
By default in a standard iOS installation, it's a convenience (one only unlocked after a PIN is input on rebooting). Individual apps may request access to FaceID/TouchID (not the raw data, but the iPhone's verification of biometric identity.) The user must whitelist the apps to use that permission, but a company could easily make their app not function if that permission is denied.



I've already circumvented a variety of biometric requirements in various devices in my personal research and just for funsies. FaceID is fooled by a 3D print, and also if you never enroll your face in FaceID but instead use something else that is face-like, the system doesn't care. FaceID is dumb, insecure and doesn't care. TouchID similarly - it just wants to see a squishy thing pressed against it that vaguely resembles a human finger to enroll. It's security theatre. Consumer grade biometric security is as useless as consumer grade paper shredders.


> Consumer grade biometric security is as useless as consumer grade paper shredders.

IIRC, consumer grade paper shredders got pretty good in the past few years. And your examples both rely on the person setting up the security circumventing it by supplying bad training/enrolling. Which makes it bad if you want to guarantee a person is behind it, but fine if you want to treat it as something that belongs to the person doing the enrolling.


You're not wrong, but anything up to DIN P-4 is a couple of evenings of work to defeat with an automated computer vision algorithm. Ask me how I know. Most consumer grade shredders on the market are DIN P-2 and DIN P-5 is where it starts to get really tricky but is still possible to work with.

And I have found that most corporate security, especially in the biometric arena, is sub-par, usually because of the human component doing the enrolling. I am not saying it isn't workable, but that there is a vast landscape between people's perceived utility/functionality of the security and the actual security envelope it provides. Fortunately for me, security is very difficult to get right.
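The edge-matching reconstruction the comment above alludes to, as an added example in Python (not the commenter's code, and nothing from the thread): it builds a constructed synthetic "scan", shreds it into shuffled vertical strips, scores every ordered pair of strips by how well one strip's right edge continues into the other's left edge, and chains the cheapest seams back into the original order. The page generator, the strip width and all function names are illustrative assumptions; the point is that a strip cut preserves a per-row continuity signal along the whole seam, which is exactly what an automated matcher exploits.

```python
"""Reassemble strip-shredded 'scans' by matching cut edges.

Illustrative example, not code from the thread. Every vertical cut leaves two
edges whose pixel columns were neighbours in the original, so a pairwise
edge-distance plus a chaining step recovers the strip order. The input is a
constructed synthetic image, not a real scan.
"""
import random


def make_page(height, width, seed=1):
    """Constructed synthetic scan (assumption for illustration).

    Each row is a linear ink-density ramp (base + slope * column), standing in
    for strokes that run continuously across the page. Values stay in 0..255.
    """
    rng = random.Random(seed)
    page = []
    for _ in range(height):
        base = rng.uniform(0, 120)
        slope = rng.uniform(0.2, 1.0)  # never zero, so every row carries signal
        page.append([base + slope * c for c in range(width)])
    return page


def shred(page, strip_width, seed=2):
    """Cut the page into vertical strips and shuffle them.

    Returns (shuffled_strips, order) where shuffled_strips[k] was originally
    strip number order[k].
    """
    width = len(page[0])
    assert width % strip_width == 0, "strip width must divide page width"
    strips = [[row[c:c + strip_width] for row in page]
              for c in range(0, width, strip_width)]
    order = list(range(len(strips)))
    random.Random(seed).shuffle(order)
    return [strips[i] for i in order], order


def edge_cost(left_strip, right_strip):
    """Sum of squared differences between left_strip's right edge column and
    right_strip's left edge column: low when the two were adjacent."""
    return sum((a[-1] - b[0]) ** 2 for a, b in zip(left_strip, right_strip))


def reassemble(strips):
    """Return the order of strip indices (into `strips`) that minimises the
    total seam cost.

    Greedy nearest-neighbour chaining is tried from every possible start strip
    and the cheapest complete chain wins. O(n^3), fine for a few hundred strips.
    """
    n = len(strips)
    cost = [[edge_cost(strips[i], strips[j]) if i != j else float("inf")
             for j in range(n)] for i in range(n)]
    best_chain, best_total = None, float("inf")
    for start in range(n):
        chain, used, total = [start], {start}, 0.0
        while len(chain) < n:
            cur = chain[-1]
            nxt = min((j for j in range(n) if j not in used),
                      key=lambda j: cost[cur][j])
            total += cost[cur][nxt]
            chain.append(nxt)
            used.add(nxt)
        if total < best_total:
            best_chain, best_total = chain, total
    return best_chain


def recover(strips):
    """Glue the strips back together in the recovered order, row by row."""
    chain = reassemble(strips)
    height = len(strips[0])
    return [sum((strips[k][r] for k in chain), []) for r in range(height)]


if __name__ == "__main__":
    page = make_page(height=40, width=120)
    strips, order = shred(page, strip_width=10)
    chain = reassemble(strips)
    print("shuffled as:", order)
    print("recovered  :", [order[k] for k in chain])
    print("exact match:", recover(strips) == page)
```

The same seam-matching idea is why the DIN P-level matters: a finer cross-cut shortens every seam to a handful of rows and multiplies the number of pieces, so the per-seam signal shrinks while the search space grows, which is the regime the comment describes as "tricky but still possible".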


What’s the right way to dispose of paper containing sensitive information?


The NSA recommends P-7 with full incineration. Fellowes has a P-7 model, but do you really want to spend $7,000 on disposing of your credit card statements? P-5 and P-6 are acceptable for home use. P-4 is also acceptable if you aren't really trying to hide anything and just want to dispose of those credit card offers, CVS receipts and that printout you received from your vet. Disposal security sits right alongside digital security in that you have to ask yourself, how much of a target do you consider yourself to be?

I use a P-4 shredder, also from Fellowes, that cost a couple of hundred bucks, that replaced a burnt out P-2 shredder I got for $30 from Staples. I am considering going to a higher capacity P-5 if I can find one at a reasonable price on eBay, more for the extra shredding capacity and the hopper feeder than for any additional security it provides.

How seriously do I take my disposal security in my home? Well, I'm not a target, and there are other higher value targets with less security, so why would they go after me. I shred any mail or paperwork I don't wish to keep physical copies of, but it sits in the "to be shredded" basket near the shredder for a good six months before I get around to it. There's an opportunity there, if I were a target. And the "to be shredded" basket will contain bills from my medical insurance provider, phone bills, ISP bills, electricity bills, cheques I've deposited, grocery receipts.

Whilst I practice good op-sec within my house -- no paperwork leaves without being shredded, tightened network security, VLANs for suspicious devices, locked down networks, and 2FA where appropriate -- I'm not a target and I have very little reason to be a target, so I don't need an onerously heavy shield. I'm cautious, not paranoid.

You need to evaluate your disposal security within the context of "what is convenient" rather than "what is best."


Thank you for this detailed response.



