by wlesieutre 2776 days ago
I would describe the difference in a much simpler way:

For the security of my Gmail account you need 1) password, 2) TOTP code, 3) an internet connection to Google

For the security of a physical place like my house, you need 1) a key, and 2) to physically be at my house. The being at my house part is more analogous to having an internet connection than to another authentication factor.

The phone as a material object follows a threat model like my house. If someone has a copy of my fingerprint and is physically at my phone, that's like having a copy of my house key and being at my house.

It's true that someone in China can't remotely break into my phone with the fingerprint, just like someone in China can't take a copy of my house key and steal my television.

So yes, there's security value in needing physical proximity, but I think it's a stretch to describe it as a second authentication factor.

How the secure enclave and encryption work is immaterial to the fact that if I leave my phone sitting on my desk, you only need one thing to get to my data, and it's a fingerprint that, for all I know, someone pulled off of a Starbucks cup 10 years ago after I tossed it into a rest stop trash can. My only option to avoid that is "disable the fingerprint scanner", because it's a single authentication factor that I physically cannot change, unlike a leaked password.

Anyway, I think we agree on how it works; we're just arguing over the semantics of how to describe it.