this post was submitted on 21 Feb 2026
430 points (100.0% liked)

[–] Zorcron@lemmy.zip 12 points 2 days ago (1 children)

As far as I understand, fingerprint data for at least the flagship smartphones is not even stored on the device itself, just what amounts to a hash of it. I haven’t heard of any vulnerabilities of these systems that allow your fingerprint or facial information to be extracted from the device, only bypassed by some tools like the password.

I’d be interested if you have info that suggests otherwise.

[–] Maxxie@piefed.blahaj.zone 2 points 1 day ago* (last edited 1 day ago) (2 children)

That's correct, no sane implementation of biometrics stores your actual data. It's hashed when you log in to compare with the stored hash, then deleted.

It can leak if the server is compromised or misconfigured, so it is still worse than a password.

[–] Zorcron@lemmy.zip 1 points 1 day ago (2 children)

How is it worse than a password in that way?

[–] anton@lemmy.blahaj.zone 1 points 1 day ago

You can't use a cryptographic hash, as small changes in a password mean it's wrong, but in biometrics it needs to be allowed to account for different angles/lighting/mood. This means there must be more accessible information on the device.
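The point in the comment above, as an added example that is not part of the thread: exact comparison of a SHA-256 digest rejects a second reading of the same finger that differs in a few bits, while a tolerance-based comparison accepts it but needs the stored template itself. The 256-bit template, the Hamming-distance matcher and the 10% threshold are assumptions for illustration, not any vendor's format.

```python
import hashlib
import random

TEMPLATE_BITS = 256     # constructed template size (assumption)
MATCH_THRESHOLD = 0.10  # assumed tolerance: accept if <= 10% of bits differ

def make_template(seed):
    """Constructed stand-in for a feature vector extracted from a finger."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]

def noisy_reading(template, flips, seed):
    """Same finger, second scan: a few distinct bits flip (angle, pressure)."""
    rng = random.Random(seed)
    reading = list(template)
    for i in rng.sample(range(len(reading)), flips):
        reading[i] ^= 1
    return reading

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def exact_hash_match(stored_digest, reading):
    """Password-style check: only the digest is stored."""
    return digest(reading) == stored_digest

def hamming_fraction(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)

def fuzzy_match(stored_template, reading):
    """Biometric-style check: needs the template to measure closeness."""
    return hamming_fraction(stored_template, reading) <= MATCH_THRESHOLD

def demo():
    enrolled = make_template(1)
    same_finger = noisy_reading(enrolled, flips=8, seed=2)  # 8/256 bits differ
    other_finger = make_template(3)
    stored = digest(enrolled)
    return {
        "hash_accepts_identical_reading": exact_hash_match(stored, enrolled),
        "hash_accepts_noisy_reading": exact_hash_match(stored, same_finger),
        "fuzzy_accepts_noisy_reading": fuzzy_match(enrolled, same_finger),
        "fuzzy_accepts_other_finger": fuzzy_match(enrolled, other_finger),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```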

[–] rapchee@lemmy.world 1 points 1 day ago (1 children)

you can't change your fingerprint, unlike a leaked password

[–] Zorcron@lemmy.zip 1 points 1 day ago

My understanding is that your fingerprint cannot be recreated from the data on the iPhone at least, and that it never leaves the touchID module. Is that wrong?

[–] Nomad@infosec.pub 0 points 1 day ago (1 children)

So right and so wrong at the same time. A hash by definition loses information. So you can compare it to a fingerprint and decide if it matches. It can't be used to reconstruct a fingerprint due to complexity of fingerprints and the complexity. So you can't reuse the hash to authenticate anywhere, so stealing it has only reduced benefit. Maybe a mass surveillance state might want that to find your fingerprints where you have been, but this is a lot more work than just confirming your phone identifier and forcing the cell company to reveal your whereabouts.

[–] Maxxie@piefed.blahaj.zone 2 points 1 day ago* (last edited 1 day ago) (1 children)

which part was wrong?

Because the hashing happens server-side, it still has access to the original data. Which is why I said

"It can leak if the server is compromised or misconfigured"

[–] Nomad@infosec.pub 1 points 1 day ago

The hash for a password is not that secret. For a strong password it can't be used for anything bad really.