-1

After powering on laptops and desktop computers, you are allowed to use biometrics for login. But, as far as I know, biometrics are not allowed for unlocking phones after powering them on. You are only allowed to use biometrics after you've first unlocked the phone with a PIN/password.

  • Is there any special reason why it is so?
  • Is the biometric authentication on phones more susceptible to tampering?
schroeder
Charitoo
  • My phone requires the password to decrypt it and a pin to unlock the SIM card, but allows me to use biometrics to unlock it afterwards (no password required on first unlock). – user2313067 May 01 '20 at 05:36
  • @user2313067 The question was about what is generally the practice and why or how that practice may have come about. Your comment is irrelevant for these reasons: it's about a specific case, whereas the question is about a generality. Secondly, the question is about the phone system, which, with or without a SIM card, behaves in the manner I'm seeking to get more information on. Your comment is about the same process of unlocking I spoke about. Either you didn't read the question or you're just looking for something to downvote. – Charitoo May 01 '20 at 12:14
  • I didn't downvote, and my comment was more about whether the phone requires a pin to unlock or to decrypt. Android (at least version 8) makes it clear that the two are not the same while iOS asks for a password after reboot which might seem like simply unlocking, while it is in fact decrypting. – user2313067 May 01 '20 at 12:53
  • OK, the error is mine. – Charitoo May 01 '20 at 15:46

1 Answer

3

Passwords or even PINs can be used to derive a decryption key, which is important if a device's storage encryption is to be really secure. You can configure PCs this way too, requiring a password to decrypt the OS drive before booting. It's not, as far as I know, currently possible to reliably derive a secure cryptographic key from a fingerprint or other easily-measured biometric (and if it were, anybody who could scan the relevant biometric from you could probably derive the key themselves).

Login security on PCs is less based around "be secure if the device is stolen or physically tampered with", and more around "be secure against a network attack or a random user walking up to the interactive terminal". Phones rarely run network servers in the background, and while they can be stolen easily, they're less likely to be attacked by a random person wandering past your office while you're away. Indeed, until pretty recently, the assumption was that, if a talented attacker got unfettered access to a PC, they could get everything. Thanks to strong full-volume encryption, that's no longer true, but that happens long before the user sees an OS login screen.

With that said, biometrics of any sort found in commodity devices are definitely less secure than a good password. Of course, good passwords are inconvenient - especially on a phone - and people are bad at generating and using them (for example, a password you've used anywhere else is no longer a good password, and people reuse passwords all the time). Thus, phones strongly encourage the use of biometrics, while most PCs still ship without the capable hardware and many corporate policies disable the use of biometrics even when the hardware is present.

CBHacking
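A small model of the answer's point, added here as an illustration (not code from the question, the answer, or any phone vendor): an exact secret such as a PIN runs through a KDF to the same storage key every time, while a fingerprint scan is a noisy measurement that hashes differently on each read, so after a reboot only the PIN can recreate the key and a biometric match can only release a key already held in memory. The `Phone` class, the PBKDF2 parameters and the ±1 sensor noise are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo, not a real implementation: PBKDF2 stands in for the
# device's KDF, and sensor noise is simulated as -1/0/+1 drift per feature.

def derive_storage_key(pin: str, salt: bytes) -> bytes:
    """Deterministic key from an exact secret: same PIN + salt -> same key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=32)

def scan_fingerprint(true_template: list) -> list:
    """Simulate one sensor read of an enrolled finger (constructed noise)."""
    return [v + secrets.randbelow(3) - 1 for v in true_template]

def key_from_scan(scan: list) -> bytes:
    """Naive attempt to hash a scan straight into a key; changes with the noise."""
    return hashlib.sha256(bytes(scan)).digest()

def key_check_value(key: bytes) -> bytes:
    """What gets persisted instead of the key itself."""
    return hashlib.sha256(b"kcv" + key).digest()

class Phone:
    def __init__(self, pin: str, fingerprint_template: list):
        self.salt = os.urandom(16)
        self.key_check = key_check_value(derive_storage_key(pin, self.salt))
        self.template = fingerprint_template  # enrolled during setup
        self.storage_key = None  # state right after power-on: key not in memory

    def reboot(self) -> None:
        self.storage_key = None

    def unlock_with_pin(self, pin: str) -> bool:
        key = derive_storage_key(pin, self.salt)
        if not hmac.compare_digest(key_check_value(key), self.key_check):
            return False
        self.storage_key = key  # key stays in memory until the next reboot
        return True

    def unlock_with_biometric(self, scan: list) -> bool:
        if self.storage_key is None:
            return False  # nothing to release: a scan cannot reconstruct the key
        # Fuzzy match against the enrolled template, tolerating the sensor drift.
        return all(abs(a - b) <= 1 for a, b in zip(scan, self.template))
```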