[voidmain]

Biometrics can't be rotated. But they also can't be phished. People have been using "biometrics" to recognize people they trust since the beginning of time, and are pretty rarely fooled. They have also been using passwords since the beginning of time, and have been being compromised since the next day, when someone walked into the enemy camp by accosting a patrolling guard and demanding the password.

The most important factor of authentication protecting a mobile device is just possession of the device. Fingerprint or face unlock adds what so far in practice seems to be a decent layer of security. Eventually I expect that it will be improved a lot by greater situational awareness on the part of the device: you won't just have to steal the phone and fool the 3d camera, but do both without ever letting the phone see, hear, or otherwise sense anything suspicious. Which is probably getting into mission impossible territory in most situations.

But even without that, in practice I think your corporate secrets would be considerably better defended by something like face id and device identity than by, say, a password and a regular old 2fa token that are both easily and simultaneously and remotely compromised by sending the target an email from yourcompany-itdept.com asking them to log in.

[bodz]

> Biometrics can't be rotated. But they also can't be phished.

Sure they can. Haven't you ever seen a cop show where the detective tricks the suspect into drinking from a cup of coffee so they can lift the suspect's fingerprint from the cup?

"Hi John, nice to meet you! * shakes hand *" I now have John's fingerprints from where he touched me when he shook my hand.

"Hey John, can you send me a selfie?" I now have a picture of John's face and possibly his iris.

Hell, I bet it won't be long at all until someone finds a way to use the iPhone X's own "TrueDepth" camera to record a 3D scan of the user's face which can then be used to fool FaceID.

[voidmain]

They can't be phished because they aren't secrets. Yes, if you think of a biometric as a password it is an awful password. But it isn't; its primary source of security is the difficulty of presentation. You should not rely on the secrecy of your biometrics.

You probably don't worry very much that your loved ones have been replaced by impostors, and the reason is not that their appearance is secret! It's just that fooling your face, voice and other "biometrics" without making you suspicious would be, depending on the situation, somewhere between technologically impossible and way more expensive than it would be worth.

A secure biometric is one for which spoofing the sensor is as difficult or expensive as compromising the device hardware some other way. I agree with you that touch ID doesn't quite meet this standard, largely because device hardware has gotten much more tamper resistant in recent years! Hopefully face ID will be better. I can easily remember when it seemed absurd that normal consumer devices would ever have a chance of resisting compromise by a sophisticated adversary that had the device in their possession!

[bodz]

> They can't be phished because they aren't secrets.

And here lies the problem. Apple treats them as if they are.

"Your fingerprint is one of the best passwords in the world" - Apple during the keynote when they introduced TouchID[1]

"Your face is now your secure password" - Apple during yesterday's keynote introducing FaceID[2]

1: https://youtu.be/X5zt1V7H88I?t=227

2: https://youtu.be/K4wEI5zhHB0?t=109

[voidmain]

I wouldn't have put it that way, but the claim Apple is making (in baby talk) is that these are good authenticators, not that they are good secrets. I don't think the average person in their audience has a strong reason to understand the difference. If people were used to biometrics and you tried to get them using passwords, then it would be critical to explain the difference (if you tell the wrong person your password, it loses all its security!)

The mistakes you can make by misunderstanding biometrics seem like more of a problem for system designers, who hopefully don't get their whole understanding of security from Apple keynotes.

[bodz]

> I don't think the average person in their audience has a strong reason to understand the difference.

In my experience as a security consultant, one of the biggest problems (and it's a very big problem) we face is that average users lack training and awareness of good security principles. It's really bad to rely solely on system designers for your security. Even if your system designer is 100% effective, it just takes one unaware user to do something bad such as give their password over to a phishing call and you're screwed. And if for nothing else, training and awareness is necessary because without it, you get users kicking and screaming when they don't understand why you've implemented certain security features, which typically means you end up implementing less security to avoid the kicking and screaming.

And just like in your average security training and awareness session you'll have a lesson on "don't give your password to someone on the phone, even if they claim to be your IT guy", we also have lessons on "fingerprints are not passwords, and you should not use them as such", but this is hard to get through people's heads when Apple's marketing material says otherwise (as shown in my previous comment).