In article <t34782$55j$1@dont-email.me>, sms
<scharf.steven@geemail.com> wrote:

> Not sure about the Pixel 6, but I suspect that it's got the same
> protection against brute force attack as the iPhone. You can't just keep
> entering the wrong pass code.

you suspect wrong. hacking a passcode on android is quite a bit easier
than on an iphone, including the pixel 6.

nospam wrote:

> you still have not answered what they could have done better.

FaceID is a gimmick, much like putting a dozen locks on your front door
might be if your house happened to be surrounded by inner city projects.

It keeps your friends out but it doesn't do anything for the windows.

Still... most Android phones support all the standard unlock mechanisms:
a. Pin
b. Pattern
c. Fingerprint
d. Face
e. App-specific locks (that are part of the app, e.g., keepass)
f. App-specific locks (which are add ons to any given app)

The real threat is Apple adds more than a zero-day vulnerability a month.

It's like Apple builds homes with huge holes in the side of the building.
And yet, they advertise their faceid gimmick which works on the front door.

nospam wrote:

>> Not sure about the Pixel 6, but I suspect that it's got the same
>> protection against brute force attack as the iPhone. You can't just keep
>> entering the wrong pass code.
>
> you suspect wrong. hacking a passcode on android is quite a bit easier
> than on an iphone, including the pixel 6.

Your security is not only what Apple advertises as their latest gimmick.

Since Apple has so many zero-day bugs in the iPhone that hackers stopped
accepting them for testing, why even bother hacking an iOS passcode?

Your real threat is Apple adds at least one zero-day hole a month to iOS.
(Many of these Apple holes are zero-click full-access zero-day holes!)

What good is an iPhone with _only_ a strong front door & nothing else?

On Sat, 9 Apr 2022 17:21:28 +0200, Joerg Lorenz wrote:

> My Pixel 4 recognises my face. Still the fastest way to identfy a person.

Does it work with a photo of your face?

--
s|b

In article <jbm1goFp70cU1@mid.individual.net>, s|b <me@privacy.invalid>
wrote:

>
> > My Pixel 4 recognises my face. Still the fastest way to identfy a person.
>
> Does it work with a photo of your face?

no.

the pixel 4 and apple's face id use an infrared dot projector to create
a 3d map of a person's face, which works in complete darkness.

<https://cdn.arstechnica.net/wp-content/uploads/2019/10/4-2.jpg>

unlike face unlock on other android phones, a photo will *not* work.

there was an issue with google's implementation where it unlocked if
the user's eyes were closed but they eventually fixed that.

On 4/12/2022 10:28 AM, nospam wrote:
> AJL <noemail@none.com> wrote:

>> I use a 6 digit pin

> a 6 digit passcode [can be cracked] in less than about 22 hours

Unless the perp is a good guesser I doubt he would be successful at
getting any information from my phone.

I found the setting. It's called Auto Factory Reset. It says: "After 15
incorrect attempts to unlock the phone it will be set to factory default
settings and all data will be erased including files and downloaded
apps". I already had it turned on but had forgotten about it in the
years since I set it when the phone was new.

Course on the other hand with 15 bad tries he apparently now has a
usable phone which is probably all he wanted in the first place...

On 4/12/2022 1:23 PM, AJL wrote:
> On 4/12/2022 10:28 AM, nospam wrote:
>> AJL <noemail@none.com> wrote:
>
>>> I use a 6 digit pin
>
>> a 6 digit passcode [can be cracked] in less than about 22 hours
>
> Unless the perp is a good guesser I doubt he would be successful at
> getting any information from my phone.
>
> I found the setting. It's called Auto Factory Reset. It says: "After 15
> incorrect attempts to unlock the phone it will be set to factory default
> settings and all data will be erased including files and downloaded
> apps". I already had it turned on but had forgotten about it in the
> years since I set it when the phone was new.
>
> Course on the other hand with 15 bad tries he apparently now has a
> usable phone which is probably all he wanted in the first place...

