this post was submitted on 21 Feb 2026
427 points (100.0% liked)

People Mastodon

353 readers
104 users here now

People tooting stuff. We allow toots from anyone and are platform agnostic (Mastodon, BlueSky, Twitter, Tumblr, FaceBook, Whatever)

founded 4 months ago
MODERATORS
 
top 23 comments
sorted by: hot top controversial new old
[–] wonderingwanderer@sopuli.xyz 4 points 23 hours ago

Facial recognition scans are so detailed that that data can be used to make highly realistic deepfakes. Deepfakes with higher resolution than an ordinary video recording. And a couple layers of abstraction can obscure the origins of the "video"...

We're entering some truly dystopian times...

[–] Arghblarg@lemmy.ca 63 points 2 days ago (1 children)

.. And importantly, US legal rulings currently state that you can be coerced by law enforcement / border agents to unlock your devices using biometrics (being a part of your body), but NOT coerced to reveal a PIN or password, as that is something you remember -- no forced confessions or something like that.


And if you have a device-wipe 'duress' PIN code, make sure you use it BEFORE being asked to unlock the device, or they'll claim you erased evidence. Better to just not have ANY data you are concerned about on the device while crossing into any country -- carry a blank device, and download it securely after entry.


Never use fingerprint or face unlock on your phone if travelling to the US.

[–] sepiroth154@feddit.nl 55 points 2 days ago (2 children)

I have an even simpler rule. Dont travel to the US. (and Canada does this too)

[–] BarneyPiccolo@lemmy.today 5 points 1 day ago (1 children)

As an American who lives in a major tourist zone, don't visit right now. We'll weather the storm, and you can come back when we get our shit together again. We will.

[–] sepiroth154@feddit.nl 4 points 1 day ago

Yeah as they say, it is always darkest before dawn.

[–] Crackhappy@lemmy.world 9 points 2 days ago (1 children)

Regrettably a lot of people have a requirement to travel to the US and other authoritarian countries.

[–] sepiroth154@feddit.nl 1 points 1 day ago

Yeah I feel for the people who don't have that choice...

[–] hedge_lord@lemmy.world 17 points 1 day ago

Oh no, my face scan was leaked! I guess I have no choice other than to fill myself with estrogen in order to reshape its fatty tissues, something I would absolutely not have done otherwise. Oh no!

(sarcasm disclaimer: this is sarcastic)

[–] karashta@piefed.social 15 points 2 days ago (1 children)

I enjoy that grapheneOS let's me set up a secondary pin to nuke the phone.

[–] whotookkarl@lemmy.dbzer0.com 2 points 23 hours ago

And multiple profiles to further sandbox different uses or types of software (social media, email, games, etc)

[–] AnchoriteMagus@lemmy.world 16 points 2 days ago (2 children)

I have never set up biometric unlocks on any phone for exactly this reason. No one gets access to my fingerprints unless they cuff me and get them the old-fashioned way.

[–] Zorcron@lemmy.zip 12 points 1 day ago (1 children)

As far as I understand, fingerprint data for at least the flagship smartphones is not even stored on the device itself, just what amounts to a hash of it. I haven’t heard of any vulnerabilities of these systems that allow your fingerprint or facial information to be extracted from the device, only bypassed by some tools like the password.

I’d be interested if you have info that suggests otherwise.

[–] Maxxie@piefed.blahaj.zone 2 points 1 day ago* (last edited 1 day ago) (2 children)

That's correct, no sane implementation of biometrics stores your actual data. Its hashed when you log in to compare with the stored hash, then deleted.

It can leak if the server is compromised or misconfigured, so it is still worse than a password.

[–] Zorcron@lemmy.zip 1 points 1 day ago (2 children)

How is it worse than a password in that way?

[–] anton@lemmy.blahaj.zone 1 points 1 day ago

You can't use a cryptographic hash, as small changes in a password means it's wrong, but in biometrics it needs to be allowed to account for different angles/lighting/mood. This means there must be more accessible information on the device.

[–] rapchee@lemmy.world 1 points 1 day ago (1 children)

you can't change your fingerprint, unlike a leaked password

[–] Zorcron@lemmy.zip 1 points 22 hours ago

My understanding is that your fingerprint cannot be recreated from the data on the iPhone at least, and that it never leaves the touchID module. Is that wrong?

[–] Nomad@infosec.pub 0 points 1 day ago (1 children)

So right and so wrong at the same time. A hash loses be by definition information. So you can compare it to a fingerprint and decide if it matches. It can't be used to reconstruct a fingerprint due to complexity of fingerprints and the complexity. So you can't reuse the hash to authenticate anywhere, so stealing it has only reduced benefit. Maybe a mass surveillance state might want that to find your finger prints where you have been but this is a lot more work than just confirming your phone identifier and forcing the cell company to reveal you whereabouts.

[–] Maxxie@piefed.blahaj.zone 2 points 23 hours ago* (last edited 23 hours ago) (1 children)

which part was wrong?

Because the hashing happens server-side, it still has access to the original data. Which is why I said

It can leak if the server is compromised or misconfigured

[–] Nomad@infosec.pub 1 points 21 hours ago

The hash for a password is not that secret. For a strong password it can't be used for anything bad really.

[–] nexguy@lemmy.world 2 points 1 day ago

Or anything you've ever touched

[–] Akasazh@lemmy.world 5 points 1 day ago* (last edited 21 hours ago)

There's burn victim survivors that could get in an awkward spot due to that shit. Fingerprints and facial features seem relatively unchanging unless something very dramatic happens.

[–] apotheotic@beehaw.org 3 points 2 days ago

Damn, bet, time to get ffs