Do you consider fingerprints to be safe?

I considered the Emperor’s Lounge, but reading the descriptions this should go to News and Updates. So be it.

So, I had a Security & Compliance course at work. At some point they asked how I secured access to my phone, using a PIN, pattern or biometrics (fingerprint/face). I said I was using a pattern.

They then asked if I considered it to be safe. I replied I did.

Then they told me it was safer to use a 6-digit code or even biometrics. This is where I objected.

To me a complex pattern on a large grid is more secure, not only because of the grid size but also because a code shows your thumb clearly stopping and starting while a pattern is a smooth movement.

And when it comes to biometrics, we’ve all seen the fiction TV shows where somebody uses a hand (or face) to unlock a phone while the person sleeps. Biometrics (in the case of a phone or PC) in my opinion actually make things easier and less secure.

Not to mention the first thing the average “secure” app does like banking or password vaults is ask if you wish to use the registered fingerprints and people just love their convenience.

But since the “experts” told me I was all wrong, I’m curious what you guys think. Who uses biometrics on their phone? Who prefers PIN over pattern and vice versa?

Ironically they also told me not to discuss outside of work something that goes on at work and the first thing I do is come here to discuss it. But I think the question is innocent enough and poses no security risk. Maybe we can even learn from the answers.

7 Likes
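The pattern-versus-PIN question in the post above comes down to key-space size. As an added example (not from the original poster or the forum), this counts the valid unlock patterns on an n×n grid under the Android-style rule that a stroke may only pass over a dot that has already been visited, and puts the 3×3 total next to 4- and 6-digit PIN spaces; applying that rule to grids larger than 3×3 via gcd is an assumed generalisation.

```python
# Added example: counts Android-style unlock patterns and compares the key
# space with numeric PINs. The no-skipping rule is Android's; extending it to
# grids larger than 3x3 via gcd is an assumption for illustration.
from math import gcd, log2
from typing import Dict, Optional


def valid_patterns(n: int = 3, min_len: int = 4,
                   max_len: Optional[int] = None) -> Dict[int, int]:
    """Number of valid patterns per length on an n x n dot grid.

    A pattern visits each dot at most once. A straight stroke from one dot to
    another may pass over intermediate dots only if they were already
    visited (drawing 1 -> 3 on the top row requires 2 to be used first).
    """
    if max_len is None:
        max_len = n * n
    dots = [(r, c) for r in range(n) for c in range(n)]
    counts = {k: 0 for k in range(min_len, max_len + 1)}

    def crossed(a, b):
        # Dots lying strictly between a and b on the straight line a -> b.
        dr, dc = b[0] - a[0], b[1] - a[1]
        g = gcd(abs(dr), abs(dc))
        return [(a[0] + i * dr // g, a[1] + i * dc // g) for i in range(1, g)]

    def dfs(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for d in dots:
            if d not in visited and all(m in visited for m in crossed(last, d)):
                visited.add(d)
                dfs(d, visited, length + 1)
                visited.remove(d)

    for start in dots:
        dfs(start, {start}, 1)
    return counts


def key_space_comparison() -> Dict[str, int]:
    """Total 3x3 pattern count beside 4- and 6-digit PIN spaces."""
    patterns = sum(valid_patterns(3).values())
    return {"pattern_3x3": patterns, "pin_4_digit": 10 ** 4, "pin_6_digit": 10 ** 6}


if __name__ == "__main__":
    for name, size in key_space_comparison().items():
        print(f"{name:>12}: {size:>9,d} combinations  (~{log2(size):.1f} bits)")
```

On a 3×3 grid the full pattern space (389,112) sits between a 4-digit and a 6-digit PIN; the comparison only shifts on a larger grid or with a longer PIN, and neither count says anything about what a shoulder-surfer sees.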

Don’t you work at subclub though :rofl::rofl::rofl:

As for your question, I agree with the fact that biometrics aren’t as safe and secure as people think.

Lemme tell you things I’ve done, and some things I just lost interest in doing but could have easily carried on doing (due to the ease of the process):

  • easily unlocked facial-recognition-protected phones by just using them when the owners were napping; a 5-year-old taught me this because she did it to her brother, to play games on his phone.

  • fine powder and tape, fingerprint found acquired :sunglasses:.

  • certain fingerprint sensors are also pretty dumb, you can literally use plastic to push on the sensors and it will think that you were the previously entered person :joy:. This doesn’t apply to all sensors though.

  • if you’re rich rich, then biometrics = liability = threat to life.

And then there’s also this thing where, you know, our used biometrics are already in major companies’ databases, so the more you use them, the more you’re giving to those companies, and data SELLS.

So yeah, use codes :rofl:

4 Likes

lmao :joy::joy:

Still trying to convince Saint and Fire to take me on as their Chief Public Relations Officer due to my honey-tongued way with words, my superior moral code and of course my modesty. :slight_smile:

Your points are similar to the ones I made. Biometrics are for identity verification, but do not necessarily contribute to security. Using it for logging on is basically still one-factor. Using biometrics in combination with a code or pattern on the other hand, that I could approve of.

So you would use codes over patterns?

Thing is, you need to consider the actual threat scenario. A snooping acquaintance? I have my phone in my pocket, so the mechanism I use is pretty irrelevant. Customs? Here it gets interesting: in some countries they can force you to unlock it with your fingerprint, but forcing you to give up a passcode is illegal. To some countries, like the US or China, you might simply not want to take your private phone (the US has a particularly interesting set of rules for customs if you’re not a citizen). A criminal with a sufficient monetary motive? It’ll be something along the lines of “unlock the phone or I start breaking joints”, in which case any mechanism is useless. (In my opinion that one is a major failure of security courses: they tend to not think about physical threats at all but get very geeky instead.) Just as one real example: there are countries where overnight abductions are a major thing. Criminals force you into a car at gunpoint and drive you past ATMs until your card doesn’t take any more money out. That scenario can also be used with phones…

For me, since my threat these days is at worst casual, I use biometrics as the most convenient one that works against random people. And I don’t leave it lying around where anyone can get at it. What you really want to think about is your defence mechanisms if someone gets in, like in the “criminal with motive” scenario. This is where deliberately low banking limits and things like that come into play.

1 Like

Pattern or PIN only, I don’t trust tech companies to give them my fingerprints or other biometrics.

2 Likes

Once (years ago) while traveling on a business trip, the border agent was incredibly invasive. The fellow in front of me had a laptop, and the agent ordered him to unlock it and he spent 5-7 minutes looking at all his photos. When it was my turn, he did the same thing to my phone… only a couple of minutes though, as it was a new-ish phone and I mostly had selfies my gf (now wife) had sent me, plus random screenshots etc.
Since then, every time I travel I shut my phone off completely and if asked, say the battery died, usually with the phone buried in my suitcase or backpack. Hasn’t been an issue.

I’m not big on blindly trusting govs, either. Any of them.

For everyday stuff though, I use my fingerprint scanner to open my phone (SE3 ftw…) and my wife has my passcode if needed. Since my phone has access to my emails, my Google Drive, my banking stuff, etc… my main security approach is simply always knowing where my phone is. :nerd_face:

2 Likes

I never knew border agents were allowed to view your personal devices so I thought this was a rare case, but apparently it’s normal: Examining digital devices at the Canadian border

Actually, the best approach is in making sure nobody else knows where your phone is. :slight_smile:

It is disconcerting though. Letting my phone actually die might be a solid strategy. Saves me from having to turn it off on the plane.

I sometimes consider what would happen to my data backups if I were to migrate across borders. I figure even if they would be allowed to ask for something like a decryption password, the safest way would be to store the backup on a multi-drive volume and take them across one at a time, each drive being illegible without the rest.

Or securing them with a TPM, requiring the exact motherboard to make the data readable. That’s a modern option. Seldom use it, because what if the motherboard breaks? Oops.

Or having the two locations connected to the Internet with remote logon and using a cloud storage to transfer them over.

In truth, it’s more an academic curiosity for me, a what if scenario. It doesn’t mean I have anything they would actually care about or anything which poses a threat to anybody, somehow it just feels off when people force me to show them even my photos of kittens playing with yarn. I don’t know, just feels like a pressure on my chest making it hard to breathe. I don’t like having no power over my life.

1 Like

My phone is in my pocket when I’m out, and on my desk at home unless I’m using it… the biggest concern I have at home is my daughter always wanting to play with it - one time she ordered a video security system from Amazon, thank you one-click Prime and big colorful images on the front page of the app… lol…

I moved across the country many years ago… didn’t cross any borders, but I didn’t trust my data to anyone or anything else (this was pre-cloud storage), so I carried well-padded and encrypted hard drives in a backpack… At the time I had half a terabyte of data, mostly movies, tv shows, and other media… anyway, nobody even mentioned it. However, I’d definitely think twice before crossing a border with hundreds of gigs of encrypted data… even if it was just torrented episodes of Family Guy, Stargate SG1 and other nerdy junk.

2 Likes

I’d give you two likes for mentioning Stargate but alas, the software won’t let me.

1 Like

That is incredibly invasive, I’ll probably take similar countermeasures when travelling. I have a lot of private information on my device, to the point where it would be more convenient for me to clean format it than to let some random security guard snoop through it.

1 Like

Not sure if this is appropriate here but we have gone into protecting-data territory. My friend who is a cop says that the new phones from Apple and Samsung have a feature that if you shut off your phone, the police and government cannot download your data. It locks them out and both companies are refusing to use their backdoor and constantly sue to protect privacy. Both are also planning on creating phones with no backdoor, citing possible hackers.

Bottom line if you are forced to hand over your phone, shut it off.

Also Signal is a good messaging app that is a competitor to WhatsApp but cannot be bought out due to its nonprofit nature, and DuckDuckGo is a great internet browser that blocks websites from trying to track you.

1 Like

Of course 2FA is the best we have right now but, not gonna lie, I really like FaceID. It won’t let you in if your eyes are closed, so the only way an attacker is going to get physical access is with a gun to your head. At that point nothing is going to work.

Can you share the feature? I’d like to know since I use a Samsung.

All you do is shut off your phone. When they turn it back on from being shut off, their system will no longer work.

1 Like

No biometrics for me. I was at one of those Amazon stores and the clerk tried to get my fiancee to pay using her palm. I damn near threw the machine out of the window.

5 Likes

Does anybody have one of those posts where Saint goes “R E C O N C I L I A T I O N” ? :wink:

I get the point though. I’m tempted to log on to work tomorrow to check if they have responded to me telling them their recommendations are wrong.

Thanks for the replies, everybody!

3 Likes