89 comments

[ 5.1 ms ] story [ 81.3 ms ] thread
There are a lot of good examples why you shouldn't use biometric IDs, not just FaceID
Holding volume up + power for a couple of seconds will disable FaceID and require your pass code to unlock
Really? On my phone, according to the settings in the Emergency SOS settings screen, holding down a volume button + power will call emergency services.

Pressing the power button 5 times while the device is locked disables Face ID. But there's a setting to make that call emergency services instead, so it could be different on other phones.

There are several different configuration options.

A ~3 second hold of vol+power brings up the emergency call screen, and also locks the phone.

If you keep holding for longer, it starts a countdown to call emergency services unless you release in time (I'm not going to test to see what that limit is)

You can also configure so that 5 button presses calls emergency services.

On my phone it’s the standard way to turn off the phone. It also disables Face ID. It also allows you to contact emergency services.

It does a few things at the same time.

If you ever can’t reach your phone to press the power button 5 times (which disables Face ID), just say “hey Siri, whose phone is this?” which will do the same.
It didn’t work, it just showed my contact card

Even hey Siri, lock my phone will unlock it happily with my face

Your iPhone must be locked first. Then it will disable FaceID.
[flagged]
The problem with this xkcd is it often gets used to suggest there’s no point taking security measures. Which is like saying you shouldn’t bother locking your front door because they could just get in by breaking the windows.

A more valid interpretation of this xkcd is that one should be wary of being complacent after implementing a security measure. Or just that nerds can often be unrealistic about the threat models they face.

Being unrealistic about the threat models they face?

You mean like thinking if a cop can't manhandle you into unlocking your phone through FaceTime, the incriminating evidence of criminal behavior on it will simply be ignored? Especially since "bad apples" are so rare and often brought to justice?

You mean threat models like that?

Doesn’t make sense. They sure won’t be unlocking the iPhone now.
* whoosh! *

Yep, the 4,096-bit RSA will be enough to protect you from a rogue cop.

Yes if you are already dead.
Ah, now I understand the miscommunication. Point is the technology, the phone, the FaceID, are immaterial. The ultimate goal is the protection of people. Having evidence of wrongdoing by government agents is important, but it is a means to the ends of a just and equitable society free of folks willing to use their position to abuse you.

The coercion of FaceID is always secondary to the abuse of people. Fixation on the security measures being subverted misses the overall point.

Your face, fingerprint, tokens... they are not good passwords, they are good identifiers. A password should not be public, only you should know and should be easy to replace if compromised. Face or fingerprint don't satisfy any of these properties. They should be used as identifiers, since they are very good for it; but they're far from good passwords.
Biometrics nearly always weaken security due to needing a secondary unlock such as the usual pin code in the event that you can't use the bio-unlock. Getting into an accident and having your finger damaged or face rendered unrecognisable will require some secondary method, so biometrics can't be used as the sole unlock method for a personal device (a shared device can work around that by having multiple people authorised to unlock).
That’s not weakening security – the worst case scenario is that you are no more secure than the password you would have used, and not having to enter the password so frequently improves security both directly by significantly reducing the number of opportunities for someone to watch you enter it and indirectly by removing the incentive to use a weaker password which is easier to enter or having a longer auto-lock grace period. Something like a pass phrase is much easier to sell people on if they don’t have to tap it in 30 times a day.
I consider it weakening security as there's additional ways that can be compromised along with the password. I agree that biometrics can increase convenience and likely reduce the visibility of the secret password, but the trade-off is using relatively public facts such as your public face and/or your fingerprints that are left on most surfaces that you touch.
Your public face isn’t enough: you’d need a 3-D scan. Similarly, fingerprints need more than a single image to pass a modern sensor.

That’s not impossible, of course, but it raises the question of whether the comparison is fair. For example, how likely is it that someone can scan your face accurately at a coffee shop but wouldn’t be able to record you typing your password dozens of times during the same visit? If someone is collecting your fingerprints off of your water mugs, they can also plant cameras or have a drone record you. Very few people have to worry about targeted attacks like that and if they do, neither biometrics nor passwords are sufficient.

I don't use my fingerprint because it's secure, I use my fingerprint because I can have the phone unlocked by the time it's out of my purse or jacket pocket rather than standing trying to unlock via pin unaware of my surroundings, and thus minimise the lack of focus on what is around me
Or why you should know the side-button 5 click shortcut to lock the device’s biometrics.

The problem is that this is all about trade offs with no single optimal choice: for example, this only matters with cops who aren’t willing to threaten violence to get you to unlock your phone, and using a password incentivizes weak ones and gives someone else the opportunity to watch you enter it (say, at the police station when given a chance to call a lawyer).

What’s probably better in this case would Photos having a minimum deletion time like Dropbox, or simply streaming it because then you know it can’t be deleted and control precisely when that’s active because other people would really like to be able to delete their stuff when the secret police break down their doors.

