• BorgDrone@lemmy.one
      link
      fedilink
      English
      arrow-up
      32
      arrow-down
      1
      ·
      edit-2
      1 year ago

      As with all things security, it depends entirely on your thread model and the value of what you’re trying to protect.

      Biometrics can be a much more secure option than using a PIN or password, depending in circumstances.

      For example: when I’m working on my laptop on the train or in a coffee shop and I need to log into some website I’d rather use my fingerprint to unlock the passkey than type in a password in a public place where I have no idea who is observing me entering my password.

      Same goes for paying with your phone, you can either enter your phone PIN in a crowded supermarket or you unlock with FaceID.

      Also, for phones, for a lot of people the alternative to biometrics wouldn’t be a PIN, it would be no authentication whatsoever. Biometrics lowers the barrier to having a form of authentication at all.

      • Saik0A
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        6
        ·
        1 year ago

        for a lot of people the alternative to biometrics

        Full password Android user representing here… It’s surprising how few people bother to even stop any amount of snooping on their phones. but I guess it’s only surprising in that I wished more from society in general.

      • seaQueue@lemmy.world
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        4
        ·
        1 year ago

        Biometrics can be spoofed, or the body part stolen in extreme cases.

        Also, in the US at least, biometrics aren’t protected by the same rights that allow you to not incriminate yourself. IIRC they’re considered a thing you have, which you can be compelled to surrender or use to unlock a device, vs something you know (like a password or pattern) which you can withhold if it would be incriminating. Check with a lawyer on this one, I haven’t paid attention to the case law here for a bit.

        • Squeak@lemmy.world
          link
          fedilink
          English
          arrow-up
          26
          arrow-down
          3
          ·
          edit-2
          1 year ago

          If someone is stealing my body parts, what they access on my devices is the least of my worries!

          • wmassingham@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            2
            ·
            1 year ago

            They don’t have to be stolen. Imagine some clever thief drugging your drink, then when you’re incapacitated they take your phone and press your finger to it or hold it up to your face to unlock it, then transfer all your money out of Venmo or whatever money transfer app you have on your phone.

            • Squeak@lemmy.world
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              1
              ·
              1 year ago

              The comment I replied to said stolen, which is what I was getting at.

              There’s also nothing to stop someone watching over your shoulder to see your PIN for your phone/laptop. Nothing is infallible.

            • jimbo@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              arrow-down
              5
              ·
              1 year ago

              God, the shit people dream up to worry themselves about. Nobody is drugging you to unlock your phone.

          • Imgonnatrythis@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            Really? Would be up there for me. Sucks to miss a finger or eyeball, but if they’ve also drained my bank account and my credit card - I’m going to be even more pissed for sure.

      • snooggums@kbin.social
        link
        fedilink
        arrow-up
        20
        arrow-down
        2
        ·
        edit-2
        1 year ago

        If it is low detail enough to consistently ‘work’, it isn’t complex enough to be better than something like a chip and pin approach.

        They are repeatedly bypassed with easy hacks like silly putty and photographs. People’s biometrics are not unchanging. Burned fingers, swollen eyes, and sore throats are things that can change enough to make biosecurity unreliable. That is before cold and heat and how they effect biological things!

        That is all before you take into account the fact that some people don’t have whatever is being used. Have fun using eye based biosecurity on someone with cataracts or is missing their eyes entirely due to injury or just being born without them fully developed. Or they have a physical issue that makes it hard for them to interact with the bio reader. Stephen Hawking needing to lean towards a mounted eye scanner would be impossible for example.

        So either you have mediocre security that allows for a lot of false positives to get through or you end up having to add a bypass system for when it fails, and now you have two ways that security can be defeated! A non-biological solution with two factor authentication of an item and a PIN or other knowledge piece is far more secure than biosecurity can ever be.

        So already insecure, but in addition to that anyone with physical access to the person can force them to do the biosecurity. Police are able to force someone to put their finger on their phone, or look at the screen for a face unlock. Maybe they aren’t legally able to, but it is a good example of not being secure.

      • TORFdot0@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        2
        ·
        1 year ago

        They aren’t 100% reliable and it has its’ challenges based on its implementation but I wouldn’t consider it fundamentally insecure. It’s as secure as a NFC token, TOTP, or a push notification as a form of authentication. It’s like birth control, no method is 100% safe and effective, but plain username and password auth is like pulling out, anything is better than that.