It depends on the phone and the version of the OS. In some cases it's
only ten attempts. You'd have to be a pretty good guesser for even a
four digit pass code with 10,000 different possibilities, with six
digits it's a million different possibilities.

The most secure biometric is iris scan, followed by 3D fingerprint
scans. 3D FaceID is secure except in cases of siblings and child/parent
where it has been shown to be compromised.

In article <t34n4u$e47$1@dont-email.me>, AJL <noemail@none.com> wrote:

> >> I use a 6 digit pin
>
> > a 6 digit passcode [can be cracked] in less than about 22 hours
>
> Unless the perp is a good guesser I doubt he would be successful at
> getting any information from my phone.

a good guess certainly works, but that's luck.

111111 and 123456 are two of the most common passcodes.

many people use birthdays, anniversaries, phone numbers, etc., so
finding out a little bit about the person who owns the phone helps for
choosing some likely guesses.

> I found the setting. It's called Auto Factory Reset. It says: "After 15
> incorrect attempts to unlock the phone it will be set to factory default
> settings and all data will be erased including files and downloaded
> apps". I already had it turned on but had forgotten about it in the
> years since I set it when the phone was new.
>
> Course on the other hand with 15 bad tries he apparently now has a
> usable phone which is probably all he wanted in the first place...

worst case, it can be flipped for parts.

In article <t34nte$jr8$1@dont-email.me>, sms
<scharf.steven@geemail.com> wrote:

> It depends on the phone and the version of the OS. In some cases it's
> only ten attempts. You'd have to be a pretty good guesser for even a
> four digit pass code with 10,000 different possibilities, with six
> digits it's a million different possibilities.

it's not done using random guesses.

> The most secure biometric is iris scan, followed by 3D fingerprint
> scans.

not even close to correct.

the most secure biometric is apple's existing face id and google's now
discontinued face unlock on the pixel 4. nothing else comes close.

'3d fingerprint scans', your term for an under-screen fingerprint
sensor, as well as iris scans, can easily be spoofed, making them *not*
secure at all, let alone 'most secure'.

<https://www.theguardian.com/technology/2017/may/23/samsung-galaxy-s8-ir
is-scanner-german-hackers-biometric-security>
The iris-recognition feature in Samsung¹s new Galaxy S8 smartphone
has been defeated by German hackers, less than a month after it hit
shelves around the world.

> 3D FaceID is secure except in cases of siblings and child/parent
> where it has been shown to be compromised.

identical twins is a known shortcoming, however, that has been greatly
improved to where it's unlikely, other relatives are highly unlikely to
work, nor is any of that a significant threat model, largely because
families normally know each other's passcodes.

Am 12.04.22 um 21:16 schrieb s|b:
> On Sat, 9 Apr 2022 17:21:28 +0200, Joerg Lorenz wrote:
>
>> My Pixel 4 recognises my face. Still the fastest way to identfy a person.
>
> Does it work with a photo of your face?

Face recognition is more secure than finger print by factors.

--
De gustibus non est disputandum

Am 12.04.22 um 21:43 schrieb nospam:
> In article <jbm1goFp70cU1@mid.individual.net>, s|b <me@privacy.invalid>
> wrote:
>
>>
>>> My Pixel 4 recognises my face. Still the fastest way to identfy a person.
>>
>> Does it work with a photo of your face?
>
> no.
>
> the pixel 4 and apple's face id use an infrared dot projector to create
> a 3d map of a person's face, which works in complete darkness.
>
> <https://cdn.arstechnica.net/wp-content/uploads/2019/10/4-2.jpg>
>
> unlike face unlock on other android phones, a photo will *not* work.
>
> there was an issue with google's implementation where it unlocked if
> the user's eyes were closed but they eventually fixed that.

The process was improved over time. Today even a dead person cannot be
misused to log into the phone anymore AFAIK.

--
De gustibus non est disputandum

Am 12.04.22 um 22:37 schrieb sms:
> The most secure biometric is iris scan, followed by 3D fingerprint
> scans. 3D FaceID is secure except in cases of siblings and child/parent
> where it has been shown to be compromised.

