, I’ll turn it off. I also make sure I know the ways to disable it.
I’d suggest you may be better off not bringing your phone at all, in this case.
Graphene allows for fingerprint and second factor pin unlock, which is what I use. I mostly do that for cops, though, since in the US you can be legally compelled to unlock your phone with biometrics but not pin.
Wouldn’t stop someone from torturing you to unlock your device, but that’s what a duress pin is for ;) (they may kill you once your phone wipes but at least they wouldn’t have your data)
Do NOT use biometric unlock in the U.S.
Law enforcement can force you to open the phone vs. requiring a warrant for PIN/Password.
Same with face unlock, not requiring a warrant, if I’m remembering correctly
Yes
If you don’t have time to quickly disable biometrics (lockdown mode) before the cops grab it, you wouldn’t have time to turn it off either. A phone in AFU mode is very easily cracked with those forensic devices.
And they could just beat you for the password either way, given the current political atmosphere.
We’re deporting citizens. The distance between biometrics and passcode is not much legally, because if they want to, they’re going to make you or send you to the gulag.
And even if you tell them, probably still send you to the gulag.
Biometrics are fine as a /username/ but should not be used as a password - heard that on some security podcast ages ago and have kept with it since.
So basically I don’t use biometrics, lol
I don’t use it at all, even with various bank apps and such yelling at me to do so. Yeah, a $2 wrench could still eventually get it out of me, but you can’t just use my face/finger to do so.
I run GrapheneOS on my phone and reject all biometrics on principle not because I have anything to hide.
But you do have things to hide. Everybody does. That doesn’t make it bad.
For proper user authentication the model always used to be that the user should present three things: something they were (a username for instance), something they knew (a password), and something they had (a OTP from a device, or a biometric). The idea being that, even if a remote attacker got hold of the username and password, they didn’t have the final factor, and if the user was incapacitated or otherwise forced to provide a biometric, they wouldn’t necessarily supply the password (or on really secure systems, they’d use a ‘panic’ password that would appear to work, but hide sensitive information and send an alert to the security team).
Now we seem to be rushing into a system where you have only two factors, the thing you have, namely your phone, and the other thing you have, namely a fingerprint or your face. Notably you can’t really change either of those, especially your biometrics, so they’re entirely useless for security. Instead your phone should require a biometric and a password to unlock. The biometric being ‘the thing you are’, the phone ‘the thing you have’, and the password being 'the thing you know.
So, yes, I’m entirely against fingerprint unlocking.
biometrics are for usernames and not passwords/keys.
GrapheneOS allows it to not be used as the device unlock, but still use it for other apps once unlocked (such as banking apps).
Device unlock should never be biometric.
I also have data over the usb port disabled unless the device is actively unlocked.
Pragmatically, is that really any different with a passcode? Someone might not be able to physically force an unlock like with biometrics by moving the relevant body part over, but there’s certainly nothing stopping someone from forcing you to unlock your phone if you had a passcode through by duress. Most thieves would have certainly wised up enough to force you to remove your passcode before leaving, or they’d watch you unlock your phone, and figured out the passcode that way.
I rather doubt that, if in that kind of situation, there would be many who would resist. Your phone is not worth your life for most.
Personally, if I wasn’t doing anything sensitive, like travelling through some countries (like Australia/the US) or going to a protest, I’d probably keep it on. The convenience makes up for it for the most part.