The very first suggestion on mastodon was that and it’s wrong — supposedly that combination is for emergency calling
Just tried it, it locks my phone as expected. Maybe I haven’t configured an emergency’s number to call ?
(comment deleted)
…and it also disables FaceID. Source: just tried it.

Holding the power and volume up buttons also works and is arguably easier.

(comment deleted)
it does trigger a suggestion for calling an emergency number, however when you cancel that suggestion, it locks the phone back in a way that requires the pin to unlock.
Yeah it looks like the more efficient way is to hold power and volume up
Did you try that before saying we were wrong? I verified that both worked before I commented.
Long pressing power and any volume button is the actual combo, which is easy to activate even while its in your pocket.

And I agree, it is a tradeoff. It’s much better than half the people having the password 000000, which would be the alternative.

If you try it, you’ll find both work.
If you look at the settings, you’ll find that they are configurable.
The Emergency SOS setting controls whether actual calls are made. If you try it, it requires you to enter your password in either case but you can choose whether to enable the feature where it calls the local emergency number automatically.
I really miss the power/lock button being on the top. Having to combine is just stupid. Normal devices have a single power button and getting to it should be not confusing based on orientation.
"Well duh just use this button combo nobody knows"

"Well duh just use a strong password instead of abc123"

Yes, that’s the point: real world security often has trade offs where there isn’t a simple option which is universally better. Biometrics are a huge win for most people’s realistic threat models because we have decades showing that when left to our own devices most of us pick easily-entered short passwords because it’s tedious entering longer ones many times a day, especially on a touchscreen, or, worse, people turn off auto-lock or set it for a longer period of time.

The source event here is not something most people have to worry about and the suggested advice only applies to a small fraction of people who do have that risk so I think it’s better to educate people about the trade offs to both options as well as other things to consider like the one I mentioned.

This. For audio/photo/video delete removes it from view but does not delete until a configurable period of time has elapsed--and changing that configuration does not alter the timer on existing stuff. Also, no deletion can actually happen without contacting the associated account which can be set to deny the delete and can be set to upload anything queued for deletion. While this will not stop them from simply smashing the phone that's likely to carry far more consequences.
Better solution: have syncthing rapidly upload new videos when they're taken to a host on the internet. Give someone else access to these files.
You can also ask Siri what your name is or whose iPhone this is while NOT looking at the screen, it will disable Face ID given that the phone is locked
I’ll take the convenience of using FaceID over the possibility of being in a situation where it’s used against me. I don’t think that people should be generally worried about these scenarios.
[flagged]
Why does it excite you that a presumably innocent person doesn’t believe police are abusive?

I’m struggling to understand the gloating — what exactly do you believe that enables?

My interpretation is that police aren’t all abusive to the population, and many are acting as if all cops are. As such, the poster was happy that someone felt most cops weren’t horrible people.

Logically, it cannot be that all police are horrible as there are boat loads of police in the USA, and were all of them horrible, every single person would likely have a tale of abuse at the hands of law enforcement to tell. As that isn’t the case, one can assume most cops are just normal people.

Yet, neither the person he replied to nor I took it that way.

Maybe fewer people would mistrust police if they didn’t make posts that sound threatening?

That poster is obviously just trolling dude, even bad cops don’t believe they are bad
I didn't assume they were even really a cop.

They said "speaking as a cop" and then said something that can't be reasonably interpreted any other way than outlandish. Even a real cop who really liked that, would know enough not to admit it in public. That means it doesn't actually matter if they are really a cop or not, either way they were only illuminating a point, not litteral.

Maybe the world would be a better place if everyone didn't jump to the worst possible explanation, and then act as if that were the fact. There is no reason to believe that an actual cop actually just admitted to enjoying the freedom to abuse innocents, but you just ran with that and amplified it anyway. That's really all on you.

No, I think they were just making a joke. It certainly made me laugh.
[flagged]
Ideally the cop also has a running recording they can’t turn off.
Assuming it ever got turned on. Or it's pointing in the right direction. Or it doesn't get "lost" afterwards. Or any of the other ways cops avoid accountability.
Why the hell would you believe a cop actually just said that?

They are probably not actually a cop, but even of they are, they are only making a point to expose the bad advice of the parent comment.

With TouchID I always like to imagine some drug lord telling his minions that they need to cut off the protagonist's thumb to unlock his phone and get the secrets within. The minions respond, "couldn't we just hold the phone up to his thumb?". And the boss says, "maybe, but I'd rather cut if off anyway".
[flagged]
Would someone mind explaining to this Arab immigrant (since I think I need to state my racial and ethnic background to get answers) why it's seen as acceptable to make broad generalizations based on race and sex in this way?

For what it's worth I'm sitting with two of my asian friends, who agreed with the quoted sentiment, so it's definitely not just "middle-to-upper-class white males" who hold these views.