You choose: Either you are lying deliberately or you are years behind
the curve.

--
De gustibus non est disputandum

On 4/12/2022 1:59 PM, nospam wrote:
> AJL <noemail@none.com> wrote:

>> Unless the perp is a good guesser I doubt he would be successful at
>> getting any information from my phone.

> a good guess certainly works, but that's luck.

> 111111 and 123456 are two of the most common passcodes.

> many people use birthdays, anniversaries, phone numbers, etc., so
> finding out a little bit about the person who owns the phone helps
> for choosing some likely guesses.

I wonder how many choose a pin for it being easy to stroke? I use a
combination of 3, 6, and 9 since they're on the right side of the pad
and within easy reach of my thumb. One number gets hit once, one
twice, and one 3 times. Darn did I say too much...

In article <t34pkk$rc6$3@dont-email.me>, Joerg Lorenz <hugybear@gmx.ch>
wrote:

> The process was improved over time. Today even a dead person cannot be
> misused to log into the phone anymore AFAIK.

face id has always required a live person. a dead person does not work
unless it was moments after death.

In article <t34ptg$rc6$4@dont-email.me>, Joerg Lorenz <hugybear@gmx.ch>
wrote:

> Am 12.04.22 um 22:37 schrieb sms:
> > The most secure biometric is iris scan, followed by 3D fingerprint
> > scans. 3D FaceID is secure except in cases of siblings and child/parent
> > where it has been shown to be compromised.
>
>
> You choose: Either you are lying deliberately or you are years behind
> the curve.

both can be true.

In article <t34q4k$5k6$1@dont-email.me>, AJL <noemail@none.com> wrote:

>
> I wonder how many choose a pin for it being easy to stroke?

many do.

nearly all of the most common pin codes have easy to remember patterns:
<https://www.pocket-lint.com/phones/news/148224-these-are-the-20-most-co
mmon-phone-pins-is-your-device-vulnerable>

> I use a
> combination of 3, 6, and 9 since they're on the right side of the pad
> and within easy reach of my thumb. One number gets hit once, one
> twice, and one 3 times. Darn did I say too much...

yes, you did :)

Am 12.04.22 um 23:30 schrieb nospam:
> In article <t34ptg$rc6$4@dont-email.me>, Joerg Lorenz <hugybear@gmx.ch>
> wrote:
>
>> Am 12.04.22 um 22:37 schrieb sms:
>>> The most secure biometric is iris scan, followed by 3D fingerprint
>>> scans. 3D FaceID is secure except in cases of siblings and child/parent
>>> where it has been shown to be compromised.
>>
>>
>> You choose: Either you are lying deliberately or you are years behind
>> the curve.
>
> both can be true.

This were also my thoughts ...

--
De gustibus non est disputandum

On 12/04/2022 15:40, nospam wrote:
> In article <t33gd9$lke$1@dont-email.me>, Chris <ithinkiam@gmail.com>
> wrote:
>
>>>>>>>>> the fact is that apple addressed the issue.
>>>>>>>>
>>>>>>>> They've *tried* to address the issue. It is still a problem for many.
>>>>>>>
>>>>>>> they more than tried. they completely reimplemented face id using a new
>>>>>>> neural engine to work with masks.
>>>>>
>>>>> how would you have dealt with face id and masks?
>>>>>
>>>>> since you don't think apple properly resolved it, what's your solution?
>>>>> be specific.
>>>>
>>>> lol. from the master non-specific generalisations.
>>>>
>>>> I don't need to come up with a solution in order to be able to complain
>>>> about FaceID.
>>>
>>> you're avoiding answering the question because you know that apple did
>>> everything they could,
>>
>> Possibly.
>
> they very definitely did, having released *three* updates that directly
> improve face id with masks, each successively better than the previous
> ones.
>
> you still have not answered what they could have done better.
>
>> However, you're claiming that they've dealt with the issue. They
>> haven't.
>
> they have. see above.
>
> again, how would *you* have dealt with the issue? be specific.
>
>> It's a bit better for some. That's it.
>
> which means they dealt with it.

