by wlesieutre
2776 days ago
>So you'd say that "there is an actual master password and the biometric authentication is being combined with a physical token as a shortcut/proxy" then? Because that's what it is. I'd say that the fingerprint is the single factor to unlock your phone and access all of your data. So I'm not sure I understand your point about a physical token. That the phone is a physical token that you need in order to unlock the phone? I guess that's true, but it's a weird way of describing it versus just calling the fingerprint a single factor used to unlock the physical device. That feels like saying "My house has two factor authentication, one factor is the key and the other is the house." The house isn't a second factor, it's the thing you're getting access to.

No, it's an important (and interesting I think) difference. Compare to many of the systems you deal with otherwise: with most of them the specific physical thing you're using to access the data isn't that (or at all) relevant. With your HN account for example, if the password were known then it doesn't need to be accessed from one of your devices. Nothing of yours needs to be physically possessed. You could say storage on one of your computer systems would require more physical access, and that might sort of be true (there are gradients in all these things), but from a pure technical perspective general practice has been, even with full disk encryption, that the password is still the root. For software FDE the password is generally going to go through a key stretching algorithm to turn it into something cryptographically usable and add some resistance to brute force of so-so keys as well as time/memory tradeoff attacks (rainbow tables), but it's a deterministic process. If you know the password, the key can be generated, including if the drive was pulled and put into another system or imaged onto some other piece of hardware entirely. Getting access to the data may present challenges depending on where it is (local could be harder than an attached drive which might be harder than a LAN volume, or the reverse). But once that data is acquired, knowledge of the password is sufficient.
But with a good smartphone (and starting to be more in computers via HSMs or built-in like Apple's T-series of chips) it'll instead be that the authentication factors go to a blackbox dedicated security chip, and that then handles keys which are entangled with hard burned-in data specific to that device. You cannot pull the storage or image it then unlock it; knowing the user's password is insufficient. For any data using that phone's hardware security as its root, you must go through that specific, physical chip regardless of any knowledge of biometrics or passwords. It is an integral part of the data security in a way that is not yet typical for traditional systems (let alone online). As far as I know all of those systems still have a password as one way to authenticate to them, with biometrics being another, and in principle they could make use of further automatic sensors too as well as do interesting things like require different authentication factors for different operations, or enable powerful anti-coercion features.
Of course, it also means if that chip ever has any trouble or gets lost, better hope to have backups because otherwise you're hosed; no recovery is possible even if the physical storage is completely fine and all the encrypted data is right there.
So "what you're getting access to" is the data and operational capability of the phone, but "how you do so" is going through a "separate physical token authenticated by another 2nd/3rd factor" (the hardware security chip), no different than if you had a USB HSM you plugged into your PC and made it a blackbox requirement for data decryption or certain operations like signing. Just because the connection between the separate token and what you're accessing happens to be direct solder and traces on a motherboard vs USB or PCIe or whatever doesn't mean it's not a separate factor here. And as it's the physical token intermediating, even total compromise of the system to be accessed doesn't by itself mean biometrics or passwords leak either.
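
The contrast drawn in the comment above, as an added example that is not part of the original thread: a password-only key derivation unlocks an imaged volume on any machine, while a key entangled with a per-device secret needs the original chip as well as the password. `SecurityChip`, the header layout, and the use of PBKDF2 and HMAC are assumptions made for illustration and do not describe any real chip's design.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value, kept low so the demo runs quickly

def stretch(password: str, salt: bytes) -> bytes:
    """Key stretching: the same password and salt give the same key on any machine."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def check_value(key: bytes) -> bytes:
    """Tag kept in the volume header so an unlock attempt can be verified."""
    return hmac.new(key, b"volume-key-check", hashlib.sha256).digest()

class SecurityChip:
    """Hypothetical model of a security chip holding a burned-in secret."""
    def __init__(self) -> None:
        self._uid = os.urandom(32)  # stands in for fused per-device data, never exported

    def derive(self, password: str, salt: bytes) -> bytes:
        # The stretched password is entangled with the device secret inside the chip.
        return hmac.new(self._uid, stretch(password, salt), hashlib.sha256).digest()

def make_header(derive, password: str) -> dict:
    """Create a volume header: a random salt plus the check value for the derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "check": check_value(derive(password, salt))}

def unlock(derive, header: dict, password: str) -> bool:
    """Re-derive the key and compare it against the header in constant time."""
    candidate = check_value(derive(password, header["salt"]))
    return hmac.compare_digest(candidate, header["check"])

def demo() -> dict:
    password = "correct horse battery"  # constructed sample password
    phone, other_chip = SecurityChip(), SecurityChip()
    software_image = dict(make_header(stretch, password))       # drive imaged elsewhere
    hardware_image = dict(make_header(phone.derive, password))  # storage imaged elsewhere
    return {
        "software_image_with_password": unlock(stretch, software_image, password),
        "hardware_image_password_only": unlock(stretch, hardware_image, password),
        "hardware_image_other_chip": unlock(other_chip.derive, hardware_image, password),
        "hardware_original_chip": unlock(phone.derive, hardware_image, password),
        "hardware_original_chip_bad_password": unlock(phone.derive, hardware_image, "guess"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```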