Biometrics are never going to be able to be used to directly produce a strong key, so it always reduces to a question of how secure the enclave is, and bugs in the pattern recognition.
In this case there was no Secure Enclave at all. If you do have an enclave you trust to keep a private key safe, my preference would always be to use a simple (not trivial) password/passcode and depend on strict rate limiting.
The only way to avoid a private key being stored in an enclave is to derive the key from a strong password. This avoids the whole class of key extraction attacks, but now there is a password that can be attacked offline.
If you combine a decent password with an online hardening / rate limiting system then I think you have something which stands a chance. But I’m building a commercial product in exactly this space, so I’m not entirely unbiased.
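As an added illustration of the two ideas in the comments above (deriving the key from the password rather than storing it, and adding online rate limiting so guesses are expensive), here is a small Python example. It is not code from any commenter or from BlindHash; the PBKDF2 work factor, the verifier tag, the lockout schedule and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the example (not taken from the thread).
KDF_ITERATIONS = 100_000   # PBKDF2 work factor; raises the cost of each offline guess
KEY_LEN = 32               # 256-bit key


def derive_key(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive a fixed-length key from a password with PBKDF2-HMAC-SHA256.

    No private key is stored anywhere: the key exists only while the
    password is being supplied, which is the point made in the thread."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_verifier(key: bytes) -> bytes:
    """Tag stored next to the salt so a wrong password can be rejected
    without the stored data revealing the key itself."""
    return hmac.new(key, b"key-check", "sha256").digest()


class ThrottledUnlocker:
    """Online hardening: after `max_failures` wrong guesses, refuse further
    attempts for a lockout window that doubles with each extra failure.

    The clock is injectable so the lockout behaviour can be exercised
    in a test without sleeping."""

    def __init__(self, salt, verifier, max_failures=3, base_lockout=1.0,
                 clock=time.monotonic):
        self.salt = salt
        self.verifier = verifier
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def unlock(self, password):
        """Return the derived key on success, None when wrong or throttled."""
        now = self.clock()
        if now < self.locked_until:
            return None          # throttled: do not even run the KDF
        key = derive_key(password, self.salt)
        if hmac.compare_digest(make_verifier(key), self.verifier):
            self.failures = 0    # success resets the failure counter
            return key
        self.failures += 1
        if self.failures >= self.max_failures:
            # lockout grows 1s, 2s, 4s, ... with each failure past the threshold
            excess = self.failures - self.max_failures
            self.locked_until = now + self.base_lockout * (2 ** excess)
        return None


if __name__ == "__main__":
    # Constructed sample: set up with a random salt, then try a few guesses.
    salt = os.urandom(16)
    real_key = derive_key("correct horse battery staple", salt)
    unlocker = ThrottledUnlocker(salt, make_verifier(real_key))
    for guess in ["password", "123456", "letmein", "correct horse battery staple"]:
        result = unlocker.unlock(guess)
        print(f"{guess!r}: {'unlocked' if result else 'refused'}")
```

The verifier tag lets the device reject a wrong password without storing the key, and the throttle means a brute-force attempt against a live device pays a growing delay per guess; an attacker who copies the salt and verifier still has to pay the full PBKDF2 cost per offline guess, which is why the password strength remains the limiting factor.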
It's not biometric at all, BlindHash is a way to protect passwords from offline attack. Today we have a service to protect passwords at rest (authentication). We are doing a closed beta now which pairs BlindHash with TrueCrypt/VeraCrypt to protect data at rest.
I mean to be fair all of those appear to be cheap junk. You would probably find better results with something from a reputable brand or that has undergone some kind of third party testing.
They're basically all exactly this though; no matter what you're paying, this is generally what is underneath. Competent encryption in hardware is difficult, so everybody is doing it in software, and then why is the software hardware specific to begin with?
I had that story a long time ago. I've got an A-DATA MyFlash FP1 stick with fingerprint unlock. Somehow it didn't work on Linux. I sniffed the USB and figured out that after the fingerprint check it simply sends a fixed 3-byte command to the stick to switch to real storage instead of dummy storage. You don't even need the password to unlock it.
In fairness, I've never known anyone to describe x86 as anything but... idiosyncratic. It's not terrible, and it goes hand in hand with decades of unbroken backwards compatibility, but it really isn't the most elegant thing.
It makes me sad to think of what we could have had if Intel had built a 64-bit CPU with a clean, straightforward ISA and a compatibility mode for x86-64, instead of the monstrosity that was Itanium.
For a project like this to be considered secure, it should have an open, public design to begin with. That's even more important given the fact that they used Kickstarter.
The USB drive doesn't have enough processing power, so the software running on the host implements the iris pattern recognition and authentication.
The problem is, the USB drive stores the password and iris pattern value in plaintext and it's readable without unlocking.
Totally useless.