Nope.

> face id with masks is more compute intensive, which means it's not
> possible for it to work with older iphones where it can't reliably work
> and without excessive delays. that's just reality.
>
> what do you suggest they could have done to make it 'a bit better' for
> most, or perhaps even everyone? again, be specific.
>
>> Many (most?) still have to
>> resort to insecure passcodes.
>
> some do, and passcodes are as secure as the user wants them to be, the
> longer the better, with letters and symbols mixed in being the most
> secure.
>
> a good tradeoff is a long numeric passcode (10+ digits) which is easy
> to tap and long enough that the usual brute force attack is going to
> take a *really* long time, far longer than the lifetime of anyone who
> is interested in cracking it.

You're never going to persuade the average punter to plugin a 10-digit
passcode. Many people struggle with 4-digit PINs.

You are not in touch with reality.

>>> first with mask detection, then apple watch
>>> unlock and finally face id that works with masks.
>>
>> "works" lol. I've watched my kid and wife both with iphone 12s not seeing
>> any change with iOS 15.4.
>
> did they set it up correctly?

Are they holding it wrong? ;)

> face id with masks actually works quite well. it's not perfect all of
> the time, nor would anyone expect it to be.
>
>>> you said that was only 'trying', so again, how could they have done
>>> better? be specific.
>>
>> I've never been a fan of FaceID. TouchID is better for many reasons.
>
> and touch id is worse for others.
>
> touch id doesn't work at all with gloves, which are common in colder
> climates.

Touch screens don't work with gloves either. Those "smart" gloves allow
you to do some very basic things, but typing or accessing app functions
is essentially impossible. So most people end up taking their gloves off
if they're going to be using a phone for anything more than opening a
news app. Like on a bus; see below.

> it also doesn't work with wet or dirty fingers. some people
> have fingerprints that are not readable and can *never* use touch id.

FaceID doesn't work if you're too far away - but still within arms
length - or the phone is not at the right angle. A clear example is flat
on the table next to you - this happens ALL the time. You have either
leer over the phone or pick it up to point it at your face.

A real drag when you want see your notifications. Simply resting your
finger on TouchID was far more usable.

> no system is perfect.

Correct.

> the reality is that touch id has problems in many more situations than
> face id,

Disagree

> with the sole exception of the pandemic, something that was
> unexpected when face id was developed.

Disagree.

>> If
>> they had stuck with it the pandemic would have been a non-issue for *all*
>> iphone users.
>
> right, because apple has this magical crystal ball that can see into
> the future. are you daft?
>
> there was *no* way to know back in 2013, when face id began life in
> apple's labs, to later be introduced in 2017 with the iphone x, that a
> pandemic was coming in 2020 where masks would be common.

There has been warnings of a global flu pandemic for decades. Plus SARS
and MERS were good warnings of something like COVID could happen.
Apple's horizon scanning team should have picked that. They may have done.

>>>>>> Public transport is more commonly used in this
>>>>>> side of the pond than the US and masks are still required. So on journeys
>>>>>> there's many times you need to unlock your phone or access apps.
>>>>>
>>>>> express transit doesn't require authentication and even works if the
>>>>> battery is too low for the phone to be powered on.
>>>>
>>>> Who said anything about express transit? I'm talking about while sitting in
>>>> my seat and using my phone.
>>>
>>> you're the one who mentioned public transit.
>>>
>>> not only is no mask required for express transit, but the phone can
>>> have a dead battery and not even be powered on.
>>
>> Whoosh!
>
> whoosh right back.
>
>> Transport ‚ Transit.
>
> the feature known as express transit is used on public transport (also
> called public transit), thus its name.
>
> it's part of express mode, which allows for additional use cases where
> authentication is not required and even if the battery is dead.

Are you being intentionally dumb? I'm *NOT* taking about boarding a bus
or entering the transport system. I'm perfectly capable of using my
contactless debit card for that - no mask issues.

I *AM* talking about when I am sat on the train/bus and I want to use my
phone whilst wearing a mask. That's when FaceID is a real PITA.

