by arglebarglegar 1735 days ago
the whole argument is “biometrics are harder than you think to fake, better than nothing, and in a scenario where you’re being physically assaulted a password isn’t much safer”

what’s the issue? he’s not advocating for you to stop using a strong password if you already are, he’s saying people who use nothing should be encouraged to use something… perfect is the enemy of good

2 comments

You miss another part: Normalizing the use of biometrics may create a situation where you don't have a choice to use something else. It's similar to phone number verification.
> he’s not advocating for you to stop using a strong password if you already are

Did you read the article? He is exactly saying that acquiring your password (however strong) is in most circumstances much easier than acquiring your fingerprints.

He's not just saying that biometrics are better than nothing, because of course everybody agrees with that - no privacy/security activist ever said 'the police could compel you to unlock your phone with a finger, therefore you should keep your phone unlocked'!

Correct. I'm not saying he's wrong, I'm saying he's irresponsible.

I absolutely want any so-called security expert to always also include the big picture or shut up forever. There's too much confusion and too much at stake for people as big as him to isolate personal security from big picture privacy.

I believe that Troy is quite clearly including the big picture, but his assumptions about it may be different from yours. In particular, he's effectively making the point that, in the big picture of defense from competent adversaries, there is no major difference between passwords and biometrics (by providing examples where trying to rely on passwords doesn't help much), and thus discussing those attacks simply isn't relevant for a discussion on "biometrics vs passwords for the common person". It would be worthwhile to discuss the weakness of biometrics to e.g. state-level actors if and only if the alternative (PIN codes/passwords) is meaningfully different in that regard, and IMHO it isn't, as a resourced attacker can e.g. unlock phones without the owner's cooperation no matter whether you're using a fingerprint or a passcode.