Smartphones' security enhancements just make them more dangerous

Over the holidays I bought Apple’s newest, shiniest face scanner. For the first fortnight - and periodically since then, that constant lift-and-scan felt weird. As though my smartphone had suddenly become too intimate, too familiar. This is hardly the thin end of the wedge. It started with passcodes - which many people didn’t …

  1. John Smith 19 Gold badge
    Coat

    "a rapid DNA analyzer a la GATTACA -"

    I was thinking "La Femme Nikita"*

    *But only for the highest security secrets.

    1. Norman Nescio Silver badge

      Re: "a rapid DNA analyzer a la GATTACA -"

      It's not here yet, but it might be closer than you think.

      Oxford Nanopore's MinION "works by pulling DNA through around 500 nanoscopic pores and reading it as it passes through by measuring an electrical signal produced by each nucleotide" [Product details]

      What that article doesn't say is that the sample requires some rather involved pre-processing first [pre-processing kits], and the disposables are 'a bit' expensive....but they are working on the pre-processing bit.

      As for the size, the MinION is 'mobile phone sized', but they plan a sequencer that is smaller - the SmidgION.

      I know this seems like a product placement advertisement for Oxford Nanopore, but I have no connection, and I don't even use their products. It just looks like interesting technology to me - I found it when reading about it in 'The Economist' in an article about the Cassava Virus Action Project

      1. Anonymous Coward

        DNA scans would be no better

        You leave DNA all over the place. Someone just needs to grab the straw you've been drinking out of, your lipstick, your hairbrush (yeah it sounds like women would be easier targets here...) or whatever along with your phone. Just like someone could get accurate scans of your face to produce that 3D model, or snag your fingerprints off a glass or your phone itself, and so forth.

        Maybe if they embed a THz scanner it could map the blood vessels in your brain, though you might need to swallow something for contrast first...

        1. eldakka
          Coat

          Re: DNA scans would be no better

          > drinking out of, your lipstick, your hairbrush (yeah it sounds like women would be easier targets here...)

          >...

          > though you might need to swallow something for contrast first...

          So still targeted mostly at women then?

  2. Charles 9

    But what if it's not temporary safety we're buying but safety full stop (IOW peace of mind) without which we'd drive ourselves crazy living like Damocles and start wondering if civilization is worth all this?

    IOW, if Franklin really is right, then human civilization is essentially doomed.

    1. MacroRodent

      Muddle through

      > IOW, if Franklin really is right, then human civilization is essentially doomed.

      He is both right and wrong. These things are not absolutes no matter what the extremists say. Civilization will just muddle through in the middle, as it has always done.

    2. wolfetone Silver badge

      "Safety full stop" would begin by not buying them at all.

      1. Charles 9

        I disagree. Not buying them means living under the Sword of Damocles, which by definition means "you're NEVER safe." Which means no peace of mind. Which is why I'm saying if the ONLY way to get ANY measure of safety is to give up your liberty, then what's the damn point of civilization at all? You're basically back to The Jungle.

        1. israel_hands

          How the hell does not buying a smartphone leave someone under the Sword of Damocles? If you don't rely on a single device to hold almost your entire life then by definition all your private data is spread between disparate systems and so not vulnerable to being compromised by a single strategic security mistake, regardless of whether you're advocating passwords, biometrics or anything else.

          It's the very fact that smartphones hold so much in a single package that makes them so dangerously vulnerable and also so valuable if compromised.

          Also, try to avoid randomly capitalising so many words. It's like you're channelling the keyboard mashing of the Bombastic Knob.

          1. Charles 9

            Not buying a smartphone; buying a little peace of mind. What price peace of mind?

  3. redpawn

    Keeping Honest People Honest

    That's what a lock does. It keeps your spouse and children honest.

  4. Anonymous Coward

    A numerical pin code with a randomised layout is all you ever need in my opinion. I'm not paranoid but I would never give a phone (corporation) my fingerprint, face and certainly not my DNA.

    1. Sir Runcible Spoon
      Coat

      I'm not sure about anyone else, but I would much prefer not to store my life on a vulnerable device in the first place, that way I don't give a shit (other than the inconvenience) if it gets lost/stolen/hacked.

  5. 45RPM Silver badge

    Since your fingerprint (or face, or (presumably) DNA) is stored as a salted hash in the Secure Enclave of the phone, unreadable and unsynchronised with the cloud, I’m not hugely worried that this represents a security loophole. It might be a security hole, of course, but it’s insignificantly small compared with the massive security error that social networks represent.

    Through tools like Facebook, criminals can fairly easily work out your mother’s maiden name, your place of birth, your real birthday (assuming that you haven’t been foolish enough to explicitly tell them), and may even in some cases divulge what you’re spending your money on, when and how much.

    With that little haul a malfeasant should be able to unlock your life without going to the inconvenience of nabbing your phone first. I think that putative problems with (correctly implemented) facial and fingerprint recognition are only worth worrying about once the far bigger security issues that millions face everyday have been resolved.

    1. imanidiot Silver badge

      That's all well and good. It's how it's supposed to work. But how does the average user figure out if that is ACTUALLY how it's implemented? For all we know One or Xiaomi or Samsung thought, meh, to hell with all that, and stores them in plain text in the ROM. Someone skilled in phone OSes might figure that out (and lack of news about such stupidity seems to indicate it's done correctly) but "Joe Average" can't.

      And has been pointed out before, fingerprints should be considered a username. Not a password.

    2. DaLo

      "...is stored as a salted hash in the Secure Enclave of the phone, unreadable and unsynchronised with the cloud..."

      But what if, and I know this is pushing bounds of reality, a processor had a flaw that allowed un-privileged access to the secure enclave you mentioned, either by being able to read the encryption keys, the salt or directly from the authentication mechanism.

      However there is not much chance that a processor would have a design flaw like that, is there?

      1. 45RPM Silver badge

        @DaLo - such flaws, as we’ve seen over the past month, are entirely possible - but likely to be devilish difficult to exploit. And, given that there are easier means of stealing someone’s life (as discussed earlier), why would you bother?

        1. Sir Runcible Spoon

          > And, given that there are easier means of stealing someone's life (as discussed earlier), why would you bother?

          It used to be the case that we argued against security through obscurity (i.e. it doesn't work) but you seem to be implying that security through ignorance *will* work.

          Seriously, you have no idea whether there is a trivial way to exploit these processor bugs or not, and you also have no idea as to whether someone who wants to access your system will bother or not (assuming it is non-trivial).

          That kind of approach to security leads to moments of regret later on, guaranteed.

          1. 45RPM Silver badge

            @Sir Runcible Spoon

            You misunderstand me, or rather, perhaps I haven't been entirely plain in my meaning. I'm not saying that these security issues in hardware should be ignored, or that they aren't worth fixing. I'm saying that, if you want to steal someone's life (bank account details, identity and so forth) there are easier means than trying to bypass biometric security.

            Put another way, I'm not suggesting for one moment that one should ignore flaws in the design of the lock, or put off replacing the lock with one that is more secure, I'm merely saying that a criminal is unlikely to force the lock if the kitchen window has been left open.

            Social networks are akin to an open window. The people who need to concentrate on more secure locks are those who eschew social networks in the first place (a minority these days, it seems). Those who have social network accounts probably need to look to deleting those first before worrying about how secure the biometrics on their phone are - because, realistically, the phone's biometrics are going to be considerably more secure than their digital online presence, no matter how badly the phone's manufacturer implemented it.

            I'm certainly not arguing for security through ignorance - quite the opposite. I'm suggesting that one should plug the bigger hole before concentrating on the smaller one. But yes, I agree with you entirely that security through ignorance (or obscurity) "leads to moments of regret later on, guaranteed."

            1. Sir Runcible Spoon

              Thanks for clarifying, I thought you were referring to the processor bugs in particular, but that doesn't change anything I don't suppose.

              Totally agree on fixing the most commonly exploitable holes first. Not having a smart phone or social media accounts (apart from this one) I tend to immediately focus on the next line of defense, such as fixing processor bugs etc.

              1. 45RPM Silver badge

                Upvote for dodging the social poison pill!

    3. Adam 1

      > Since your fingerprint (or face, or (presumably) DNA) is stored as a salted hash in the Secure Enclave of the phone

      Disclaimer, it has been a few years since I last looked into facial recognition (wasn't quite up to snuff back then), but I work on systems with deep integration of fingerprint and vein scan as well as regular password authentication.

      Hashed authentication for passwords/passcodes works because you can* store Hash(secret + salt) and later test whether Hash(guess + salt) == stored value without storing the secret itself. You don't need that secret, just statistical proof that it is nigh impossible for the guess to not be the actual secret**.

      Biometric templates are different because you are not able to get an identical scan for verification. Even two photos taken on the same camera on a tripod in a studio seconds apart will have subtle differences. If you were to perform a subtraction operation on the bitmaps, it would not be pure black. Because of this, templates are more like a series of measurements of angles and ratios of various features. It can be thought of as a template in the sense that you can't take those numbers and reconstruct the original scan/photo, but the verification logic needs to have those numbers to determine whether the candidate finger/face is "close enough" to the template. (This is why we can meaningfully talk about false accept rate and false reject rate for biometrics). My point is that you can encrypt the template but you cannot hash it.

      *But please don't. Google scrypt or bcrypt and use one of them.

      **Aka a collision
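
The contrast drawn in the comment above, as an added example that is not part of the original thread: a passcode can be checked against a salted scrypt digest because the comparison is exact, while a biometric template has to stay in comparable form because matching is a distance test against a threshold. The feature vectors, noise levels and thresholds are constructed for illustration and model no real sensor.

```python
import hashlib
import hmac
import math
import os
import random
import struct

# --- Passcodes: exact match, so only salt + slow hash needs to be stored ---

def _scrypt(secret, salt):
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def enroll_passcode(secret):
    """Return (salt, digest); the passcode itself is never stored."""
    salt = os.urandom(16)
    return salt, _scrypt(secret, salt)

def verify_passcode(guess, salt, stored):
    # Constant-time comparison of Hash(guess + salt) with the stored value.
    return hmac.compare_digest(_scrypt(guess, salt), stored)

# --- Biometrics: no two scans are identical, so equality of hashes is useless ---

def template_digest(features):
    """Hash of a template; changes completely if any measurement moves."""
    return hashlib.sha256(struct.pack(f"<{len(features)}d", *features)).digest()

def matches(template, candidate, threshold):
    """'Close enough' test: needs the template's numbers, not a digest."""
    return math.dist(template, candidate) <= threshold

def far_frr(threshold, genuine, impostor):
    """False accept rate and false reject rate at one threshold."""
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr

def sweep(thresholds=(0.0, 0.2, 0.3, 0.4, 0.6, 5.0), trials=500, seed=1):
    """Constructed data: rescans of the owner vs. scans of look-alikes."""
    rng = random.Random(seed)
    owner = [rng.uniform(0, 3) for _ in range(8)]

    def noisy(base, sigma):
        return [x + rng.gauss(0, sigma) for x in base]

    # Distances of the owner's own rescans (small sensor noise) ...
    genuine = [math.dist(owner, noisy(owner, 0.08)) for _ in range(trials)]
    # ... and of similar-looking other people (larger, but overlapping, spread).
    impostor = [math.dist(owner, noisy(owner, 0.15)) for _ in range(trials)]
    return [(t, *far_frr(t, genuine, impostor)) for t in thresholds]

if __name__ == "__main__":
    salt, stored = enroll_passcode("constructed-passcode")
    print("passcode ok:", verify_passcode("constructed-passcode", salt, stored))

    enrolled = [0.42, 1.37, 0.88, 2.10]   # constructed template
    rescan = [0.43, 1.36, 0.89, 2.08]     # same finger, second scan
    print("digests equal:", template_digest(enrolled) == template_digest(rescan))
    print("distance match:", matches(enrolled, rescan, 0.1))

    for t, far, frr in sweep():
        print(f"threshold {t:4.1f}  FAR {far:5.3f}  FRR {frr:5.3f}")
```

Raising the threshold lowers the false reject rate only by raising the false accept rate, which is the trade-off discussed further down the thread.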

  6. RyokuMas
    Stop

    Too late...

    "Or will we be so afraid of our digital selves falling into the wrong hands..."

    They already have - Google, Facebook, Apple, Microsoft, etc., etc...

    1. Anonymous Coward
      Big Brother

      Re: Too late...

      You forgot several governments...

    2. Anonymous Coward

      Re: Too late...

      We’ve always had to be careful when transporting objects of great value. It may be that we decide the wiser course is simply not to transport them at all.

      Obvious solution then: don't carry your data, put it in The Cloud instead.

      1. Anonymous Coward

        Re: Too late...

        "Obvious solution then: don't carry your data, put it in The Cloud instead."

        All you have to carry then is effectively the key to the safe. Lose the key - then quickly change the lock after using a spare key.

        However - that assumes that the safe's lock cannot be breached by other means.

        1. Sir Runcible Spoon
          Facepalm

          Re: Too late...

          Obvious sarcasm is obvious.

          1. Charles 9

            Re: Too late...

            The last sentence covers that. Basically, can you trust the safe owners to not possess a skeleton key? Perhaps one mandated by the government and concealed under a D-Notice?

  7. SpammFreeEmail

    Any Biometric is the least secure model I can think of.....

    While it may protect your device if the device is stolen there are far too many ways to collect fingerprint, facial and DNA data metrics to be able to 'spoof' them to fool the device.

    Any security model that relies on anything other than a secret known to and stored in the owner's memory is fundamentally a flawed model, convenience is no substitute for a properly implemented strong security model.

    1. Psy-Q

      Re: Any Biometric is the least secure model I can think of.....

      Although it's a different story when the best secret that people can come up with is 123456.

      1. Anonymous Coward

        Re: Any Biometric is the least secure model I can think of.....

        > Although it's a different story when the best secret that people can come up with is 123456.

        That's easy to fix:-

        1. It's a training issue and if people don't want to protect themselves that's a personal choice.

        2. 'Force' different levels of password/pin implementation onto the device (i.e. no usage of more than two continuous numbers, no usage of duplicate numbers).

        The reason these things aren't done 'properly' is people bitch about it, then complain when their data gets stolen and they haven't taken sensible simple precautions themselves.

        While I don't believe in the nanny state, I also don't believe that dumb fucks should drive security implementation models, security models should NOT be dictated by the dumbest/laziest common denominator.

        I'm reminded of a conversation I had years back when banks started to implement pin based security for phone banking, I had a multi week stand up argument with an implementation team manager who was happy to use a model that allowed staff to see the WHOLE pin number, rather than have to ask for say digits 3 and 5 of the pin which were then entered into a hidden field system for verification. When I asked what his view was when it was offshore staff doing the security checking and they would also have access to the whole number, he stated that wasn't his problem, that was the offshore contractor's problem to manage. How I didn't punch him in the mouth I'm not quite sure to this day.

        1. Sir Runcible Spoon

          Re: Any Biometric is the least secure model I can think of.....

          I downvoted you because you missed an opportunity to lamp one of the fuckers that put us in these kind of messes :p

        2. Charles 9

          Re: Any Biometric is the least secure model I can think of.....

          "While I don't believe in the nanny state, I also don't believe that dumb fucks should drive security implementation models, security models should NOT be dictated by the dumbest/laziest common denominator."

          You MUST. They're the majority, and they outVOTE and outSPEND you. That's why you MUST take the Stupid User into consideration if you want to stay in business long-term.

          PS. Some people really DO have serious memory problems where "123456" becomes "271052" and "correcthorsebatterystaple" becomes "donkeyenginepaperclipwrong". AND they're too proud to ask for help. Yet if you don't deal with these kinds of people, what they house can take other people with them...including potentially YOU thanks to unknown connections.

          1. Anonymous Coward

            Re: Any Biometric is the least secure model I can think of.....

            Maybe they need to embed an fMRI scanner and have you think of the password. Since my brain presumably looks different thinking of 123456 than yours it might work :)

        3. eldakka

          Re: Any Biometric is the least secure model I can think of.....

          > 2. 'Force' different levels of password/pin implementation onto the device (i.e. no usage of more than two continuous numbers, no usage of duplicate numbers).

          You've just reduced the size (difficulty) of the problem set that has to be solved for a brute-force password attack by including those restrictions.
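
The keyspace cost of the quoted rule, counted exhaustively, as an added example that is not part of the original thread. It assumes one reading of the rule: every digit distinct, and no three digits in a row stepping up or down by one (so `123` and `987` are refused while `12` is allowed); the blocklist comparison is likewise an assumption added for contrast.

```python
import math
from itertools import product

DIGITS = "0123456789"

def has_run(pin, length=3):
    """True if `pin` contains `length` digits stepping by +1 or by -1."""
    d = [int(c) for c in pin]
    for i in range(len(d) - length + 1):
        steps = {d[j + 1] - d[j] for j in range(i, i + length - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False

def allowed(pin):
    """Assumed policy: no duplicate digits and no 3-digit ascending/descending run."""
    return len(set(pin)) == len(pin) and not has_run(pin)

def keyspace(n_digits):
    """Return (all PINs of this length, PINs the policy still permits)."""
    total = 10 ** n_digits
    permitted = sum(allowed("".join(p)) for p in product(DIGITS, repeat=n_digits))
    return total, permitted

def bits_lost(n_digits):
    """Entropy (in bits) removed from a uniformly chosen PIN by the policy."""
    total, permitted = keyspace(n_digits)
    return math.log2(total / permitted)

def blocklist_bits_lost(n_digits, blocked):
    """Entropy removed by refusing only `blocked` specific PINs instead."""
    total = 10 ** n_digits
    return math.log2(total / (total - blocked))

if __name__ == "__main__":
    for n in (4, 6):
        total, permitted = keyspace(n)
        print(f"{n} digits: {total} -> {permitted} PINs, "
              f"{bits_lost(n):.2f} bits lost to the policy, "
              f"{blocklist_bits_lost(n, 100):.4f} bits lost to a 100-entry blocklist")
```

Under this reading a 4-digit PIN drops from 10000 to 4830 candidates, so an attacker who knows the policy has roughly half as many PINs to try.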

      2. eldakka

        Re: Any Biometric is the least secure model I can think of.....

        Stop looking over my shoulder when I unlock my luggage!

    2. Anonymous Coward

      Re: Any Biometric is the least secure model I can think of.....

      'there are far too many ways to collect fingerprint, facial and DNA data'

      Yeah, and another essential part of any lock / key system is the ability to change the lock, if you know that someone has been to Timpson's and had a duplicate key cut. Assuming that it's possible to spoof someone's face / fingerprints / DNA.... How can I rescind any of that stuff when it's compromised? Plastic surgery? Using a stanley knife to adorn my fingerprints? Some kind of DNA editing? None of them seem like particularly pleasant options to me.

      1. Sir Runcible Spoon
        Joke

        Re: Any Biometric is the least secure model I can think of.....

        Here's an interesting thought exercise: If an individual* cannot remember a password more complex than '123456' etc. what is the statistical likelihood that the data they are carrying will impact anyone other than themselves if the data is compromised.

        *All government employees are exempt

  8. tiggity Silver badge

    DNA

    Might be a bit awkward, you could easily have some other person's DNA on your fingers.

    I imagine p***y grabbing POTUS would be positively disappointed if a day passed where he did not get other DNA on his hands

    Seriously, DNA to unlock a phone is massively insecure (but so are fingerprints, faces so it might happen!)

    Mine's the one with the long PIN

    1. Ken 16 Silver badge

      Re: DNA

      POTUS is like a really smart genius, no-one could possibly guess his password

      1. Anonymous Coward

        Re: DNA

        covfefe

  9. Pat 11

    To know != to be

    Shifting from something you know to something biometric is dumb as fuck. All the enemy need to do is wave your phone in front of your face and they're in. At least with a pin you have to consciously divulge something.

    1. Paul Crawford Silver badge

      Re: To know != to be

      And presumably you could have multiple PINs that unlock the phone in different, possibly partially data-erasing, ways?

      Or is nobody as paranoid / devious as me in the outside world? Or do we simply not put such stuff on our phones because we trust them as far as we can comfortably spit a rat?

  10. steelpillow Silver badge
    Pint

    My old Nokia

    This piece is a great advertisement for keeping my old Nokia another couple of decades.

    Or at least, until I can get a strap-down device (smartwatch?) with strongly encrypted cloud connectivity.

  11. Velv
    Pirate

    Didn't they circumvent the DNA checks in Gattaca quite easily?

  12. israel_hands

    If the author is unconvinced with using his face to unlock his phone why doesn't he just use a PIN? My new phone's got a fingerprint scanner built in but there's no way I'd ever enable it. That sort of idiocy is for people who can't tell the difference between a username and a password and don't know how easy it can be to spoof the biometrics.

    1. Charles 9

      "If the author is unconvinced with using his face to unlock his phone why doesn't he just use a PIN?"

      Perhaps he has a bad head for PINs? Can't use an ATM and so on?

      1. israel_hands

        There are some people who suffer such problems, although I suspect the author would have mentioned it if he fell into that category. They're by far in the minority though. Biometrics are the sort of thing that should be used as a method of last resort for edge cases, if at all, rather than the new default simply because it makes for a flashy sales gimmick and seems to be more secure to the average bloke in the pub who isn't particularly interested in this whole conversation.

        The point I'm trying to make is that companies that tout the security of their products should endeavour to good security practice.

        As ever it comes down to more input from engineers, less input from the clueless fuckwits in marketing.

        1. Charles 9

          Thing is, edge cases don't STAY edge cases for long.

          "The point I'm trying to make is that companies that tout the security of their products should endeavour to good security practice."

          Problem is, security clashes with ease of use, and the prole prefers the latter to the former and is not likely to take training. How do you do a secure solution for someone who doesn't care about security (and yes, you MUST care about their security since they become weak links to compromise others)?

  13. Dave 126 Silver badge

    Using a smart watch (or actually just a wrist-mounted RSA dongle - which could easily be incorporated into a watch - heck, some fella has even built one into a Casio F91W ) isn't a bad approach.

    Rolling codes could be entered manually into one's phone, or else scanned by the phone's camera or otherwise communicated (NFC, IR, sound).

    A list of modded F91W features below:

    https://github.com/carrotIndustries/pluto

  14. Charlie Clark Silver badge

    What's this about?

    Author casually spaffs a grand on an expensive toy and then asks himself why he bothered?

  15. Anonymous Coward
    FAIL

    Mos Def

    It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow.It hurts when I do this. Ow...

  16. Steve Graham

    I've never trusted the Android ecosystem enough to put anything sensitive on my phone, nor use it for money-related purposes, so it's not much of an issue for me. I suppose Apple users have absolute confidence in the company's omnipotence.

  17. sitta_europea Silver badge

    'Sfunny, when I ring my auntie in Doncaster I can tell straight away if it's her on the other end of the 'phone or some dumb female burglar who's just pretending to be her.

    Now unless I'm very much mistaken, most 'phones, even mobile ones, have a microphone in there somewhere. You've possibly overlooked it because it's so far down on the list of requirements for a modern mobile.

    Anyway, using this microphone thingy I bet I could tell if it was really me talking.

    Just sayin'...

    1. phuzz Silver badge
      Megaphone

      Can you tell the difference between your aunt and a recording of your aunt?

      More importantly, could you program a computer to do it?

      1. Charles 9

        I guess you've never seen the spliced "My. Voice. Is. My. Password. Verify. Me." bit from Sneakers.

      2. Jeffrey Nonken

        "Can you tell the difference between your aunt and a recording of your aunt?"

        Hah hah. OK, I have to tell this story. When my voice was changing -- yes, I passed puberty, far too many years ago in fact -- for a while I sounded like Mom. So her friends would call to talk to her, and start chatting away... and when they stopped for a breath I'd say, "Hold on, I'll get Mom."

        Poor ladies were mortified, because they knew how sensitive boys could be about such things. Me? I thought it was funny.

        Anyway, one day I answer the phone and it's my grandmother. Of course SHE could tell it wasn't Mom's voice, but it was still close enough that she said, "Jo?! What are you doing there?!" She thought it was my aunt Johanne, and wondered why Mom's sister was visiting and nobody had told Grandma... it must be a family emergency?

        "Hi Grandma! Hold on, I'll get Mom."

  18. hammarbtyp

    The day is coming...

    The problem is more than just smartphones, it is the fact that all that personal information is stored on the cloud somewhere making it in theory a) accessible to persons other than you and b) Impossible to verify

    One of the consequences of this came home to roost recently when I was required to act as guarantor of my daughter's rented house. To do this I needed a utility bill less than 3 months old.

    5/10 years ago this would be easy, as virtually every week a bill would drop through the letter box. Today, it took 2 days of hunting for something that would meet the requirements, with virtually all the providers gone online.

    The question then begs itself is when we will reach the point where the only way we have to identify ourselves and all our information is some bio-metric indicator tied to the cloud, and what happens when either (maliciously or accidentally) this goes wrong. Does it mean you will forever be shut out of your life, incapable of proving your identity to the world that will only believe what the computers say is true and has lost the ability to verify in any other manner?

    1. DropBear

      Re: The day is coming...

      "Does it mean you will forever be shut out of your life, incapable of proving your identity to the world that will only believe what the computers say is true and has lost the ability to verify in any other manner?"

      No idea. Let's ask Doc Daneeka...

      1. hammarbtyp

        Re: The day is coming...

        "No idea. Let's ask Doc Daneeka..."

        Good link. Here's another one

        Brazil

    2. Charles 9

      Re: The day is coming...

      As I recall, Identity Theft was a thing BEFORE the Internet came along.

      1. hammarbtyp

        Re: The day is coming...

        > As I recall, Identity Theft was a thing BEFORE the Internet came along.

        It is not so much a question of identity theft, but the ability to prove your own identity.

        It used to be under your own control with the various forms of physical documentation you held. In the virtual world however you are dependent on 3rd parties to maintain, control and secure your online identity. If this fails, then how do you then correct the issues?

        If anyone has seen the film Brazil, you will know what I mean

        1. Charles 9

          Re: The day is coming...

          You were dependent on third parties BEFORE the virtual world, too. Recall stolen snail mail? Corrupt postage and shipping workers? These all occur BEFORE the documentation you state comes into your possession.

  19. Hans Neeson-Bumpsadese Silver badge

    A few months back, as I queued for a flight, I handed the check-in staff my smartphone, expecting they’d scan the QR code representing my boarding pass. They waved it away. “We’d prefer you scan your code yourself - just in case we drop it. People get very upset. They lose their whole lives.”

    You're going to be flying with an airline whose staff have a track record of letting things hit the ground badly. Enjoy your flight.

  20. Lez

    I'd opt for the brilliant security options proposed in https://xkcd.com/1934. Or anything more mischievous that the Reg lectorate could surely come up with.

  21. Doctor Syntax Silver badge

    "Over the holidays I bought Apple’s newest, shiniest face scanner."

    Boasting, confessing or complaining? My usual reaction to "Posted from my iPhone".

  22. Anonymous Coward

    random james bond dis

    All security is gradually dumbed down so them that run around with a finger in their ear shouting can easily get into the device which will halt the thing planned by a cross between elton john and hitler.

    Then they wake up and it's another desk piled up with funny names to sift through and people to randomly harass.

    Bit of a comedown when you joined thinking you were going to foil plots to strap rockets to the british museum and launch it into orbit for ransom.

    Everything seems to be is good old fashion police work which there are no police available for due to the budget being pushed the way of imaginative fantasists lol.

    1. Sir Runcible Spoon
      Coat

      Re: random james bond dis

      Brought to you by 'Rant-in-a-rush!'

  23. EnviableOne

    Something you are

    That's all biometrics are, a declaration that the person requesting access is present (or at least part of them).

    In multi-factor authentication, it's about a combination of factors and without one of the other two, biometrics just don't stand up

    Something You Know - shared secret (Unique Static Changeable)

    Something You Have - shared object (Unique Static Changeable)

    Something You Are - further identity (Unique Variable Constant)

    To make a biometric system viable, you have to add other factors, such as pulse, movement, behavior etc that confirm the assertion

    1. Charles 9

      Re: Something you are

      ALL of which can be faked.

      But the trouble is, what if, due to having terrible memory, a tendency to lose things, AND being too proud to ask for help, it's ALL YOU HAVE to work with?

  24. Charlie Clark Silver badge

    That Franklin quote

    I'm by no means an expert in US history but I've always understood Franklin's quote to refer to the fallacy of trying to restrict citizens' rights to improve security. AFAIK Franklin's ideas were key to the protections granted by the constitution. Not only does the comparison with the I-Phone cheapen the debate, it's also completely off the mark because it's about convenience.

    It's been noted elsewhere that biometric systems do not require the person's consent to be unlocked, which makes them per se less secure than a passcode.

    If you are worried about security make sure you don't have anything worth stealing on a device that you have a high chance of losing, forgetting or breaking.

    But Apple's latest "innovation" is really all about reassuring the punters that it was worth spending all that money to stay ahead of the plebs. Apple does make some fantastic products but it's even better at manufacturing demand for them.

    1. Charles 9

      Re: That Franklin quote

      "If you are worried about security make sure you don't have anything worth stealing on a device that you have a high chance of losing, forgetting or breaking."

      Which means you eventually reach a point where you MUST have such valuable information on things easily lost/stolen in order to function AT ALL in modern society. Then you end up asking, "NOW what do you do?"

  25. Anonymous Coward

    Can anyone answer the question

    Does this face locking / unlocking work good enough for identical and almost identical twins?

    At school the teachers and friends had issues even after 5 years there yet our mum can tell us apart instantly

  26. dshaw111

    Samsung already been there and done it!

    Apple pretend they're first but anyone who's not an Apple prisoner will know they are not but want to continue the myth.

    Samsung are ahead of the curve with Iris scanning which is unique. Their Galaxy S8 phone gives security at 4 levels - Iris + Fingerprint + Face + PIN ... you can choose the freedom or stick with Apple!

  27. Jin

    And, at the end of the day, the security is lower than a PIN-alone login.

    Even if perfected to be fake-proof, biometrics will remain insecure due to inherent trade-off between False Acceptance and False Rejection, which demands the co-use of a fallback password. Two entrances placed in parallel provide nice convenience to criminals.

    1. Charles 9

      Re: And, at the end of the day, the security is lower than a PIN-alone login.

      There's really no way to improve the specificity of a test without affecting the sensitivity and vice versa? What gets in the way?

  28. Jake Maverick

    um, idiots really are giving these companies/ the state their fingerprints, face scans....and soon dna? :-( nobody should ever have that kind of power.....especially as the state employs total idiots to enforce said laws....i mean if i was the type to go around raping and murdering people....it wouldn't be my cigarette butts that i 'drop' outside their window now would it? :-(

    what really worries me is that this is becoming so embedded in society that at some point it will probably end up being mandated by govt even...or even without it will become impossible to be a functioning member of society without agreeing to it....
