I have tremendous respect for Troy Hunt and have learned loads about cybersecurity from him. That's why it surprised me so much to read his recent piece on biometric credentials.

I agree with much of his piece. The password regime has many, many flaws! I agree with Hunt that, right now, for a lot of people, it provides more utility with less downside to use biometric auth to protect their devices than it does to use PINs and passphrases! "And when you do unlock your biometric-enabled device, you can do so in front of people whom you wouldn't want to know your PIN....The risks associated with biometrics can only ever be fairly assessed when viewed alongside the risks of not using biometrics." Agreed.

But it surprised me that Hunt missed two important nuances here since he's usually so sensible; thus this post to add them in.

One has to do with how policing and police-related violence and coercion work, in the United States and elsewhere. "For the vast majority of people, this whole thing about US law enforcement and PIN versus biometrics is a non-event and often ends up with increasingly absurd arguments," Hunt writes. He does say, "if the cops are your threat actor, then don't use biometrics" -- e.g., activists/protesters who are forewarned about a fraught situation -- but he dismisses concerns about police coercion to unlock as more-or-less absurd and unrealistic (and implies that they're US-centric), and ignores or handwaves away those concerns in ways I found unconvincing.

For example, he notes that federal judges have ruled that police are not legally allowed to coerce people into biometrically unlocking a phone. That does not mean that they will not do it! Police routinely do things that they are not legally allowed to do, and -- what with police unions closing ranks against accountability, the qualified immunity doctrine, and so on -- they often get away with it, especially in the US.

He also mentions a scenario in which the user is videorecording a police shooting and "then they demand you hand over your unlocked phone so they can erase the evidence." He calls this scenario unrealistic, and further says that in that case, "They're going to shoot you too and take your phone". This response badly misunderstands the dynamics of police violence in (at least) the United States. Put baldly, cops have an easier time getting away with hurting some people than with hurting others. It is easier for cops in the US to evade responsibility for killing Black, Latino/Latina, and Native American people than to evade responsibility for injuring white people. It is easier for cops to successfully argue in court that they were afraid for their lives, and thus shoot someone 41 times, than to argue that a nearby witness was also a threat to their lives (especially when they're not certain how much surveillance footage will survive and from which angles). Darnella Frazier lived to post her video and Diamond Reynolds lived to post hers.

This is why bystanders, especially those of us whom the cops will hesitate to treat badly, leverage our status and get into the habit of taking a moment to watch and record police interactions when we see them happening nearby.*

Hunt bases his argument on an assumption that a user will rarely be concerned with cops as a threat actor, and that this tiny percentage of people can know ahead of time and configure their phones accordingly. This assumption does not hold.

Second: Even if you completely disagree with me on that point, one other part of Hunt's argument also doesn't make sense to me. Hunt discusses how very difficult it is for nearly any bad actor to obtain and use a fingerprint, and to fool the verifier in biometric authentication. But attacks only get easier. And this is where the "you can't change your fingerprints" problem (which Hunt dismisses early on) gets more dire. Depending on how the manufacturer/platform has configured things, if I sign up for biometric-based auth on a device, I may be irrevocably sharing my fingerprint data into a database that will stick around for long enough for the attacks to get easier -- five or ten or fifteen years from now, when it is easy for neighborhood ne'er-do-wells to reproduce my fingerprint to fool a verifier.

These are two places where the risks of using biometric auth are more complicated than in Hunt's assessment. Knowing the trade-offs helps us make better decisions.

Thanks to Jacob Kaplan-Moss for giving this post a look before I published it.

* Shortcuts make this easier. Also: since, yes, law enforcement might take witnesses' phones away, streaming/backups, crowds of witnesses, and redundancy are also helpful. The Mobile Justice app makes it easier to livestream "to your closest contacts and your local ACLU"; rapid response networks get groups of people to document immigration enforcement actions to monitor for unconstitutional activity.