by sjy 2352 days ago
Do you really think it's impossible to "defend a physical device" – prevent an attacker from accessing and decrypting the data stored on it? I believe it is possible, that's the promise of hardware security modules. The article is about a mostly secure physical system that Apple undermines by encouraging the use of easily-cracked numeric PINs. I am not sure if the implementations are there yet, but biometric authentication looks like a promising solution to this problem.
3 comments
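An added toy model, not from this thread or from Apple's documentation, of the point sjy makes about hardware-bound keys: the passcode is entangled with a secret that never leaves the device, so a numeric PIN can only be guessed on the device itself, where guesses can be throttled. `ToySecureElement`, its `LOCKOUT` schedule and `worst_case_sweep_seconds` are constructed names and values for this example.

```python
import hashlib
import hmac
import secrets


class ToySecureElement:
    """Constructed model of a device-bound key store, not Apple's design: the
    device secret never leaves the object, the data key is derived from that
    secret plus the passcode, and failed guesses feed a lockout schedule."""

    # Delay (seconds) before the next guess, indexed by consecutive failures
    # so far; these values are constructed for the example.
    LOCKOUT = [0, 0, 0, 0, 0, 60, 300, 900, 3600]

    def __init__(self, passcode: str, iterations: int = 10_000):
        self._uid = secrets.token_bytes(32)  # per-device key, never exported
        self.iterations = iterations
        self.failed_attempts = 0
        self._verifier = self._derive(passcode)[:16]  # used to check guesses

    def _derive(self, passcode: str) -> bytes:
        # Entangling with the device secret means the same PIN on another
        # device yields a different key, so no offline dictionary applies.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid,
                                   self.iterations)

    def delay_before_next_guess(self) -> int:
        return self.LOCKOUT[min(self.failed_attempts, len(self.LOCKOUT) - 1)]

    def unlock(self, guess: str):
        """Return the data key on a correct guess, None otherwise."""
        key = self._derive(guess)
        if hmac.compare_digest(key[:16], self._verifier):
            self.failed_attempts = 0
            return key
        self.failed_attempts += 1
        return None


def worst_case_sweep_seconds(pin_digits: int, lockout=None) -> int:
    """Total delay someone holding the device pays to try every numeric PIN
    of the given length (KDF time ignored); shows that 4 versus 6 digits
    matters far less than whether guesses are throttled at all."""
    lockout = lockout or ToySecureElement.LOCKOUT
    return sum(lockout[min(failed, len(lockout) - 1)]
               for failed in range(10 ** pin_digits))
```

With throttling disabled (a schedule of all zeros) the same sweep costs only the KDF time per guess, which is the situation the thread describes as "easily cracked".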

> biometric authentication looks like a promising solution to this problem

Yep, and if it gets hacked, then all you need to do is change your fingerprints.

You need to think about this a bit more: biometrics are bad if you pass them over the network where an attacker can replay them but it's different in a local context where they never leave the device. You get a high-entropy key and an attacker who can get both your device and a sufficiently high-quality biometric scan can also simply do things like lock you in a room until you unlock the device. That seems like a reasonable compromise.

> it's different in a local context where they never leave the device

Until the next round of FBI tools, where they extract the fingerprints to their database as part of their unlocking process.

The handling of biometric data is designed to be secure between the sensors and the secure enclave. For example, data from the fingerprint sensor is encrypted when it is sent over the wires inside the device. The secure enclave does not store images of the fingerprint, but a representation of it which is not enough to reverse back into a fingerprint.

This is covered in the Apple Platform Security Guide.

https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/app... (I believe this link can change when the guide gets updated)

I don’t think any of the existing exploits actually involve extracting keys from a hardware security module.

How do they extract fingerprints? All competent biometric implementations store hashes for exactly this reason.

Fingerprints are famous for being left behind on pretty much everything you touch...

What makes you think that's relevant to the discussion here? The person I replied to was under the incorrect assumption that someone in possession of a phone could extract stored fingerprint images, which is not true of any well-designed biometric system.

If you do a little bit of reading about the topic, too, note how well-designed biometric systems require more than a simple fingerprint or photograph — e.g. Apple's FaceID has liveness checks for eye motion and uses a 3D scan. None of these are impossible for a well-resourced attacker but that's true of the alternatives as well. This is why you need to think in terms of threat models — e.g. the attacker who can get a high-resolution 3D scan of your face can also watch you type your passcode in so the latter isn't more secure in practice.

Biometrics shouldn’t be trusted this way. Biometrics are closer to a username, not a password.
Apple specifically uses biometric authentication (Face ID and their fingerprint thing) except when the device is first powered on. This is (at least partly) because of US legal rulings that allow LEOs to compel you to provide a fingerprint and similar biometric id but cannot compel you to provide a password.