People tooting stuff. We allow toots from anyone and are platform agnostic (Mastodon, BlueSky, Twitter, Tumblr, FaceBook, Whatever)
Facial recognition scans are so detailed that that data can be used to make highly realistic deepfakes. Deepfakes with higher resolution than an ordinary video recording. And a couple layers of abstraction can obscure the origins of the "video"...
We're entering some truly dystopian times...
.. And importantly, US legal rulings currently state that you can be coerced by law enforcement / border agents to unlock your devices using biometrics (being a part of your body), but NOT coerced to reveal a PIN or password, as that is something you remember -- no forced confessions or something like that.
And if you have a device-wipe 'duress' PIN code, make sure you use it BEFORE being asked to unlock the device, or they'll claim you erased evidence. Better to just not have ANY data you are concerned about on the device while crossing into any country -- carry a blank device, and download it securely after entry.
Never use fingerprint or face unlock on your phone if travelling to the US.
I have an even simpler rule. Dont travel to the US. (and Canada does this too)
As an American who lives in a major tourist zone, don't visit right now. We'll weather the storm, and you can come back when we get our shit together again. We will.
Yeah as they say, it is always darkest before dawn.
Regrettably a lot of people have a requirement to travel to the US and other authoritarian countries.
Yeah I feel for the people who don't have that choice...
Oh no, my face scan was leaked! I guess I have no choice other than to fill myself with estrogen in order to reshape its fatty tissues, something I would absolutely not have done otherwise. Oh no!
(sarcasm disclaimer: this is sarcastic)
I enjoy that grapheneOS let's me set up a secondary pin to nuke the phone.
And multiple profiles to further sandbox different uses or types of software (social media, email, games, etc)
I have never set up biometric unlocks on any phone for exactly this reason. No one gets access to my fingerprints unless they cuff me and get them the old-fashioned way.
As far as I understand, fingerprint data for at least the flagship smartphones is not even stored on the device itself, just what amounts to a hash of it. I haven’t heard of any vulnerabilities of these systems that allow your fingerprint or facial information to be extracted from the device, only bypassed by some tools like the password.
I’d be interested if you have info that suggests otherwise.
That's correct, no sane implementation of biometrics stores your actual data. Its hashed when you log in to compare with the stored hash, then deleted.
It can leak if the server is compromised or misconfigured, so it is still worse than a password.
How is it worse than a password in that way?
You can't use a cryptographic hash, as small changes in a password means it's wrong, but in biometrics it needs to be allowed to account for different angles/lighting/mood. This means there must be more accessible information on the device.
you can't change your fingerprint, unlike a leaked password
My understanding is that your fingerprint cannot be recreated from the data on the iPhone at least, and that it never leaves the touchID module. Is that wrong?
So right and so wrong at the same time. A hash loses be by definition information. So you can compare it to a fingerprint and decide if it matches. It can't be used to reconstruct a fingerprint due to complexity of fingerprints and the complexity. So you can't reuse the hash to authenticate anywhere, so stealing it has only reduced benefit. Maybe a mass surveillance state might want that to find your finger prints where you have been but this is a lot more work than just confirming your phone identifier and forcing the cell company to reveal you whereabouts.
which part was wrong?
Because the hashing happens server-side, it still has access to the original data. Which is why I said
It can leak if the server is compromised or misconfigured
The hash for a password is not that secret. For a strong password it can't be used for anything bad really.
Or anything you've ever touched
There's burn victim survivors that could get in an awkward spot due to that shit. Fingerprints and facial features seem relatively unchanging unless something very dramatic happens.
Damn, bet, time to get ffs