Linked by Thom Holwerda on Wed 13th Sep 2017 21:56 UTC
Privacy, Security, Encryption

If you value the security of your data - your email, social media accounts, family photos, the history of every place you've ever been with your phone - then I recommend against using biometric identification.

Instead, use a passcode to unlock your phone.

Can't argue with that - especially in places where law enforcement often takes a... liberal approach to detainees.

Well ...
by WorknMan on Thu 14th Sep 2017 02:02 UTC
WorknMan
Member since:
2005-11-13

The police can force me to use my fingerprint to unlock my phone, but they're not going to find anything incriminating on there. I guess they could plant something, but if they want to bust you that badly, you're screwed either way.

I'm not one of those people who say, 'If you have nothing to fear, you have nothing to hide', but I do think a lot of people are too goddamn paranoid. Of course, some people have good reason to be, but I suspect most people don't.

Edited 2017-09-14 02:04 UTC

Reply Score: 2

RE: Well ...
by Alfman on Thu 14th Sep 2017 03:40 UTC in reply to "Well ..."
Alfman Member since:
2011-01-28

WorknMan,

> I'm not one of those people who say, 'If you have nothing to fear, you have nothing to hide', but I do think a lot of people are too goddamn paranoid. Of course, some people have good reason to be, but I suspect most people don't.


It's not about paranoia or guilt, IMHO. Instead it is about principles and whether you value our rights as individuals that our forefathers granted us in the constitution.

Reply Score: 3

RE[2]: Well ...
by ilovebeer on Thu 14th Sep 2017 14:39 UTC in reply to "RE: Well ..."
ilovebeer Member since:
2011-08-08

That's where I side on this issue. To me it's 100% principle and rights. There has to be a line drawn between the people and those who are supposed to "serve & protect" us. Law enforcement should never have absolute power or control to invade what's most private and sensitive unless there's true reasonable cause. Human beings simply don't do well when privacy is absent. I could never justify police abuse of power by saying "if you have nothing to hide, you shouldn't have a problem with it". Yes, you should have a problem with it! A HUGE one! That kind of stuff is the exact opposite of what a democratic society is supposed to be.

Reply Score: 4

RE[2]: Well ...
by WorknMan on Thu 14th Sep 2017 22:02 UTC in reply to "RE: Well ..."
WorknMan Member since:
2005-11-13

> It's not about paranoia or guilt, IMHO. Instead it is about principles and whether you value our rights as individuals that our forefathers granted us in the constitution.


So, assuming you don't have anything on your phone that might get you in trouble, you're going to go through the inconvenience of using a pin instead of a fingerprint, because... fuck the police? Please help me make sense out of that.

Reply Score: 1

RE[3]: Well ...
by Alfman on Fri 15th Sep 2017 07:01 UTC in reply to "RE[2]: Well ..."
Alfman Member since:
2011-01-28

WorknMan,

> So, assuming you don't have anything on your phone that might get you in trouble, you're going to go through the inconvenience of using a pin instead of a fingerprint, because... f--k the police? Please help me make sense out of that.


I was responding to your original post where you were implying that only guilty people have a good reason to be against the intrusions. Just because you don't care, that doesn't mean others don't or shouldn't care. As I said before, many people object on principle, even if the police wouldn't find anything.

As far as your next point, people can choose for themselves what they do and why. Just keep in mind lax security doesn't just benefit the police, it also benefits criminals. I hope people are able to make an informed decision based on realistic threat models. Unfortunately vendors (including Apple) are sometimes known to mislead users by claiming their security is better than it really is - they're not really doing their customers any favors when they exaggerate because it is not going to fool the hackers!

Edited 2017-09-15 07:08 UTC

Reply Score: 4

RE[4]: Well ...
by Kochise on Fri 15th Sep 2017 17:28 UTC in reply to "RE[3]: Well ..."
Kochise Member since:
2006-03-03

Why do governments have secret agencies, classified documents and shit? Because they all have pretty much dirt under the carpet they don't want you to see. Ministers and leaders can do even more shit without losing their head/chair, because power/friendship/brotherhood/whatever. But democracy, freedom, justice, wada wada...

Reply Score: 2

RE[4]: Well ...
by WorknMan on Fri 15th Sep 2017 18:26 UTC in reply to "RE[3]: Well ..."
WorknMan Member since:
2005-11-13

> where you were implying that only guilty people have a good reason to be against the intrusions.


No, I was implying that only guilty people ought to be paranoid enough to use only passcodes. I mean, you could be completely against police being able to force you to fingerprint unlock, but still use the feature.

As for security, I imagine the odds are about a million to one (or higher) that a security vulnerability like this is going to affect you personally before the general public finds out about it, and then you switch it off until they patch the vulnerability. Besides, there have been vulnerabilities in the past that let people get past a passcoded lock screen, so that ain't no guarantee either.

Edited 2017-09-15 18:28 UTC

Reply Score: 2

RE: Well ...
by sj87 on Thu 14th Sep 2017 04:49 UTC in reply to "Well ..."
sj87 Member since:
2007-12-16

You should check your definition for 'incriminating'... Anything that's illegal by law, will be incriminating in your possession. If you live in a fascist police state (USA, Russia), it is very likely that many harmless things will get you in trouble.

