[xoa]

No, that is just not how "secure" works, you need to take into account all the details of the system in question and the threat model. Usually biometrics is not being used alone, there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy. Someone "getting ahold of your [fingerprints|eyeballs|face|internal chip|whatever]" and the physical "token" (smartphone being the most common) amounts to a targeted physical attack, which is a very difficult class to deal with but also not scalable. Don't count on any naive or technical only method to defeat this: passwords may well be worse because in any non-physically secure setting it's far more trivial to shoulder surf a passcode entry then to grab biometrics and seize the token. Furthermore most people are simply unwilling (with good reason) to deal with an appropriately complex passcode in constant usage on the go, so it's a case of biometrics+complex password taking the place of say a 6 digit PIN.

It seems like every single HN thread on biometrics somebody comes in to proclaim for the nth time that "finger prints aren't passwords!!" or something of that nature, as if "something you know/something you have/something you are" haven't long been known and considered as basic building blocks of authentication with various tradeoffs vs different threat scenarios. Your kind of oversimplification is not helpful given that it can actively harm real world security, which requires amongst other things actually working with how actual humans really are and making the right economic tradeoffs.

[wlesieutre]

I would say biometrics is “usually” used in phones where it’s used completely on its own to unlock them.

You might still need a PIN to install an OS update, but that won’t keep someone from going through all of your photos and emails.

[xoa]

>I would say biometrics is “usually” used in phones where it’s used completely on its own to unlock them.

So you'd say that "there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy" then? Because that's what it is.

>but that won’t keep someone from going through all of your photos and emails.

Neither will a PIN in a targeted physical attack. The long, good master password can defend against offline attacks (including most particularly backup data stores off of any specific device), serve as a line of defense against lower level modifications, etc. You keep "someone" from going through device data through physical defense of the device, difficulty of time-to-attack vs methods like remote wipes or physical limits, network reqs, perhaps coercion code/auto sensor limits down the road, and on and on. All within the framework of expected cost/benefit, like all security.

[Retric]

No, because generally the only things of value are protected by a fingerprint.

It's like keeping a safe unlocked while keeping the safes bios protected. It's the content that matters not the OS.

[wlesieutre]

>So you'd say that "there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy" then? Because that's what it is.

I'd say that the fingerprint is the single factor to unlock your phone and access all of your data. Sp I'm not sure I understand your point about a physical token. That the phone is a physical token that you need in order to unlock the phone?

I guess that's true, but it's a weird way of describing it versus just calling the fingerprint a single factor used to unlock the physical device.

That feels like saying "My house has two factor authentication, one factor is they key and the other is the house." The house isn't a second factor, it's the thing you're getting access to.

[xoa]

>That the phone is a physical token that you need in order to unlock the phone? I guess that's true, but it's a weird way of describing it versus just calling the fingerprint a single factor used to unlock the physical device.

No, it's an important (and interesting I think) difference. Compare to many of the systems you deal with otherwise: with most of them the specific physical thing you're using to access the data isn't that (or at all) relevant. With your HN account for example, if the password were known then it doesn't need to be access from one of your devices. Nothing of yours needs to be physically possessed. You could say storage on one of your computer systems would require more physical access, and that might sort of be true (there are gradients in all these things), but from a pure technical perspective general practice has been, even with full disk encryption, that the password is still the root. For software FDE the password is generally going to go through a key stretching algorithm to turn it into something cryptographically usable and add some resistance to brute force of so-so keys as well as time/memory tradeoff attacks (rainbow tables), but it's a deterministic process. If you know the password, the key can be generated, including if the drive was pulled and put into another system or imaged onto some other piece of hardware entirely. Getting access to the data may present challenges depending on where is (local could be harder then an attached drive which might be harder then a LAN volume, or the reverse). But once that data is acquired, knowledge of the password is sufficient.

But with a good smartphone (and starting to be more in computers via HSMs or built-in like Apple's T-series of chips) it'll instead be that the authentication factors go to a blackbox dedicated security chip, and that then handles keys which are entangled with hard burned-in data specific to that device. You cannot pull the storage or image it then unlock it, knowing the user's password is insufficient. For any data using that phone's hardware security as its root, you must go through that specific, physical chip regardless of any knowledge of biometrics or passwords. It is an integral part of the data security in a way that is not yet typical for traditional systems (let alone online). As far as I know all of those systems still have a password as one way to authenticate to them, with biometrics being another, and in principle they could make use of further automatic sensors too as well as do interesting things like require different authentication factors for different operations, or enable powerful anti-coercion features.

Of course, it also means if that chip ever has any trouble or gets lost better hope to have backups because otherwise you're hosed, no recovery is possible even if the physical storage is completely fine and all the encrypted data is right there.

So "what you're getting access to" is the data and operational capability of the phone, but "how you do so" is going through a "separate physical token authenticated by another a 2nd/3rd factor" (the hardware security chip), no different then if you had a USB HSM you plugged into your PC and made it a blackbox requirement for data decryption or certain operations like signing. Just because the connection between the separate token and what you're accessing happens to be direct solder and traces on a motherboard vs USB or PCIe or whatever doesn't mean it's not a separate factor here. And as it's the physical token intermediating even total compromise of the system to be accessed doesn't by itself mean biometrics or passwords leak either.

[wlesieutre]

I would describe the difference in a much more simple way:

For the security of my Gmail account you need 1) password, 2) TOTP code, 3) an internet connection to Google

For the security of a physical place like my house, you need 1) key, and 2) physically be at my house. The being at my house part is more analogous to having an internet connection than another authentication factor.

The phone as a material object follows a threat model like my house. If someone has a copy of my fingerprint and is physically at my phone that's like having a copy of my house key and being at my house.

It's true that someone in China can't remotely break into my phone with the fingerprint, just like someone in China can't take a copy of my house key and steal my television.

So yes, there's security value in needing physical proximity, but I think it's a stretch to describe it a second authentication factor.

How the secure enclave and encryption works is immaterial to the fact that if I leave my phone sitting on my desk, you only need one thing to get to my data, and it's a fingerprint that for all I know someone pulled off of a Starbucks cup 10 years ago after I tossed it into a rest stop trash can, and my only option to avoid that is "disable the fingerprint scanner" because it's a single authentication factor that I physically cannot change, unlike a leaked password.

Anyway, I think we agree on how it works, we're just arguing over the semantics of how to describe it.