18

This likely stems from my complete lack of familiarity with encryption technology and IT security in general, however it isn't clear to me how biometric authentication (such as Apple's TouchID) makes the data it protects more secure than a simple password.

It's clear to me that, individually, biometric authentication is more secure than a memorable passcode. A fingerprint, face or voice can't really be "guessed", for example, in the same way a password can, and is characterized by something like thousands or millions of datapoints. However, biometric authentication systems such as TouchID often only complement a simple passcode. If, for whatever reason, I'm unable to unlock my iPhone with my face or thumb, I can still unlock it with a 4-digit passcode.

Since e.g. TouchID only adds another way to unlock e.g. an iPhone, isn't the protected data in principle easier to "hack" (and, in practice, something like just as difficult)? There are now two "entryways".

10GeV
  • 291
  • 1
  • 4
  • 5
    *"More secure"* - **citations needed**. Never heard it anywhere before. Like you said biometric authentication often exists as a complementary, not primary form of authorization. – Artem S. Tashkinov Jul 22 '22 at 08:34
  • Are you asking how it's more secure than password or how does it protect data more securely than password does? – defalt Jul 22 '22 at 14:35
  • 3
    It's just more convenient. BTW: it's actually relatively easy to create a copy of fingerprints. In fact, given current camera resolution it's possible to take a photo of a politician waving at a crowd and build a working copy of their fingerprints (various people have demonstrated this already). So a fingerprint alone is way less secure than the average person thinks it is, however as an MFA factor I'd say it is okay. – GACy20 Jul 22 '22 at 15:12
  • 2
    *More Secure* begs the question of *secure from whom* and under what circumstances? For example, *Biometrics* are completely insecure to anyone with physical access to your body. – user10216038 Jul 23 '22 at 21:54
  • 1
    It is worth noting that some jurisdictions permit the police to physically force you to provide your biometric information to unlock a device. They can physically grab your hand and hold it to the device. A good password cannot be defeated so easily. – Tom Jul 24 '22 at 03:20

4 Answers

35

The main reason for Apple to introduce TouchID was to make people use more complex passwords. For the sake of quick and easy access to their phones, people often used very simple passwords or no passwords at all, because they found it impractical to type in long passwords.

With TouchID, it became possible to use long and thus more secure passwords, while still being able to quickly and easily access the phone with just a finger's touch.

So, while TouchID does not add security by itself, its practical use makes it possible to improve the security of the existing protection method.

not2savvy
  • 710
  • 5
  • 12
  • 7
    But they didn't add longer passwords. My iPhone has Face ID but the passcode is still just 6 digits. – Barmar Jul 22 '22 at 15:23
  • 3
    @Barmar That’s configurable. I don’t remember the default configuration, but you can use any length you want, and you’re not restricted to numbers either. – not2savvy Jul 22 '22 at 15:42
  • 2
    @Barmar go into Settings and change your passcode. When it asks for your new passcode, touch Passcode Options. You can choose from Custom Alphanumeric Code, Custom Numeric Code, or 4-Digit Numeric Code. Without going into Passcode Options, it defaults to a 6-Digit Numeric Code. – Jeremy Jul 22 '22 at 15:48
  • @Jeremy Thanks, I didn't know about that, I just updated. – Barmar Jul 22 '22 at 16:38
  • 2
    @Barmar even that's already progress, the first iPhones used 4-digit passcodes. – Tom Jul 23 '22 at 06:11
  • Don’t biometric unlock mechanisms also defeat keyloggers and shoulder surfing? – Todd Wilcox Jul 23 '22 at 10:08
  • @Tom 4 digits is still an option – OrangeDog Jul 23 '22 at 11:16
  • 1
    How does Apple make long/strong passwords based on biometric data? – Braiam Jul 23 '22 at 11:59
  • 1
    @Braiam Of course, the users still select their passwords, not Apple. – not2savvy Jul 23 '22 at 12:02
  • 2
    @ToddWilcox They do if implemented correctly, though it’s worth noting that it’s not hard with a targeted attack to steal the biometric credentials that typically get used (especially fingerprints, because most fingerprint sensors in use today are extremely low tech and have rather poor scanning resolution, meaning that you just need to get close, not have an identical match). – Austin Hemmelgarn Jul 23 '22 at 12:51
  • Also note that Android limits passwords to 16 characters, which is better than @Barmar's 6-digit PIN, but not as good as a 56-character passphrase. – Ian Boyd Jul 23 '22 at 19:09
  • Can you add to your answer *how* TouchID facilitates the use of longer and more complex passwords? – RockPaperLz- Mask it or Casket Jul 24 '22 at 09:23
  • 3
    @RockPaperLz-MaskitorCasket I’m not sure how that is unclear? Can you ask a specific question that seems still open for you? – not2savvy Jul 24 '22 at 10:59
  • This is a similar point to how Windows UAC *increases* security. In reality, UAC *decreases* security by making it easier to elevate privileges. However, by making it easier to elevate privileges *when you need them*, then you are less inclined to needlessly operate with elevated privileges when you *don't* need them. Before UAC, Windows users used to work permanently logged in as administrators because it was so painful to become an administrator temporarily when you needed to. Since UAC, most users are logged in as less privileged users only elevating via UAC when needed. – Jörg W Mittag Jul 25 '22 at 00:40
  • @RockPaperLz-MaskitorCasket Using a long complex password takes time so people simply **won't** use a long & complex password if they need to use it multiple times a day. Having a fingerprint means that the user can choose a long&complex password and use it just once every few days/weeks, while the rest of the time they just use their fingerprint. So you trade the security of the fingerprint with its convenience... A fingerprint is way better than having a 4-digit pin (which 50% of the time is a date or something like that) or a drawing sequence. – GACy20 Jul 25 '22 at 10:32
  • @GACy20 Thanks. Your comment provides the key information that I felt was missing from the answer. – RockPaperLz- Mask it or Casket Jul 25 '22 at 23:57
17

In addition to the points made by others, if you use only a PIN then you have to use a PIN to unlock it in public. Each unlock is a chance for someone to see or record in video what your unlock code is. Overcoming biometric authentication if they steal your phone and have never seen you enter your PIN is much more difficult.

Jason Goemaat
  • 592
  • 3
  • 7
2

You are correct that the authentication is only as strong as its weakest method, but there's one more feature that complements raw secret entropy:

Rate limiting

If you have an authentication method that is only used sporadically, you can afford to have extremely strict rate limiting for wrong guesses. The iPhone, for example, locks itself completely on only six wrong guesses.

That's a 0.06% chance of guessing a 4-digit PIN, not to mention that failed attempts will alert the owner about the break-in. And since the guesses are tracked by the phone's Trusted Platform Module, it's exceptionally hard to bypass the rate limiting.

BoppreH
  • 324
  • 1
  • 8
  • 5
    While this is absolutely true, I fail to see the connection to the actual question. – not2savvy Jul 22 '22 at 16:47
  • @not2savvy OP is asking how adding another authentication method doesn't reduce security. My answer is that it allows the authenticator to change the remaining methods to make them safer. – BoppreH Jul 23 '22 at 17:04
  • I don’t think rate limiting was introduced with TouchID or because of it. It existed before, and I think the limits were just the same. But if that’s the connection you want to refer to, you should update your answer. – not2savvy Jul 23 '22 at 17:32
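A worked illustration of the two arguments above, the first answer's point that biometrics make longer passcodes practical and this answer's point that a strict lockout counter caps what a guesser can achieve. This is added example code, not code from any of the answers or from Apple; the passcode policies, the six-failure lockout and the uniform-guess assumption are all constructed for the illustration, and the in-memory counter only models what a device-side secure component would keep out of the OS's reach.

```python
import math
from dataclasses import dataclass

# Constructed passcode policies (assumption: secrets are chosen uniformly
# from the space; real users' PINs are far from uniform, as the comments
# about dates and patterns point out).
PASSCODE_SPACES = {
    "4-digit numeric": 10 ** 4,
    "6-digit numeric": 10 ** 6,
    "8-char alphanumeric": 62 ** 8,
}


def entropy_bits(space_size: int) -> float:
    """Entropy of a uniformly chosen secret from a space of the given size."""
    return math.log2(space_size)


def guess_probability(space_size: int, attempts: int) -> float:
    """Chance that an attacker trying distinct guesses succeeds within
    `attempts` tries; e.g. 6 tries against 10**4 PINs is 0.0006 (0.06%)."""
    return min(attempts, space_size) / space_size


@dataclass
class LockoutGate:
    """Model of a failure counter that locks after max_failures wrong
    guesses (hypothetical model, not the real device logic)."""
    secret: str
    max_failures: int = 6
    failures: int = 0
    locked: bool = False

    def try_unlock(self, guess: str) -> bool:
        # Once locked, every attempt is refused regardless of the guess.
        if self.locked:
            return False
        if guess == self.secret:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def simulate_bruteforce(secret: str, digits: int, max_failures: int = 6):
    """Enumerate numeric PINs in order against a LockoutGate and report
    whether the guesser got in and how many attempts it took before
    success or lockout."""
    gate = LockoutGate(secret, max_failures)
    tried = 0
    for i in range(10 ** digits):
        tried += 1
        if gate.try_unlock(str(i).zfill(digits)):
            return True, tried
        if gate.locked:
            return False, tried
    return False, tried


def policy_summary(max_failures: int = 6) -> dict:
    """Per policy: entropy in bits and the success chance of a guesser
    who is stopped after max_failures attempts."""
    return {
        name: {
            "bits": round(entropy_bits(size), 2),
            "p_success": guess_probability(size, max_failures),
        }
        for name, size in PASSCODE_SPACES.items()
    }


if __name__ == "__main__":
    for name, stats in policy_summary().items():
        print(f"{name:22s} {stats['bits']:6.2f} bits  "
              f"p(success in 6 tries) = {stats['p_success']:.2e}")
    print(simulate_bruteforce("0003", 4))  # guesser gets in on attempt 4
    print(simulate_bruteforce("9999", 4))  # locked out after 6 attempts
```

The summary shows why the two mechanisms are complementary rather than additive weaknesses: the lockout bounds the guess count, and the longer passcode that the biometric makes tolerable shrinks the per-guess success chance from 6 in 10,000 to 6 in a million or far less.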
0

I am not sure it is more secure; I would echo what others say about convenience. A couple of real-world scenarios:

Fingerprints: if somebody looks over your shoulder and sees what password you enter, they can't do it with a fingerprint.

Password: They can't get into your phone without it, such as by tapping your phone onto your fingerprint sensor when you are asleep etc.

It would be more secure if it required both.

moo
  • 67
  • 9
  • FaceID, as a successor to TouchID, is trying to solve the second problem, as it doesn't work with eyes closed. However, no biometric solution is considered unbreakable, AFAIK. – not2savvy Jul 24 '22 at 12:32
  • Another problem is if hackers were to get access to a database of fingerprints in a data breach, people would struggle to change their fingerprints etc... like they can a password. I think facial biometric data can be bypassed if you point it at a picture of the face it is expecting, at least it used to be able to in 2019, not sure if they fixed that. – moo Jul 24 '22 at 18:33
  • @moo there are lots of "face recognition" technologies which have various degrees of security. Apple's Face ID will not be fooled by a picture because it relies on a 3D scan, not a picture taken with the camera. I'm not aware of any public hack of Face ID (except some story about relatively young twins IIRC). – jcaron Jul 24 '22 at 22:08
  • There is a list here, but it is outdated https://www.tomsguide.com/us/phone-face-unlock-photo,news-28969.html – moo Jul 25 '22 at 12:53