You also need to remember that every police officer is a human as well. They might use your data for their own private purposes or just solely for stalking you and your family, to cause trouble to a guy who – for no specific reason – ticked them off.

Edited 2017-09-14 04:55 UTC

Reply Score: 5

RE[2]: Well ...
by WorknMan on Thu 14th Sep 2017 22:46 UTC in reply to "RE: Well ..."
WorknMan Member since:
2005-11-13

> You should check your definition for 'incriminating'... Anything that's illegal by law, will be incriminating in your possession.


I don't think I have anything like that. Like I said, if they want you that badly, they're going to get you.

Reply Score: 3

RE: Well ...
by Bill Shooter of Bul on Thu 14th Sep 2017 16:52 UTC in reply to "Well ..."
Bill Shooter of Bul Member since:
2006-07-14

Ironically the ones who are usually the most paranoid have no reason to be, and those that are not paranoid should be.

There is a smaller subset of criminal masterminds or political dissidents that do have good reason to be paranoid and are. To them, good luck. When nation states are after you, you've got a lot of difficult expensive problems to solve.

But for me yeah, I'm paranoid, but then I get compromised anyways because the stupid credit bureau security sucks. :| no practical defense against those kind of screw ups as an individual. But I feel better knowing that if there is a screw up, it's not my fault.

Reply Score: 3

Bears repeating
by JLF65 on Thu 14th Sep 2017 02:23 UTC
JLF65
Member since:
2005-07-06

And in many countries — including the US — the police can legally force you to use your fingerprint to unlock your phone. So they can most certainly point your phone at your face and unlock it against your will.

Biometric security is an oxymoron! Stick to passwords.

Reply Score: 6

RE: Bears repeating
by The123king on Thu 14th Sep 2017 07:40 UTC in reply to "Bears repeating"
The123king Member since:
2009-05-28

You'll have to tear my iPhone 5 away from my cold dead hands

Reply Score: 2

article flawed
by kristoph on Thu 14th Sep 2017 05:05 UTC
kristoph
Member since:
2006-01-01

The article lacks a distinction between active biometric security and passive biometric security.

A passive solution - including Touch ID - is reasonably easy to defeat. You can simply be held down and your finger used to unlock a device.

An active solution - such as Face ID - is more difficult to defeat because you need to actually have your eyes open and be looking at the device. You could be tricked into doing so, certainly, but it would be challenging ( and comical ).

Of course, anyone could use violence against you to force you to do this but that would work just as well in obtaining a password.

( Note that, like the author of the article, I have not used Face ID, so who knows if it's capable of detecting your face and attention effectively. )

Reply Score: 1

RE: article flawed
by fmaxwell on Thu 14th Sep 2017 06:15 UTC in reply to "article flawed"
fmaxwell Member since:
2005-11-13

Agreed. The article is flawed in that the author is apparently blind to the fact (pun intended) that the iPhone will not unlock if your gaze is averted.

He is also under the mistaken impression that simply unlocking an iPhone would somehow give someone the access to "all the data, social media accounts, and bank accounts that comes with it." If you unlock my iPhone, you then have to unlock 1Password separately to get access to any of that sensitive data.

Reply Score: 0

RE: article flawed
by nrlz on Thu 14th Sep 2017 06:53 UTC in reply to "article flawed"
nrlz Member since:
2006-01-27

> because you need to actually have your eyes open and be looking at the device. You could be tricked into doing so, certainly, but it would be challenging ( and comical )


Take advantage of human beings' natural fight-or-flight response.

1. Don't let the user know you are preparing to unlock their phone.
2. Stand behind him/her holding the phone up to their face.
3. Make a REALLY LOUD noise like glass breaking behind them.
4. Humans will naturally turn around to the source of the danger with eyes wide open.

Come to think of it, here's another way.

1. Print out a photoshopped picture of the target in an incriminating pose on high quality paper.
2. Carefully stick it on their phone so it looks like it is loaded on the phone screen.
3. Pretend that you have unlocked their phone.
4. Ask them why their phone has a picture of them doing whatever.
5. Show it to them.
6. Target looks straight at the phone in surprise and is confused by the photo.
7. Phone is unlocked.

Reply Score: 4

RE[2]: article flawed
by avgalen on Thu 14th Sep 2017 09:26 UTC in reply to "RE: article flawed"
avgalen Member since:
2010-09-23

Summary: <in loud voice>Hey, is this your phone?

Reply Score: 4

RE: article flawed
by Thom_Holwerda on Thu 14th Sep 2017 09:40 UTC in reply to "article flawed"
Thom_Holwerda Member since:
2005-06-29

> An active solution - such as Face ID - is more difficult to defeat because you need to actually have your eyes open and be looking at the device. You could be tricked into doing so, certainly, but it would be challenging ( and comical ).


Not really. Hold down detainee, hold up phone in front of his face. If detainee closes eyes, hold up phone unexpectedly during interrogation.

Biometrics like this are convenience, not security.

