[naravara]

>For pretty much anyone who is logged into their work email/VPN via their phone, or is using fingerprint scanners to secure their work laptop, this is a very real concern that I have seen exploited a few times in the real world.

You're conflating every fingerprint scanner with the Apple's implementation of TouchID, which is far more secure than the check-the-box-to-win-a-government-contract stuff that's been built into most laptops. If it's that important, use a biometric print AND a PIN. Easy enough no? At least way easier than requiring an absurd password requirement that people wind up writing into a post-it-note anyway.

>You can defeat TouchID with $10 worth of office supplies and some play-dough.

And by having a person physically press the correct finger onto your obvious fingerprint-stealing device. . .k But if someone has the power to compel you to do that, they have the power to compel you to just put your finger on your phone for them.

>Since your phone literally has your fingerprint left on it from when you touched it, this isn't really a difficult task.

This is even more involved. This involves having to lift the print with a high fidelity scanner and create a latex mold of it. What are you securing on your phone where this is a concern? And what do you think they're going to do when there is a face-scanner or retina scanner? I suppose they could just clone you, wait however many years for the clone to mature, and then use it.

> it's even worse if you're one of the people who uses a password manager on your phone that is also locked with fingerprint.

Maybe if fewer services forced people into using inane and impossible-to-remember passwords and just relied on biometric authentication instead folks wouldn’t need password managers that are so easy to unlock. Not everything needs the level of security of my bank-account, and when ever service a person interacts with wants to pretend they're a bank or credit card then it makes people take their bank or credit card's information less seriously than they need to out of sheer fatigue.

Security should be about fostering secure behaviors and culture in your users, not just ramming the most technically secure set of rules at people regardless of the context. That just makes people behave in insecure ways, like what you're talking about, because you haven't bought them into the importance of the big picture.

>it's just made more difficult to do that when Apple is pushing falsehoods like "TouchID is the most secure thing ever!" in all of their marketing materials.

I don't understand how you derived THAT from this: >Much of our digital lives is stored on our Apple devices, <b>and we recommend that you always use a passcode or password to help protect this important information and your privacy. Using Touch ID on your iPhone, iPad, and MacBook Pro is an easy way to use your fingerprint instead of a password for many common operations.</b>

[bodz]

> You're conflating every fingerprint scanner with the Apple's implementation of TouchID, which is far more secure than the check-the-box-to-win-a-government-contract stuff that's been built into most laptops.

No, I'm not. TouchID is the most popular implementation, and because it's present on every iPhone (which is the most common device to be a work phone, and thus also connected to work email and work networks), and because TouchID is also insecure, thus arises the problem.

> If it's that important, use a biometric print AND a PIN.

This is not possible on the iPhone, and wouldn't solve the problem anyway: consumers are under the false impression that fingerprints are the best security available, and they become frustrated to learn that Apple has been lying to them when corporate IT tells them fingerprints actually suck and they can't use fingerprint locks (or have to use fingerprint + something else) if they also use their phone for work stuff.

> And by having a person physically press the correct finger onto your obvious fingerprint-stealing device. . .k But if someone has the power to compel you to do that, they have the power to compel you to just put your finger on your phone for them.

What? No, you don't. You're just making stuff up now. You can steal someone's fingerprint by simply having access to something they touched, and then you can duplicate it with $10 worth of office supplies.

> This is even more involved. This involves having to lift the print with a high fidelity scanner and create a latex mold of it. What are you securing on your phone where this is a concern?

Network access to a corporate environment that has millions of SSNs, credit card numbers, etc. You think that a few hours of fiddling around with a latex mold is "too much work" for this? Think again.

> Maybe if fewer services forced people into using inane and impossible-to-remember passwords and just relied on biometric authentication instead folks wouldn’t need password managers that are so easy to unlock.

You miss the point. This wouldn't solve the issue at all, and would actually worsen it. Fingerprints are inherently insecure. Using fingerprints for more accounts is, thus, more insecure.

> I don't understand how you derived THAT from this:

I "derived" it from years of experience working as a cybersecurity consultant where at every company someone complains that "Apple says it's secure, so you must be wrong". Watch the keynote. Apple refers to TouchID as "the gold standard", "one of the most powerful passwords in the world", says "it is the most advanced technology", calls it "very high security".

[naravara]

>(which is the most common device to be a work phone, and thus also connected to work email and work networks)

So your VPN isn't adding any extra layer of auth? This doesn't seem like a TouchID problem. . .

This is also a security design problem. You shouldn't be transmitting sensitive information via e-mail. If I want sensitive data stored in your e-mail, I'd start with a phishing attack long before I decide that physically jacking your phone and coming up with a complicated finger-print stealing process is the way to go.

>This is not possible on the iPhone,

To unlock the phone. You can add addition layers after the iPhone auths all you want.

>consumers are under the false impression that fingerprints are the best security available, and they become frustrated to learn that Apple has been lying to them when corporate IT tells them fingerprints actually suck

Heh. If your clients trust Apple's marketing more than their own IT people this again speaks to me of a severe communication problem among the IT people.

>You can steal someone's fingerprint by simply having access to something they touched

Not with high enough resolution to reliably fool TouchID in few enough attempts to keep it from passcode locking you out. You're fixation on worst-case scenarios where your adversaries benefit from multiple passes of blind luck doesn't make for great or realistic risk-assessment.

>Network access to a corporate environment that has millions of SSNs, credit card numbers, etc. You think that a few hours of fiddling around with a latex mold is "too much work" for this? Think again.

And you're not monitoring for suspicious activity or any additional access control on a data source that has all that sensitive information? You're just letting people mosey on into it with just their phones without so much as a warning flag going up somewhere?

>Fingerprints are inherently insecure. Using fingerprints for more accounts is, thus, more insecure.

This is both highly simplistic and wrong. For one thing, passwords are also inherently insecure, especially when people write them on sticky notes and put them under their monitors. Secondly, not all accounts need maximal security. Not all activities within an account need to give people access to the maximal extent of their privileges. Insisting on going all out on every single thing people try to do fosters insecure habits and insecure system design. You're making the problem worse.

>Apple refers to TouchID as "the gold standard", "one of the most powerful passwords in the world", says "it is the most advanced technology", calls it "very high security".

None of which is false for the use cases they're talking about. You're talking about access to sensitive PII, which Apple did not tell you to gate behind TouchID. I also have years of experience in Infosec and setting the record straight on things takes all of 30 seconds of explanation and taking the time to understand their business context. All it takes is to not treat your clients with contempt.