I can change my passcode but how easy is it to change your fingerprint if it did get stolen?

Yes, getting the initial biometric token might be difficult depending on the technology used, but once compromised, you can’t do anything about it.

If you’re unconscious you can’t enter your password but somebody could use your fingerprint to unlock your device.

The police or courts can force you to use your biometric data to unlock your device. They cannot force you to enter a password/code.

It’s down more to the accuracy of the scanners and stuff.

There’s tons of exploits and approximations, especially for faces, tons of devices will open at a picture of someone’s face or them sleeping or something, or a printed paper version of a thumbprint…

Facial recognition in particular has been called “Security Theater” a lot, it fucks up so much and can be fooled a ton.

Imagine a case where you’re kidnapped or arrested and they want to open your phone… if its biometric it’ll take a few seconds?

It’ll be better eventually, but the type of stuff they were rolling out en masse with laptops and phones and stuff is hot garbage, it’s basically pretend security.

Biometric locks do not have any form of lockouts, since they are prone to read errors. Password locks can have backoffs and lockouts when incorrect entries are made. This means that a password-based lock has a limited number of attempts. Some go so far as to wipe the device when you get too many attempts wrong.

A fingerprint is also very accessible while you’re unconscious, while a password isn’t.

In many jurisdictions around the world, you can be legally compelled to provide a fingerprint, but you are not legally compelled to provide a password.

If a copy of my fingerprint is stolen and can somehow be recreated, I can’t change my combination, but I can change a password.

So yeah, lots of reasons why passwords are superior from a security perspective.

It’s not as black and white as one is better than the other. No security is 100% infallible, and that’s really the crux of the concern with biometrics – if a password is compromised you change it, if I were somehow able to reverse engineer your face from your Facebook photo and use it to fool a facial recognition check, you’d have a pretty hard time changing your face.

Passwords have their own issues, obviously they tend to be simpler and memorable to the user, which leaves them open to being found out or socially engineered etc,

It really comes down to the right tools for the right job, if you’re securing your photos from your last summer holiday password1 may suffice, if you’re talking about nuclear launch codes, you probably want to be adding two factor authentication of some sort.

I can use your dead body to pass any biometric scanner on your phone. Ask me for a randomly generated passcode you memorized? *Dead horse analogy here*

One thing that may be relevant in some cases is that a passcode is looking for an exact match, whereas two pictures of the same face will be different because of lighting, smiles, and so on. Biometrics are usually measured on some sort of “close enough” basis.

One thing that means is that a password can be mashed up with some complicated maths to make an encryption key. That key can be used to keep files on your phone safe from prying eyes. The same sorts of maths doesn’t work for biometrics, because two things which are close but not the same wind up making completely different and very wrong encryption keys.

I see this on my phone, for example, in that I can use my fingerprint to log in normally but I have to use a PIN to log in if the phone restarts. That makes sense because restarting the phone makes it forget the encryption key, and only the PIN is able to tell it what that key was.

There are two aspects to access control. You can either test based off of what/who you are, or what you know.

Who/what you are is hard to copy, but also hard to hide or change. If someone wants to unlock your phone, they only have to physically overpower you and put your face/finger to the phone to unlock it. However, if they don’t have access to your physical self, then they’ll have a very hard time getting it.

What you know is easy to copy, but easy to hide or change. Someone can copy your password any number of ways (phishing, key-logger, simple surveillance, etc.) and then use it easily. However, if you know your password has been breached (or just every once in a while), you can easily change the password and the attacker will be back to square one.

Biometrics provide no protection against someone who is physically interacting with you, while passwords can always provide some level of protection (even if it requires resisting physical injury).

> Wouldn’t it be easier to steal a password than it would be to physically copy someone’s fingerprint?

There was a case where a dude snapped a picture of the German defense minister’s hand during a press conference. He used that pic to pull a viable fingerprint and later challenged her that he could get into her phone. She accepted and indeed he gained access.

For the password though, someone would have to physically intimidate you to get into the phone. The US gov is not allowed to do that. Additionally, the supreme court has ruled the gov can’t compel you to give up your password due to the 4th amendment (unreasonable searches and seizures).