Am 13.04.22 um 10:36 schrieb Chris:
> On 12/04/2022 18:28, nospam wrote:
>> a 4 digit passcode can be cracked in less than about 13 minutes, a 6
>> digit passcode in less than about 22 hours and a 10 digit passcode will
>> take around 25 years.
>
> That's why there are lockouts. A cracker doesn't have unlimited chances.

Are you trying to Troll?

>> alphanumeric passcodes push the amount of time into thousands or
>> millions of years,
>
> And utterly unnecessary.

Yes you are really trying to Troll. nospam just gave us a mathematical
consideration.

--
De gustibus non est disputandum

Am 13.04.22 um 10:33 schrieb Chris:
> You're never going to persuade the average punter to plugin a 10-digit
> passcode. Many people struggle with 4-digit PINs.
>
> You are not in touch with reality.

You are Troll. Nobody was ever asked to use such 10-digit-PIN. Nowhere.
In this thread you only present pseudo-arguments.

--
De gustibus non est disputandum

nospam wrote:

> wrong. they *did* deal with it.
>
> still waiting for you to tell us what they could have done better.

Face ID is nothing more or less than a silly marketing gimmick.

And the fact it still doesn't work with masks doesn't matter.

If Apple really cared about security, they'd test their iOS code.
--
Nobody consistently has more zero-day zero-click bugs than does iOS.

nospam wrote:

> look at all of the attempts to spoof the various methods.
>
> apple's face id and the google pixel 4 (which are essentially the same)
> are consistently the most difficult to spoof and it's not even close.
>
> everything else is anywhere from fairly minor effort to almost no
> effort whatsoever.

Faceid is nothing more, nor less, than a very successful marketing gimmick.
The bigger threat to your security is the huge number of iOS zero-day holes.

Apple adds so many zero-day holes to iOS that it's shocking the insecurity.

And yet, Apple doesn't advertise that they have so many zero-day holes.
Apple simply advertises a silly marketing gimmick that doesn't even work.

Chris wrote:

> You have such an idealised view of families. People are at high risk of
> violent crime from family members and people they know, especially
> women. If anything people should secure their phones primarily from
> their relations, not random people.

Chris is, IMHO, correct that an intelligent person assesses their risks.
Most people are not at risk by their family members - but some are.

If _that_ is the case, then, by all means, secure your phone.

The point is that intelligent people assess their risks before resorting to
cumbersome security which _requires_ silly marketing gimmicks to be used.

On 2022-04-13 8:11 a.m., Andy Burnelli wrote:
> nospam wrote:
>
>> wrong. they *did* deal with it.
>>
>> still waiting for you to tell us what they could have done better.
>
> Face ID is nothing more or less than a silly marketing gimmick.

Is this a fact, Arlen?

nospam <nospam@nospam.invalid> wrote:
> In article <t362kk$6r1$1@dont-email.me>, Chris <ithinkiam@gmail.com>
> wrote:
>
>>>> It depends on the phone and the version of the OS. In some cases it's
>>>> only ten attempts. You'd have to be a pretty good guesser for even a
>>>> four digit pass code with 10,000 different possibilities, with six
>>>> digits it's a million different possibilities.
>>>
>>> it's not done using random guesses.
>>>
>>>> The most secure biometric is iris scan, followed by 3D fingerprint
>>>> scans.
>>>
>>> not even close to correct.
>>>
>>> the most secure biometric is apple's existing face id and google's now
>>> discontinued face unlock on the pixel 4. nothing else comes close.
>>
>> Got an independent source to support that assertion?
>
> look at all of the attempts to spoof the various methods.

That'll be a no, then. Got it.

>>>> 3D FaceID is secure except in cases of siblings and child/parent
>>>> where it has been shown to be compromised.
>>>
>>> identical twins is a known shortcoming, however, that has been greatly
>>> improved to where it's unlikely, other relatives are highly unlikely to
>>> work, nor is any of that a significant threat model, largely because
>>> families normally know each other's passcodes.
>>
>> You have such an idealised view of families. People are at high risk of
>> violent crime from family members and people they know, especially
>> women. If anything people should secure their phones primarily from
>> their relations, not random people.
>
> you must have a horrible family life.

I'm not naive. The stats speak for themselves.

> face id is *not* designed to protect against an evil twin, which is not
> a common threat model. it's unlikely that both twins are living near
> each other, let alone in the same house, certainly not if they are
> enemies.

No-one mentioned an evil twin.

> here in the real world, married couples share their passcodes and even
> enroll each other's fingerprint so they can access each other's phone.
> face id allows for an alternate appearance, and although it's designed
> for the same person, it generally works for a spouse or partner. they
> also share bank passwords, house & car keys, etc.
>
> parents know the passcode of their kids phones to make sure they're not
> doing things they ought not be doing.

lol. Kids are very capable of hiding things from parents. That's why it's
better to have a relationship based on trust rather than surveillance.

On Tue, 12 Apr 2022 15:43:12 -0400, nospam wrote:

> > Does it work with a photo of your face?
> no.
>
> the pixel 4 and apple's face id use an infrared dot projector to create
> a 3d map of a person's face, which works in complete darkness.
>
> <https://cdn.arstechnica.net/wp-content/uploads/2019/10/4-2.jpg>
>
> unlike face unlock on other android phones, a photo will *not* work.

Awesome!

--
s|b

On Tue, 12 Apr 2022 23:03:30 +0200, Joerg Lorenz wrote:

> Face recognition is more secure than finger print by factors.

