by domador 732 days ago
My own main objection is to biometric data being used as a password, since it is a publicly-viewable, likely-duplicatable password that can never be changed. My second objection is to the possibility of physical injury to me by someone that really wants to steal my credentials.
2 comments

> it is a publicly-viewable, likely-duplicatable password that can never be changed.

Is this true? I mean, you can't really show an iPhone a photo of your face to unlock it, can you? Or are you thinking of a different attack vector?

> My second objection is to the possibility of physical injury to me by someone that really wants to steal my credentials.

This possibility exists even if your creds are something you know. It also exists if your creds are something you have, and you happen to have them on your person.

> This possibility exists even if your creds are something you know. It also exists if your creds are something you have, and you happen to have them on your person.

I can hand over my credentials or secrets to a thief without injury to myself, but I can't safely hand myself over, or a piece of me.

> Is this true? I mean, you can't really show an iPhone a photo of your face to unlock it, can you? Or are you thinking of a different attack vector?

If you have the information that the iPhone wants to see, it is possible to create a synthetic face matching that data and hold it up in front of the phone.[1] You could also probably open up the phone and hotwire the sensors to give the hardened processor holding your Face ID data the readings it wants.

Both of these things are super difficult to do, and much further out of reach of your average thief than simply printing out a picture of the person's face, but the point remains that it is theoretically possible.

[1] Bkav Corporation has made masks that can fool Face ID for about $150: https://www.pcmag.com/news/researchers-claim-they-can-dupe-i... https://www.bkav.com/top-new/-/view-content/65202/bkav-s-new...

For what it's worth, you can be beaten with a wrench until you cough up a password also. Obviously there is a difference, but it's worth considering and understanding that.

Or I can cough up my password long before that, but if they need my biometrics, then they'll have to hold on to me personally... or a piece of me.