[patates]

I'm not a security expert, but as far as I know, the fingerprint should only be used to identify a user (like a username), not authenticate.

Not sure about how much data any entity could leak but if you want to be sure, perhaps you can use a different method on your phone?

> Even if a third party has my biometric fingerprint details, can I rely on how physical access to my phone is necessary to bypass the fingerprint lock?

I think not, if the third party is a government.

[heads]

Fingerprints alone are simply a number that is generated by your finger on a reader, and then sent to some other system.

Think of a fingerprint reader as a USB keyboard that types out your fingerprint number for you when you touch it. While an attacker can steal the finger and put it on the reader they are more likely to steal the number and type it in with a regular keyboard.

Border controls are about building a (passport, face, fingerprint) tuple under human (or remote human) supervision on trusted hardware to control physical movement. It feels like one of the few cases where fingerprint readers do actually work as an application.

Now that the border police have your magic finger number they can indeed unlock your phone too. It’s an offline attack though — they need to get logic probes between the reader and the CPU — so if the phone locks with a PIN after reboot, magic key press, or a period of time then that’s the appropriate defence.

[phh]

> It’s an offline attack though — they need to get logic probes between the reader and the CPU — so if the phone locks with a PIN after reboot, magic key press, or a period of time then that’s the appropriate defence.

I'm expecting that if you want to do it at scale (like once a day per airport), you can 3d print them within an hour

[fragmede]

the magic finger number has a challenge response, so they can't do that (to an iphone)

[haarts]

If the third party is a government (any random three letter agency) none of your opsec matters. Move to Russia as Snowden did.

[amenghra]

Just because your government can break your opsec doesn’t imply it’s not worth doing your best. Maybe you’ll avoid being caught in a lower-cost/mass surveillance system and you might not do anything to attract a more dedicated attack.

Re fingerprint: there’s risks around having your fingerprint lifted from something you touch (eg a glass). It’s a movie trope but it’s not that far fetched from being doable. Eg from 20 years ago: https://www.theregister.com/2002/05/16/gummi_bears_defeat_fi...

[zahllos]

Just want to point out that foreign nationals are apparently sometimes fingerprinted and their DNA swabbed too on entry (according to the travel advice of several governments) - and electronic devices are sometimes searched at the border too. Biometrics are routinely taken for longer stays according to: https://www.themoscowtimes.com/2021/07/01/russia-imposes-bio...

[pointlessone]

In Russia they don’t use harvested fingerprints to unlock phones. They use wrenches and flat irons to get info and bad windows on higher floors and polonium tea to prevent anyone else getting info.

[underdeserver]

Not only in Russia.

[RamblingCTO]

Yes. You might just accidentally fall out of the window, no problem.