Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think you take the right approach to true security risk analysis.

But there are all sorts of cases you leave out.

Someone might very well have access to your device without having access to your physical person. Because your device was lost or stolen.

Someone may very well not be willing to threaten you with physical harm, but be willing to hack your device. (Not every adversary is from a Hollywood movie either!)

Law enforcement agencies may not be legally allowed to compel you to reveal your password, but legally allowed to hack your device.

Etc.



Perhaps, but I feel that anyone sophisticated enough to replicate my fingerprint perfectly before it reverts to password only, and to do so before I'm able to make a remote wipe, and able to even find my fingerprints (lost phone) and to be lucky enough that the fingerprint is the one I used to secure the device, makes this a sufficiently low risk to the average user in my opinion.

If you're at odds with an American TLA, your 4 digit pin isn't going to slow them down at all.

Besides, the entropy on the average 4 digit pin is really low, it has a greater chance of using 5, 6, 8, and 9 for righties, and 4, 5, 7, 8 for lefties. Combine this with repeated finger grease blobs, and I don't feel anyone can logically argue that a pin is a sufficiently more secure option compared to a fingerprint.


Sorry, I should amend that last statement to be using the model Apple is using with it's touch ID where the fingerprint simply authenticates use of a high entropy password stored on the device, and the datum of the fingerprint is in not sent.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: