by alxhill 3313 days ago
Whilst it's certainly valuable to make people aware of the limitations of the security systems we use, this shouldn't really come as a surprise. If someone is close enough and motivated enough to take a high-res photo of your face just to access your mobile device, they're also probably close enough to film you typing in your passcode - sure, you might do that less often, but for an average user are either of those things a real concern? The security model hasn't really been "broken" because if someone steals my phone they don't have access to the device by default.
3 comments

> If someone is close enough and motivated enough to take a high-res photo of your face just to access your mobile device, they're also probably close enough to film you typing in your passcode

Not sure about that. All of my friends, family and work colleagues are 'close enough' to me to take a high res photo of my face (and I'd gladly let them do it), but none of them can see my passwords when I'm typing or unlock my phone without my permission. For me this revelation is of big concern.

With a 4k camera and decent light conditions that could be possible in a public space. Whereas you can avoid entering your passcode in public spaces (or shield it well enough).

It shows again that for people with very valuable data (where others would spend significant amounts of money to get data), passwords remain the only secure way.

We should understand the attack model better and the likelihood of a successful eye capture.

We know that it's certainly less hard than knowing someone's password given a semi-sane password policy, but more difficult than scraping fb selfies and printing them.

Thinking out loud, I certainly don't share my phone password with my eye doctor, so there's one example of disclosure.