Hacker Newsnew | comments | show | ask | jobs | submit login

You see two different classes of responses because there's two different use cases.

There's security that geeks advocate for ourselves and our own implementations (often things we only have to set up and maintain infrequently) and then there's security that normals actually use (often things they have to authenticate with several times a day).

And I must have missed it, if anyone's been arguing this is a serious security mechanism. As far as I've seen, it's been lauded as (not much) better than a passcode, but, primarily, convenient enough to get people to use it instead of nothing, bringing up the relative security of a still-fairly-insecure bunch.

And you may want to re-read the discussion over the faked-print attacks. It isn't about (im)possibility. It's about the time, expertise and equipment involved and the likelihood of success being too expensive to be worthwhile for gaining access to most phones. [1]

And if we're wearing our "serious" security hats, I still don't see any reason to worry too much about print faking, as its core assumption is a skilled attacker who has unfettered physical access to our device, unbeknownst to us and beyond our control. And at that point, the game is already over.

[1] CCC themselves, with ideal source prints, had to significantly complicate their process to generate fakes that worked with a suitable consistency. So even if you think suitable source prints grow on trees, the point of significant skill, equipment, time and resources remains.




Applications are open for YC Winter 2016

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: