
iPhone biometrics can’t be faked because the sensors can’t be moved between devices, each Face ID sensor uses a different random pattern, etc.

It’s also more secure than a password on a phone because if you’re using it in public someone can watch you type your password in.

Of course, someone might be able to clone your head shape.




> Of course, someone might be able to clone your head shape.

This is from 2005:

> Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

I guess this is a question of threat model. I hope nobody would want to chop off my head just to unlock my iPhone. But this always reminds me of the scene in "Demolition Man" where Wesley Snipes spoons out someone's eyeball to open the biometrically locked door of his prison.


What I'm hearing you say is that the hardware has baked-in private keys. That is not biometrics, that's public-private key authentication. People already do this with ssh/pgp private keys on a hardware token. Which is a good idea, but it has nothing to do with biometrics and is not something you need to sell your soul to Apple for.

> It’s also more secure than a password on a phone because if you’re using it in public someone can watch you type your password in.

I'd rather hold a hand over a PIN pad than having to wear a mask to prevent my face from being scanned in public.


> What I'm hearing you say is that the hardware has baked-in private keys. That is not biometrics, that's public-private key authentication.

Even if you could write your sensor's face data into someone else's phone, you still wouldn't be able to authenticate with it, because it doesn't have the same sensor. It's not just different keys, the fixed layout of the IR pattern is different.

> I'd rather hold a hand over a PIN pad than having to wear a mask to prevent my face from being scanned in public.

And not sure what the actual threat model here is, but I don't think strangers can scan your face in a way that's useful to Face ID. (Wearing a mask doesn't stop general identification technology, it doesn't even break Face ID anymore.)


I don't think they meant respiratory masks to hide from your head being scanned, especially if the algorithm doesn't look at that part of your head.

> Even if you could write your sensor's face data into someone else's phone,

Since the keys presumably aren't retrievable from the hardware, it doesn't matter if there are random or intentional production flaws in the sensor itself: you need the original hardware anyway. You just need to trick it into doing the authentication. That's the part where biometrics are involved, the part where you present it with a username so to say. The rest is private key authentication.



