by bodz 3205 days ago
> They can't be phished because they aren't secrets.

And here lies the problem. Apple treats them as if they are.

"Your fingerprint is one of the best passwords in the world" - Apple during the keynote when they introduced TouchID[1]

"Your face is now your secure password" - Apple during yesterday's keynote introducing FaceID[2]

1: https://youtu.be/X5zt1V7H88I?t=227

2: https://youtu.be/K4wEI5zhHB0?t=109


I wouldn't have put it that way, but the claim Apple is making (in baby talk) is that these are good authenticators, not that they are good secrets. I don't think the average person in their audience has a strong reason to understand the difference. If people were used to biometrics and you tried to get them using passwords, then it would be critical to explain the difference (if you tell the wrong person your password, it loses all its security!)

The mistakes you can make by misunderstanding biometrics seem like more of a problem for system designers, who hopefully don't get their whole understanding of security from Apple keynotes.
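The distinction the comment above draws (a good authenticator is not the same thing as a good secret) can be shown concretely. The following is an added illustration, not code from this thread and not Apple's implementation: it contrasts a password scheme, where the verifier must receive the secret itself, with a biometric that only gates a device-bound key and where the verifier sees nothing but a signed fresh challenge. It assumes simplifications: the biometric match is an exact byte comparison (real matching is fuzzy), and the device key is an HMAC key shared at enrollment, standing in for the asymmetric keypair real hardware would use. All sample values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# ---------- Model 1: a password is a shared secret; the verifier must receive it ----------

def enroll_password(password: str) -> dict:
    """Server-side record: a salted PBKDF2 hash of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, presented: str) -> bool:
    """The client hands over the secret itself, so whoever receives it can reuse it."""
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["digest"])

def password_phish_outcome() -> bool:
    """True if a phisher who captured the typed password can log in as the user."""
    record = enroll_password("correct horse battery staple")   # constructed sample password
    captured_by_phisher = "correct horse battery staple"       # user typed it into a fake page
    return verify_password(record, captured_by_phisher)        # True: the secret is now theirs

# ---------- Model 2: a biometric is a local gate in front of a device-bound key ----------

class Device:
    """Simulated phone. Neither the template nor the key ever leaves this object."""
    def __init__(self, template: bytes):
        self._template = template      # the biometric: not secret, never transmitted
        self.key = os.urandom(32)      # device-bound key (HMAC stand-in for a hardware keypair)

    def sign_challenge(self, presented: bytes, challenge: bytes) -> Optional[bytes]:
        """Match the biometric locally; only on success sign the verifier's fresh challenge."""
        if not hmac.compare_digest(presented, self._template):
            return None
        return hmac.new(self.key, challenge, "sha256").digest()

class Server:
    """Relying party. Knows the device key from enrollment, never sees the biometric."""
    def __init__(self, device_key: bytes):
        self._device_key = device_key

    def new_challenge(self) -> bytes:
        return os.urandom(32)          # fresh nonce per login attempt

    def verify(self, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None:
            return False
        expected = hmac.new(self._device_key, challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)

FINGERPRINT = b"constructed-fingerprint-template"   # stands in for enrolled biometric data

def legitimate_login() -> bool:
    device = Device(FINGERPRINT)
    server = Server(device.key)
    challenge = server.new_challenge()
    return server.verify(challenge, device.sign_challenge(FINGERPRINT, challenge))  # True

def biometric_phish_outcome() -> bool:
    """Phisher poses as the server, collects a response, then replays it to the real server."""
    device = Device(FINGERPRINT)
    server = Server(device.key)
    phisher_challenge = os.urandom(32)                          # fake site's own challenge
    captured = device.sign_challenge(FINGERPRINT, phisher_challenge)
    real_challenge = server.new_challenge()                     # real site issues a fresh nonce
    return server.verify(real_challenge, captured)              # False: replay does not match

def stolen_template_outcome() -> bool:
    """Phisher has learned the biometric itself but does not hold the device."""
    device = Device(FINGERPRINT)
    server = Server(device.key)
    challenge = server.new_challenge()
    # Knowing the template gains nothing: there is no device key to sign with.
    forged = hmac.new(FINGERPRINT, challenge, "sha256").digest()
    return server.verify(challenge, forged)                     # False
```

The point the two models make: in model 1, disclosure of the password to the wrong party is total compromise, because the password is the credential. In model 2, the fingerprint is only what convinces the device to use its key, so a copy of the biometric, or a response captured by a fake site, gives a remote party nothing the real verifier will accept. That is the sense in which a biometric can be a good authenticator while being a poor secret.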

> I don't think the average person in their audience has a strong reason to understand the difference.

In my experience as a security consultant, one of the biggest problems (and it's a very big problem) we face is that average users lack training and awareness of good security principles. It's really bad to rely solely on system designers for your security. Even if your system designer is 100% effective, it just takes one unaware user to do something bad, such as giving their password over to a phishing call, and you're screwed. And if for nothing else, training and awareness are necessary because without them, you get users kicking and screaming when they don't understand why you've implemented certain security features, which typically means you end up implementing less security to avoid the kicking and screaming.

And just like in your average security training and awareness session you'll have a lesson on "don't give your password to someone on the phone, even if they claim to be your IT guy", we also have lessons on "fingerprints are not passwords, and you should not use them as such", but this is hard to get through people's heads when Apple's marketing material says otherwise (as shown in my previous comment).