>> Nowhere here uses express transit.
>
> how is that apple's fault?

Stop making up strawmen. Where did I say it was?

> apple provided a solution, however, they can't force everyone to adopt
> it.

Again, express transit is not the issue.

>> Try reading what I
>> wrote.
>
> i did.

Try again. Slowly.

On 12/04/2022 18:28, nospam wrote:
> In article <t345ng$s02$1@dont-email.me>, AJL <noemail@none.com> wrote:
>
>>
>>> passcodes are as secure as the user wants them to be, the longer the
>>> better, with letters and symbols mixed in being the most secure. a
>>> good tradeoff is a long numeric passcode (10+ digits) which is easy
>>> to tap
>>
>> I use a 6 digit pin which is much easier to tap than 10+ digits and I
>> can do it automatically in a second or so without thinking as
>> it becomes automatic.
>
> it's easier, but less secure. there's a tradeoff between security and
> convenience. different people have different threat models.
>
>>> and long enough that the usual brute force attack is going to take a
>>> *really* long time, far longer than the lifetime of anyone who is
>>> interested in cracking it.
>>
>> I don't need a lifetime, just a few hours to change passwords and
>> disable the phone. YMMV...
>
> you don't, but someone trying to crack it might.
>
> a 4 digit passcode can be cracked in less than about 13 minutes, a 6
> digit passcode in less than about 22 hours and a 10 digit passcode will
> take around 25 years.

That's why there are lockouts. A cracker doesn't have unlimited chances.

> alphanumeric passcodes push the amount of time into thousands or
> millions of years,

And utterly unnecessary.

On 12/04/2022 21:59, nospam wrote:
> In article <t34nte$jr8$1@dont-email.me>, sms
> <scharf.steven@geemail.com> wrote:
>
>> It depends on the phone and the version of the OS. In some cases it's
>> only ten attempts. You'd have to be a pretty good guesser for even a
>> four digit pass code with 10,000 different possibilities, with six
>> digits it's a million different possibilities.
>
> it's not done using random guesses.
>
>> The most secure biometric is iris scan, followed by 3D fingerprint
>> scans.
>
> not even close to correct.
>
> the most secure biometric is apple's existing face id and google's now
> discontinued face unlock on the pixel 4. nothing else comes close.

Got an independent source to support that assertion?

> '3d fingerprint scans', your term for an under-screen fingerprint
> sensor, as well as iris scans, can easily be spoofed, making them *not*
> secure at all, let alone 'most secure'.
>
> <https://www.theguardian.com/technology/2017/may/23/samsung-galaxy-s8-ir
> is-scanner-german-hackers-biometric-security>
> The iris-recognition feature in Samsung¹s new Galaxy S8 smartphone
> has been defeated by German hackers, less than a month after it hit
> shelves around the world.
>
>> 3D FaceID is secure except in cases of siblings and child/parent
>> where it has been shown to be compromised.
>
> identical twins is a known shortcoming, however, that has been greatly
> improved to where it's unlikely, other relatives are highly unlikely to
> work, nor is any of that a significant threat model, largely because
> families normally know each other's passcodes.

You have such an idealised view of families. People are at high risk of
violent crime from family members and people they know, especially
women. If anything people should secure their phones primarily from
their relations, not random people.

On 4/13/2022 1:36 AM, Chris wrote:

<snip>

> That's why there are lockouts. A cracker doesn't have unlimited chances.

Precisely. Not just on phones and tablets, but on computers, ATM
machines, home safes, garage door and entry door keypads, and many web
applications.

Still, a fingerprint reader on a phone is a lot more convenient, and
more secure than a PIN code. I can't unlock my someone else's phone with
my fingerprint unless I program my fingerprint in. But PINs are often
written down somewhere or are based on guessable criteria if you know
the person.

In article <t361s2$1im$1@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >
> >> However, you're claiming that they've dealt with the issue. They
> >> haven't.
> >
> > they have. see above.
> >
> > again, how would *you* have dealt with the issue? be specific.
> >
> >> It's a bit better for some. That's it.
> >
> > which means they dealt with it.
>
> Nope.

wrong. they *did* deal with it.

still waiting for you to tell us what they could have done better.