Will it work if you get punched in the face or have an accident and your
face is all bruised? (I know there's a backup, I'm just curious. ;-)

--
s|b

In article <jbrbcaFq4g4U2@mid.individual.net>, s|b <me@privacy.invalid>
wrote:

>
> Will it work if you get punched in the face or have an accident and your
> face is all bruised? (I know there's a backup, I'm just curious. ;-)

it's adaptive and can handle changes in appearance, such as shaving a
beard (growing one is more gradual), applying/removing makeup,
donning/removing eyeglasses, etc., so it's very likely that bruises
will not be an issue.

it won't work if your head is wrapped in bandages, but in that case,
using a phone is probably not a high priority.

On Thu, 14 Apr 2022 15:48:54 -0400, nospam wrote:

> it's adaptive and can handle changes in appearance, such as shaving a
> beard (growing one is more gradual), applying/removing makeup,
> donning/removing eyeglasses, etc., so it's very likely that bruises
> will not be an issue.

They've come a long way. It's frightening.
> it won't work if your head is wrapped in bandages, but in that case,
> using a phone is probably not a high priority.

You're probably right about that.

--
s|b

In article <t37b17$fek$1@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >>>> It depends on the phone and the version of the OS. In some cases it's
> >>>> only ten attempts. You'd have to be a pretty good guesser for even a
> >>>> four digit pass code with 10,000 different possibilities, with six
> >>>> digits it's a million different possibilities.
> >>>
> >>> it's not done using random guesses.
> >>>
> >>>> The most secure biometric is iris scan, followed by 3D fingerprint
> >>>> scans.
> >>>
> >>> not even close to correct.
> >>>
> >>> the most secure biometric is apple's existing face id and google's now
> >>> discontinued face unlock on the pixel 4. nothing else comes close.
> >>
> >> Got an independent source to support that assertion?
> >
> > look at all of the attempts to spoof the various methods.
>
> That'll be a no, then. Got it.

it's *not* a no. it's exactly what you requested.

actual attempts to spoof the various options show which methods are
more secure and which are not.

the fact is that apple's face id and google's equivalent are the most
secure, with fingerprint (especially under-screen), face unlock (other
than apple & google), iris scan and gestures being less secure, and in
some cases, laughably bad.

face unlock was spoofed with a selfie on another phone at the product
intro in the hands-on area, just minutes after being announced. iris
scan can be spoofed with a photo and a contact lens. under-screen
fingerprint sensors need little more than reflective foil or adhesive
tape, depending on which type it is.

spoofing apple's face id requires making a 3d head that matches the
owner's face. which you'd need to know who it is to be able to do so,
and somehow make it appear to be 'alive' sufficient to fool the system
into thinking it's not a dummy head.

you would also have to do it within 48 hours (likely less) and make
sure it unlocks within the first 5 attempts, otherwise it will require
a passcode. good luck.

> >>>> 3D FaceID is secure except in cases of siblings and child/parent
> >>>> where it has been shown to be compromised.
> >>>
> >>> identical twins is a known shortcoming, however, that has been greatly
> >>> improved to where it's unlikely, other relatives are highly unlikely to
> >>> work, nor is any of that a significant threat model, largely because
> >>> families normally know each other's passcodes.
> >>
> >> You have such an idealised view of families. People are at high risk of
> >> violent crime from family members and people they know, especially
> >> women. If anything people should secure their phones primarily from
> >> their relations, not random people.
> >
> > you must have a horrible family life.
>
> I'm not naive. The stats speak for themselves.

domestic violence stats are irrelevant to biometrics or passcode
security on phones.

you are as usual, trying to move the goalposts, in addition to avoiding
answering what apple could have done better to deal with the pandemic,
other than the ridiculous and delusional claim that they should have
changed their entire product plans based on the possibility a pandemic
might occur one day at some unknown point in the future.

> > face id is *not* designed to protect against an evil twin, which is not
> > a common threat model. it's unlikely that both twins are living near
> > each other, let alone in the same house, certainly not if they are
> > enemies.
>
> No-one mentioned an evil twin.

apple did.

when apple announced face id, they stated that was a scenario with an
increased possibility of spoofing:
<https://content.fortune.com/wp-content/uploads/2017/09/screen-shot-2017-
09-13-at-11-43-58-am.png>

however, an identical twin (evil or not) isn't necessarily guaranteed
to gain access:
<https://findbiometrics.com/archive/windows-hello-twins-28214/>
Not even twins can fool Windows Hello, the biometric authentication
platform built into the new Windows 10 operating system. In
anexperiment conducted by The Australian with six sets of twins,
the system never falsely granted access to any of the twins trying
to log in under their siblings¹ names.

also,
<https://www.patentlyapple.com/patently-apple/2020/07/apple-wins-an-adva
nced-face-id-related-patent-that-is-evil-twin-proof-using-subepidermal-i
maging-and-more.html>
Apple's granted patent 10,719,692 covers Face ID with Subepidermal
Imaging and Machine Learning that will be able to distinguish faces
even between twins.

In certain embodiments, the captured subepidermal image includes an
image of one or more blood vessels (e.g., veins) in the user's face.
Apple's patent FIG. 9 below depicts a representation of an embodiment
of an image of subepidermal features in a user's face.

> > here in the real world, married couples share their passcodes and even
> > enroll each other's fingerprint so they can access each other's phone.
> > face id allows for an alternate appearance, and although it's designed
> > for the same person, it generally works for a spouse or partner. they
> > also share bank passwords, house & car keys, etc.
> >
> > parents know the passcode of their kids phones to make sure they're not
> > doing things they ought not be doing.
>
> lol. Kids are very capable of hiding things from parents. That's why it's
> better to have a relationship based on trust rather than surveillance.

which is why responsible parents want to know the passcode, who *can*
check it if needed, but trust the kid so that they don't have to.