FBI Forced Suspect to Unlock His iPhoneX Through Face ID

engadget.com/2018/10/01/fbi-fa

This is why biometrics are NOT secure. Biometrics should be treated as a UserID, and NOT as a password

@matt Yes! I use Face Unlock for my phone, but everyone using it should be aware that it doesn't actually protect them. I mainly use it to protect myself from unlocking my phone in my pocket.

@matt
... Huh. Never thought of it that way. In my head, nothing sounded more secure than "literally only you can unlock it".

@hikaruaikawa Only your face or fingerprints can open your device.

Unfortunately, it's relatively easy for someone else to have access to your face or fingerprints.

@matt
Yeah, that's the loophole I hadn't spotted yet.

@matt to get the true level of security we want though, we need another level of human interaction, trust and ethics. No amount of brilliant security can go around social engineering and government pressure on the highest level...

@matt Thank you for giving me another reason to go back to a flip phone when my current phone dies.

@matt 2 factor, something you know and something you have. Biometric can be the have.

@DistroJunkie @matt
Not exactly, but bio does work great in a multifactor auth scenario (1. Something you know, 2. Something you have, 3. Something you are), so you could, and ideally should, still have a hardware token of some sort for any secure environments. But unfortunately, the people making mobile devices don't seem to be nearly paranoid enough :/

Would love to see a laptop or something with 3+ factor auth in mind from the start

@architect @DistroJunkie That's what I'm saying:

1. Something you know = Password
2. Something you have = 2FA token/device/thing
3. Something you are = Username/Biometric fingerprint

If your system does not allow #2, then biometrics should ALWAYS be #3 on this list, and NEVER #1

@matt @architect @DistroJunkie

That made me rethink my choice of using fingerprint lock on my phone.

** Stops tooting and reverts to password lock on phone.

@architect @matt I said biometric could count as something you have but something like a yubikey or a password would be much better.

@matt

seriously.

as the quality of surveillance and digital photography improves, practically *anyone* can steal biometric data to unlock anything.

in China there is already a surveillance system that can capture the facial images from over 5 miles away.

biometric will be a godsend not just for the surveillance state but also for thieves and hackers.

@salixlucida

@matt
This makes sense.

Best kind of security is like a secret society: "in plain sight"? #freemasons

Or brick building, opsec?

I'm sure it's now possible to "steal a key" (physical metal key) via digital long range photography... In theory. I've never worked with those spooky agencies. So idk.

@QuantumHemp @salixlucida it's no theory. You can copy a key based off of a photo. So all you need is a good enough optical lens and you can make out a key at almost any distance (up to a point though, as physics will get in the way)

@salixlucida @matt it’s why you should always wear sunglasses and keep your hands in your pockets or at least not turned to any devices which could record you. Maybe wear gloves too?

@UnclearFuture @salixlucida sunglasses won't stop facial recognition from partial matches. You would need to cover your entire face.

Of course doing that will result in people mistaking you for a robber, so...

@matt and people are surprised when I tell them biometrics are a bad security choice and that I will always use a password. Not only that, but because of how international travel and laws in the country I live in are, it’s likely I will have to leave my devices at home because I will always refuse to unlock my devices. In the country I live in that is illegal and will end you up in jail, sigh 🤷🏼‍♀️

@UnclearFuture in my country, the government will just seize your devices at the border whether they have legal authority or not. Then it's good luck getting it back at all.

LinuxRocks.Online

Linux Geeks doing what Linux Geeks do..