> > face id with masks is more compute intensive, which means it's not
> > possible for it to work with older iphones where it can't reliably work
> > and without excessive delays. that's just reality.
> >
> > what do you suggest they could have done to make it 'a bit better' for
> > most, or perhaps even everyone? again, be specific.
> >
> >> Many (most?) still have to
> >> resort to insecure passcodes.
> >
> > some do, and passcodes are as secure as the user wants them to be, the
> > longer the better, with letters and symbols mixed in being the most
> > secure.
> >
> > a good tradeoff is a long numeric passcode (10+ digits) which is easy
> > to tap and long enough that the usual brute force attack is going to
> > take a *really* long time, far longer than the lifetime of anyone who
> > is interested in cracking it.
>
> You're never going to persuade the average punter to plugin a 10-digit
> passcode. Many people struggle with 4-digit PINs.

nobody said anyone was required to use 10 digit passcodes.

you said people had to resort to insecure passcodes. they are as
insecure as the user wants them to be.

those who want more security can choose a longer passcode, while those
who want convenience can choose shorter passcodes, with the tradeoff of
less security. the choice is entirely up to the user based on their own
threat model.

> You are not in touch with reality.

that would be you

>
> > face id with masks actually works quite well. it's not perfect all of
> > the time, nor would anyone expect it to be.
> >
> >>> you said that was only 'trying', so again, how could they have done
> >>> better? be specific.
> >>
> >> I've never been a fan of FaceID. TouchID is better for many reasons.
> >
> > and touch id is worse for others.
> >
> > touch id doesn't work at all with gloves, which are common in colder
> > climates.
>
> Touch screens don't work with gloves either. Those "smart" gloves allow
> you to do some very basic things, but typing or accessing app functions
> is essentially impossible.

get better gloves.

many gloves work quite well for nearly everything that can be done with
a bare finger.

> So most people end up taking their gloves off
> if they're going to be using a phone for anything more than opening a
> news app. Like on a bus; see below.

many people take off their gloves on a bus even without using a phone.

around here, busses have heat and gloves are not needed.

> > it also doesn't work with wet or dirty fingers. some people
> > have fingerprints that are not readable and can *never* use touch id.
>
> FaceID doesn't work if you're too far away - but still within arms
> length

yes it does.

> - or the phone is not at the right angle. A clear example is flat
> on the table next to you - this happens ALL the time. You have either
> leer over the phone or pick it up to point it at your face.
>
> A real drag when you want see your notifications. Simply resting your
> finger on TouchID was far more usable.

you have to point it at your face to be able to use the phone, so
that's not in any way an issue.

that said, off angle has been improved since the original face id
implementation.

>
> >> If
> >> they had stuck with it the pandemic would have been a non-issue for *all*
> >> iphone users.
> >
> > right, because apple has this magical crystal ball that can see into
> > the future. are you daft?
> >
> > there was *no* way to know back in 2013, when face id began life in
> > apple's labs, to later be introduced in 2017 with the iphone x, that a
> > pandemic was coming in 2020 where masks would be common.
>
> There has been warnings of a global flu pandemic for decades. Plus SARS
> and MERS were good warnings of something like COVID could happen.

those were contained and did not turn into anything close to what covid
did.

> Apple's horizon scanning team should have picked that. They may have done.

because they have a crystal ball for such things.

> I *AM* talking about when I am sat on the train/bus and I want to use my
> phone whilst wearing a mask. That's when FaceID is a real PITA.

so tap in a passcode after taking a seat. no big deal.

if that's the worst of your day, then you have it easy.

In article <t3622d$2vl$1@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >
> > a 4 digit passcode can be cracked in less than about 13 minutes, a 6
> > digit passcode in less than about 22 hours and a 10 digit passcode will
> > take around 25 years.
>
> That's why there are lockouts. A cracker doesn't have unlimited chances.

yes they do, because they bypass the limit for attempts.