Reply Score: 4

Comment by Sidux
by Sidux on Thu 14th Sep 2017 06:19 UTC
Sidux
Member since:
2015-03-10

Can't wait for the new Identity ID implants.

Reply Score: 2

Why I don't like face recognition
by cropr on Thu 14th Sep 2017 09:13 UTC
cropr
Member since:
2006-02-14

For me the main issue with face recognition is that you have to move your phone in the right direction and that you have to look straight at the phone. The combination of these 2 actions takes a lot longer than a fingerprint scan, where you only have to put your finger on the sensor.
If you do that 100 times a day, it starts counting.
Also for features like Apple Pay, this is a huge disadvantage. Apple Pay with face recognition will take longer than Apple Pay with a fingerprint scan and also longer than a proximity chip card with a pin code.

Reply Score: 2

pattern
by nicubunu on Thu 14th Sep 2017 10:00 UTC
nicubunu
Member since:
2014-01-08

Honestly, if I would care strongly about the security of the data on my phone, I would probably not use a pattern to unlock it, traces of grease should be the easiest to find.

Reply Score: 2

You can deactivate it
by mkone on Thu 14th Sep 2017 10:11 UTC
mkone
Member since:
2006-03-14

FaceID unlock (and TouchID for that matter) can be temporarily disabled by either:
- Turning off the phone, or
- In iOS 11, by hitting the power button 5 times.

So, for the iPhone X, you can disable FaceID in under a second, after which, they would need to force you to give them the pass code.

Edited 2017-09-14 10:11 UTC

Reply Score: 1

RE: You can deactivate it
by sj87 on Thu 14th Sep 2017 10:17 UTC in reply to "You can deactivate it"
sj87 Member since:
2007-12-16

It isn't true security when enabling it requires active measures from the user.

Reply Score: 3

RE[2]: You can deactivate it
by mkone on Thu 14th Sep 2017 10:23 UTC in reply to "RE: You can deactivate it"
mkone Member since:
2006-03-14

FaceID and TouchID are also about convenience. And security that is not convenient is bad security too as people will just disable it.

Besides, this is optional. You can disable TouchID and FaceID completely. Just don't register your face or fingerprints, and no one in the world can force you to unlock your phone using your face/fingerprints!

Reply Score: 2

RE[3]: You can deactivate it
by Alfman on Thu 14th Sep 2017 14:27 UTC in reply to "RE[2]: You can deactivate it"
Alfman Member since:
2011-01-28

mkone,

> FaceID and TouchID are also about convenience. And security that is not convenient is bad security too as people will just disable it.


I agree, while it's not very secure to use physical appearances to login, at least people don't have to use it.


> Besides, this is optional. You can disable TouchID and FaceID completely. Just don't register your face or fingerprints, and no one in the world can force you to unlock your phone using your face/fingerprints!


I do worry more broadly about what happens as biometrics become more widely used. It's well understood why one shouldn't use the same passwords in multiple systems, and yet this is effectively very much what we are doing with biometrics. We end up having to violate a whole host of best practices to use biometrics. The opportunity for misuse and Equifax-style leaks is ever-increasing.

Reply Score: 3

HereIsAThought
Member since:
2017-09-14

So I'm now carrying a 3D scanner in my hand. How many other people's faces could I capture in 3D detail with that?

If I had access to Apple's database of Face2People - how quickly and accurately ( beyond typical face recognition ) could I ID people. If I didn't have Apple's database could I use a combination of a 3D model built from photos from different angles taken from the web and the captured 3D model to improve matches between the physical and virtual - hold up your phone and have an AR app where everything you can find out online about that person is in a bubble over their head.

Security services gonna love this.

In terms of device security - well at least they need the device as well as the face, I hope nobody is stupid enough to extend this to a web app.

Reply Score: 2

darknexus Member since:
2008-07-15

If I understand Apple's presentation correctly, they do not store a database of faces. They were quite clear that all recognition takes place on the device and is never sent to the internet for processing. Facial data is stored in a hardware-backed encryption enclave on the A11 chip itself. They could be lying about that of course but, given how much people are going to be digging for security flaws in it, I doubt they'd risk a lie.

Reply Score: 2

Tony Swash
Member since:
2009-08-22

Apparently if people (not sure how many) look at your iPhone X it disables the FaceID and you have to use a passcode. Apparently during the stage set up at the keynote Apple techies looked at the phone and inadvertently locked the FaceID.

So - if the cops grab your phone and look at the screen Face ID will stop working and they will need you to hand over the passcode. Clever security measure.

Edited 2017-09-14 19:05 UTC

Reply Score: 0

Disabling Touch/Face ID
by surfmike on Thu 14th Sep 2017 21:29 UTC
surfmike
Member since:
2017-06-26

You can disable it (and force passcode unlock) by pressing the power button 5 times.

Reply Score: 1

RE: Disabling Touch/Face ID
by JLF65 on Thu 14th Sep 2017 22:10 UTC in reply to "Disabling Touch/Face ID"
JLF65 Member since:
2005-07-06

It used to be "The cops are here! Quick, flush the drugs!" Now it's "The cops are here! Quick, press the power button five times!" ;)

Reply Score: 4