by rodolphoarruda 4704 days ago
> ...you have to have a phone...

And that's a problem if you live in some cities of the so-called third world where phones are stolen at the same rate bananas are picked from trees in Congo by monkeys. I don't feel comfortable at all about the "having a phone" part of my authentication process simply because the device can be stolen at any moment. My attorney had 16 phones stolen in the past 5 years. Virtually all the people I know had their phone stolen at least once. And if the idea of regaining access to your account without the phone is "hard" as claimed by Twitter's sec guys... ufff, I won't even bother to install the app thing. I think biometrics is the only security measure that will work in our violent cities here, not only for web services access, but for device usage itself.

2 comments

Someone compromising my Twitter account does not compare to having my phone stolen! If your Twitter account is a significant asset, you could keep a cheap smartphone on your desk as a smart card substitute, or practice strict password hygiene & not enable 2-factor authentication?
Biometrics is not fundamentally different from using a password lock, just stronger. It's virtually impossible to break iOS' encryption with today's technology.

Or you know, just don't use a phone... there are plenty of companies offering password management solutions using browser extensions or desktop software.

Do you really need to break iOS encryption? I'm not a big pro in iOS but I heard there are many forensic companies which specialize in extracting data from iOS devices, and from their pages[1] it looks like you can extract quite a lot of stuff from somebody else's phone.

[1] http://www.cellebrite.com/forensic-solutions/ios-forensics.h... http://www.elcomsoft.com/eift.html

Doesn't appear to be the case: http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-...

Their 'physical analyzer' doesn't work from the iPhone4S or iPad 2 onwards (under Click here to view all supported iOS devices).

Wait, so there's a backdoor, but the police don't own it? Then I'm pretty sure the NSA either has it or has a way to make Apple tell them how to use it, and it is done in some "security letter" manner that doesn't need a warrant and permissions from any non-kangaroo court. This is how these things are done these days. In any case, this confirms the backdoor exists and Apple has an official queue for police to use it. One can only guess who else can access it and with which procedure...