> > alphanumeric passcodes push the amount of time into thousands or
> > millions of years,
>
> And utterly unnecessary.

for you maybe. for others, it's required.

different people have different threat models.

In article <t362kk$6r1$1@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >> It depends on the phone and the version of the OS. In some cases it's
> >> only ten attempts. You'd have to be a pretty good guesser for even a
> >> four digit pass code with 10,000 different possibilities, with six
> >> digits it's a million different possibilities.
> >
> > it's not done using random guesses.
> >
> >> The most secure biometric is iris scan, followed by 3D fingerprint
> >> scans.
> >
> > not even close to correct.
> >
> > the most secure biometric is apple's existing face id and google's now
> > discontinued face unlock on the pixel 4. nothing else comes close.
>
> Got an independent source to support that assertion?

look at all of the attempts to spoof the various methods.

apple's face id and the google pixel 4 (which are essentially the same)
are consistently the most difficult to spoof and it's not even close.

everything else is anywhere from fairly minor effort to almost no
effort whatsoever.

samsung's face unlock was spoofed literally minutes after it was
announced, in the hands-on area at the event, by using a selfie taken
on another phone. samsung knows it's worthless which is why it's not
allowed to be used for financial transaction.

in-screen fingerprint sensors can be spoofed with adhesive tape or
reflective foil in as little as 15 minutes. in samsung's case, applying
a screen protector caused the sensor to verify *any* fingerprint. they
obviously never tested it in the real world.

<https://www.tomsguide.com/us/in-screen-fingerprint-tinfoil-flaw,news-28
574.html>
Chinese researchers at Tencent's Xuanwu Lab discovered earlier this
year that they were able to unlock handsets simply by placing a piece
of opaque reflective material ‹ i.e., aluminum foil ‹ over the
in-screen fingerprint readers.

oneplus publicly stated that their fingerprint sensor is not that
secure and was optimized for speed.

> >> 3D FaceID is secure except in cases of siblings and child/parent
> >> where it has been shown to be compromised.
> >
> > identical twins is a known shortcoming, however, that has been greatly
> > improved to where it's unlikely, other relatives are highly unlikely to
> > work, nor is any of that a significant threat model, largely because
> > families normally know each other's passcodes.
>
> You have such an idealised view of families. People are at high risk of
> violent crime from family members and people they know, especially
> women. If anything people should secure their phones primarily from
> their relations, not random people.

you must have a horrible family life.

face id is *not* designed to protect against an evil twin, which is not
a common threat model. it's unlikely that both twins are living near
each other, let alone in the same house, certainly not if they are
enemies.

here in the real world, married couples share their passcodes and even
enroll each other's fingerprint so they can access each other's phone.
face id allows for an alternate appearance, and although it's designed
for the same person, it generally works for a spouse or partner. they
also share bank passwords, house & car keys, etc.

parents know the passcode of their kids phones to make sure they're not
doing things they ought not be doing.

In article <t364qt$mps$1@dont-email.me>, sms
<scharf.steven@geemail.com> wrote:

> > That's why there are lockouts. A cracker doesn't have unlimited chances.
>
> Precisely. Not just on phones and tablets, but on computers, ATM
> machines, home safes, garage door and entry door keypads, and many web
> applications.

unlike you, crackers know how to bypass the limit on phones and tablets.

web apps rely on password dumps, no attempts needed. copy/paste works
quite well.

> Still, a fingerprint reader on a phone is a lot more convenient, and
> more secure than a PIN code.

a fingerprint is more secure than a 4 digit pin code, but less secure
than 6 (or more) digits.

what you fail to understand is that the pin code is always an option,
thus a fingerprint offers *no* benefit over a 4 digit code and actually
makes it *less* secure with longer passcodes.

> I can't unlock my someone else's phone with
> my fingerprint unless I program my fingerprint in. But PINs are often
> written down somewhere or are based on guessable criteria if you know
> the person.

a pin can always be used, regardless of enrolling a fingerprint.

and you're also contradicting yourself again.