by namelost 3206 days ago
https://www.xkcd.com/538/ applies.

Neither Touch ID nor passwords keep determined intruders out. If someone really wants to know what's on your phone, they will arrest/kidnap you and threaten you with prison/violence.

2 comments

No security is going to keep "determined" intruders out. But the point is that you should still strive to achieve "good enough" security.

The problem is that while the actual ranking from least secure to most secure is "nothing < touchid/faceid < passcode", Apple's marketing and implementation give people the false impression that it's "nothing < passcode < touchid/faceid", which is bad for security.

I think "nothing < passcode < touchid/faceid" might be true for a startling number of people. I've seen many people with ridiculously easy passcodes and even funnier Android patterns (e.g., one of my colleagues uses his first initial as his Android unlock pattern, and my mom uses her dog's name as her passcode).

So Touch/FaceID isn't better than a good passcode, but maybe it's better than a crappy passcode.

And TouchID/FaceID that people use is way better than passcodes they do not because they're a pain in the arse.

I noticed a distinct improvement in the speed of the TouchID unlock going from an iPhone 6 to a 7, which pretty much reduced all friction to me using it. Apple's marketing fluff suggests FaceID will be "twice as fast" as TouchID.

I could be wrong, but doesn't a passcode actually encrypt the data (for sure on password manager/banking/etc apps) whereas FaceID/TouchID/<insert biometric here> doesn't? And what about hashing? AFAIK you can't really hash biometrics.

With Touch ID and Face ID, you are required to have a passcode. What's the point of Touch ID if it fails and doesn't have any other way into the phone? As for hashing biometrics, Apple has the Secure Enclave which is for storing the biometrics.

Isn't there a danger of providing 10 wrong passwords and thus triggering the data deletion built-in?