[acdha]

You need to think about this a bit more: biometrics are bad if you pass them over the network where an attacker can replay them but it's different in a local context where they never leave the device. You get a high-entropy key and an attacker who can get both your device and a sufficiently high-quality biometric scan can also simply do things like like you in a room until you unlock the device. That seems like a reasonable compromise.

[ColanR]

> it's different in a local context where they never leave the device

Until the next round of FBI tools, where they extract the fingerprints to their database as part of their unlocking process.

[szc]

The handling of biometric data is designed to be secure between the sensors and the secure enclave. For example, data from the fingerprint sensor is encrypted when it is sent over the wires inside the device. The secure enclave does not store images of the fingerprint, but a representation of it which is not enough to reverse back into a fingerprint.

This is covered in the Apple Platform Security Guide.

https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/app... (I believe this link can change when the guide gets updated)

[sjy]

I don’t think any of the existing exploits actually involve extracting keys from a hardware security module.

[acdha]

How do they extract fingerprints? All competent biometric implementations store hashes for exactly this reason.

[mcphage]

Fingerprints are famous for being left behind on pretty much everything you touch...

[acdha]

What makes you think that's relevant to the discussion here? The person I replied to was under the incorrect assumption that someone in possession of a phone could extract stored fingerprint images, which is not true of any well-designed biometric system.

If you do a little bit of reading about the topic, too, note how well-designed biometric systems require more than a simple fingerprint or photograph — e.g. Apple's FaceID has liveness checks for eye motion and uses a 3D scan. None of these are impossible for a well-resourced attacker but that's true of the alternatives as well. This is why you need to think in terms of threat models — e.g. the attacker who can get a high-resolution 3d scan of your face can also watch you type your passcode in so the latter isn't more secure in practice.

[mcphage]

> the attacker who can get a high-resolution 3d scan of your face can also watch you type your passcode in so the latter isn't more secure in practice

If an attacker watched you type in your passcode, what would you do about it?

[acdha]

Probably not notice because it’s a hidden camera or drone way out of notice?