by joshavant 3636 days ago
I thought I once read that, since Touch ID relies on fingerprints, a US court order can compel you to provide those, thus forcing you to unlock an iPhone in question.

This, as opposed to a passcode-only configuration, which a court order cannot compel you to give (I believe since this would fall in the category of 'forcing you to testify against yourself').

If that is indeed the case, I imagine it would make better sense to leave Touch ID disabled, unlike what this article suggests.

5 comments

I leave it enabled, then power the phone off before interacting with The Man, like when going through customs. Touch ID is disabled on a fresh boot until you enter your passcode, so that basically turns it off temporarily. This is briefly mentioned in the article.

Another thing you could do is set it up with an unusual finger, like the middle-finger of your non-dominant hand. After five failed tries, Touch ID is disabled until you enter your passcode, so you can use the wrong finger five times when they ask you, and disable it that way. Say you're sweating too much or something (a common cause for real Touch ID failures for me).

It all depends on just how paranoid you are and what you want to defend against.

Having got sick of damp fingers blocking Touch ID I added my nose as one of the options. No more lockout during dish washing.
Are noses sufficiently different from one another that someone else's nose won't be able to unlock your device?
Can a US court order compel you to provide your nose print?
Someone needs to be the first to make the news for refusing to do so!
This works? Genius!
I did this so I can unlock my phone with my snowboarding gloves on. I can unlock with the nose and then press the texting app button with my nose to read texts.
Do we know if nose-prints are particularly unique? Or even unique in the context of how fingerprints are typically analysed?
I did this and then tested it against several friends and family. I could only unlock the phone about 75% of the time, but I never got a false positive after about 20 different tries over the next week or two (cleaning the sensor regularly, of course)
I'd guess probably not, but as a 'password' it might be suitably random if you only get 5 attempts.
Keep in mind this is strictly relevant to US jurisdiction. In Canada, I recall that you can be compelled by a court to give up a password, or be held in contempt. That being said, something like TouchID is irrelevant if the password is going to be forced out of you anyways.
This makes sense if you tell them that you know the password and refuse to give it, but what if you claim not to remember the password? Or claim never to have known it? What burden of proof is required then in order to be held in contempt?
They won't believe you and lock you up until you remember?

Contempt of court can basically be a "get into jail indefinitely" card.

From the wiki: "The civil sanction for contempt (which is typically incarceration in the custody of the sheriff or similar court officer) is limited in its imposition for so long as the disobedience to the court's order continues: once the party complies with the court's order, the sanction is lifted."

It seems a judge can "choose" not to believe you. Whether they truly don't or not is another problem, but officially they can claim so. I am not sure if it takes another superior judge to get someone out of jail in that case or ... or just wait for the original judge to retire...

I would like two passwords. One that unlocks the phone, and one that wipes the entire device immediately.
This would be useful if you had information that would put you in jail for the rest of your life, and certainly should be something offered for users who need it. However, being put in contempt of the court is no joke, and I can't imagine this would go over well if you tried it when compelled to unlock the phone.

Hidden containers similar to what TrueCrypt could do might take you farther in this regard. Self-destructing a hidden container should ideally not expose what you wish to protect and at least provide plausible deniability.

> If that is indeed the case, I imagine it would make better sense to leave Touch ID disabled, unlike what this article suggests.

It entirely depends on your threat model. If you are at hacker or tech conferences, TouchID is far better as it can't be shoulder surfed. If your threat model is nation-states, then you would take a different approach. As TFA says:

> Turn the phone off before entering any situation that might lead to you being coerced to use your fingerprint to unlock the phone.

If you never want Touch ID to work, you can just replace the home button in the phone. It's a security feature from Apple--a new home button will never work with Touch ID again.

It's not too difficult to swap a home button yourself with the right tools, or most stores will do it for ~$49 to $59 (depending on your iPhone model.)

If you have a store do it, definitely ask for your original home button back in case you change your mind later or sell your phone.

Just don't set up Touch ID?
Obviously, but if you're as security-minded as this article author is, I'd trust a hardware solution over a software solution. It's the difference between turning off your camera and actually unplugging your camera (for instance.)
Except, it's really not. If you've never set up Touch ID on the device, then there's no fingerprint for it to even compare to; it'd be impossible for it to authenticate.
Yeah, fuck Touch ID. In my opinion, a computer security feature that works when you are unconscious is not a computer security feature.
Talk about throwing out the baby with the bathwater. Being unconscious is a very rare use case for iPhone. In other cases, having protection provided by Touch ID beats a passcode, which is too inconvenient, so many would skip it and be left without ANY protection. Touch ID is basically transparent and provides adequate protection for common scenarios.
I would rather have no passcode than use Touch ID.
Instead of being vulnerable in some specific scenarios, you want to be vulnerable in a lot of common scenarios as well as the original ones?
Correct. I feel that Touch ID is security snake oil.