I also know I'd think very little of someone who tried to dismiss a viewpoint of mine with something that amounted to "of course you'd think that, you're Arab*

> why it's seen as acceptable to make broad generalizations based on race and sex in this way?

In the current climate, it is acceptable to make broad generalizations about white males, however if the same exact generalizations are made about black people, then they will call you racist (Black Lives Matter), or if you make the same exact generalizations about trans or non-binary people, you will also have problems. I don't think they are anti-Arab anymore, they lost interest in the War on Terror because it wasn't working. Instead, it looks like they are moving to demonize the Russians and the Chinese. Obviously, the climate will change at some point.

> Instead, it looks like they are moving to demonize the Russians and the Chinese.

Moving to? You've just described the bipartisan position of the US for the past 20 - 40 years.

You ain't seen nothing yet. It still hasn't reached its peak.
(comment deleted)
[flagged]
(comment deleted)
(comment deleted)
(comment deleted)
(comment deleted)
Buddy I live in a random ass town where basically every cop is considerably meaner than anywhere else I’ve lived (anecdotally), and I go to the big city nearby for work OFTEN, usually in the not so great or industrial neighborhoods. I don’t worry about biometrics because, frankly, I’m my photos app is locked, my text messages are all backed up, all of my storage apps require a pin, and I don’t keep passwords on my phone.

They want me to unlock my phone and give it to them, I do it. I then file a claim with apple care and get a new phone because I pay $10 a month for theft protection.

Use common sense, don’t live your life in fear

Criminals and bad police just love that everyone thinks that.

From your point of view, the logic goes "the chances are low that I'll ever be in one of those situations". Well gee, how nice for you.

But for the bad cop, you created the condition that wherever they go, whoever they DO happen to interact with, they always get away with whatever they want. They swim in a sea of all open book victims. The people they do abuse all think the same thing you do.

You should generally be worried about your house burning down even if your house has never burned down.

This incident does not seem a common-enough occurrence to change my behavior.

That would be like euthanizing every dog on earth because a person might be killed by one.

~30,000 people are killed by dogs every year.

How many times annually do people have their phones unlocked by police without their consent?

This analogy doesn't work because you're comparing euthanizing dogs to using a secure password instead of face ID, one of which ends a life and the other is a mild inconvenience (we all used to use pins before touch ID was normalized, it takes less than a second to enter a password that you've got down to muscle memory). Yeah, we can't make all our choices in life based on an off chance, but when it's this simple it's easily worthwhile
You are assuming evidence obtained from the phone in this manner would be permissible in court. I don't know that this has ever been tried in court. Do you?
I am not assuming anything, and no such assumption is necessary.
https://xkcd.com/538/ is relevant

If you want to be resilient to this stuff, have a program that pretends to delete things, or reveal all your data, but in fact requires far more authentication (and delays) to permanently delete, or reveal additional data. But that means you need the decoys to be very believable. Most of these authorities aren't going to dig further, and anyway they can't make you prove a negative.

For example, TrueCrypt and VeraCrypt have hidden volumes: https://veracrypt.eu/en/Hidden%20Volume.html

Is veracrypt available on iPhone?
Is there no way of recovering deleted photos from IOS? Granted I've only recovered data from camera SD cards but it was pretty painless.
By default all deleted photos/videos go to "recycling bin" for 30 days and then get completely deleted. But one can go there and completely delete it earlier. After that it's most likely impossible to recover it. There's also a chance it might've been uploaded to cloud but deleted only on the device.
iOS has had storage encryption enabled by default since the iPhone 3GS (2009) so you’re not going to be able to recover anything from the hardware and applications have to work at it to retain data unintentionally. This is bad for data recovery and forensics but makes it much safer to sell a device.
Accessing Deleted photos requires FaceID since pretty recent. Perhaps it should require a passcode instead.
Is a fingerprint that much better? I certainly prefer it over FaceID, since my kid can't just hold the phone up to my face, but in a situation like this they could just put your finger on the sensor too...
No. In the US, passwords have been held by courts to be "testimony" which requires a court order to force you to disclose. Fingerprints, gestures and face-id are legally equivalent to keys and any law enforcement agent can order you to use keys to unlock a thing. The difference is that the 5th Amendment prohibits testifying against yourself - therefore passwords are legally safer.
Require Attention for FaceID might be useful. It wouldn't unlock unless you're looking at the phone. So in cases like this just close your eyes unless you can properly lock the phone (e.g. you're already restrained). It's not very reliable for me (sometimes it still works) but seems like it's better than nothing.
That’s how FaceID works.
If you have the feature turned on. I don't remember which way it is by default.
Meta point: thinking about this problem in the frame of “which button combination should the user have known to press” is probably the wrong frame.

Discussion on HN and Mastodon seem to both be quite fixated on a shortcut most regular users probably wouldn’t know

No FaceID: cop grabs your hand, puts your finger on the sensor.

No fingerprint unlock: cop breaks phone, tells the court "It fell out of the person's hand.".

Seems like a no-win situation.