this post was submitted on 21 Feb 2026
481 points (99.8% liked)

People Mastodon

384 readers
256 users here now

People tooting stuff. We allow toots from anyone and are platform agnostic (Mastodon, BlueSky, Twitter, Tumblr, FaceBook, Whatever)

founded 5 months ago
MODERATORS
Deceptichum@quokk.au
481
get facial surgery (infosec.pub)
submitted 1 month ago by Deceptichum@quokk.au to c/peoplemastodon@quokk.au
23 comments fedilink hide all child comments
top 23 comments
sorted by: hot top controversial new old
[–] Arghblarg@lemmy.ca 66 points 1 month ago (1 children)

.. And importantly, US legal rulings currently state that you can be coerced by law enforcement / border agents to unlock your devices using biometrics (being a part of your body), but NOT coerced to reveal a PIN or password, as that is something you remember -- no forced confessions or something like that.

And if you have a device-wipe 'duress' PIN code, make sure you use it BEFORE being asked to unlock the device, or they'll claim you erased evidence. Better to just not have ANY data you are concerned about on the device while crossing into any country -- carry a blank device, and download it securely after entry.

Never use fingerprint or face unlock on your phone if travelling to the US.

[–] sepiroth154@feddit.nl 56 points 1 month ago (2 children)

I have an even simpler rule. Dont travel to the US. (and Canada does this too)

[–] Crackhappy@lemmy.world 10 points 1 month ago (1 children)

Regrettably a lot of people have a requirement to travel to the US and other authoritarian countries.

[–] sepiroth154@feddit.nl 2 points 1 month ago

Yeah I feel for the people who don't have that choice...

[–] BarneyPiccolo@lemmy.today 5 points 1 month ago (1 children)

As an American who lives in a major tourist zone, don't visit right now. We'll weather the storm, and you can come back when we get our shit together again. We will.

[–] sepiroth154@feddit.nl 4 points 1 month ago

Yeah as they say, it is always darkest before dawn.

[–] karashta@piefed.social 19 points 1 month ago (1 children)

I enjoy that grapheneOS let's me set up a secondary pin to nuke the phone.

[–] whotookkarl@lemmy.dbzer0.com 4 points 1 month ago

And multiple profiles to further sandbox different uses or types of software (social media, email, games, etc)

[–] hedge_lord@lemmy.world 15 points 1 month ago

Oh no, my face scan was leaked! I guess I have no choice other than to fill myself with estrogen in order to reshape its fatty tissues, something I would absolutely not have done otherwise. Oh no!

(sarcasm disclaimer: this is sarcastic)

[–] AnchoriteMagus@lemmy.world 15 points 1 month ago (2 children)

I have never set up biometric unlocks on any phone for exactly this reason. No one gets access to my fingerprints unless they cuff me and get them the old-fashioned way.

[–] Zorcron@lemmy.zip 12 points 1 month ago (1 children)

As far as I understand, fingerprint data for at least the flagship smartphones is not even stored on the device itself, just what amounts to a hash of it. I haven’t heard of any vulnerabilities of these systems that allow your fingerprint or facial information to be extracted from the device, only bypassed by some tools like the password.

I’d be interested if you have info that suggests otherwise.

[–] Maxxie@piefed.blahaj.zone 2 points 1 month ago* (last edited 1 month ago) (2 children)

That's correct, no sane implementation of biometrics stores your actual data. Its hashed when you log in to compare with the stored hash, then deleted.

It can leak if the server is compromised or misconfigured, so it is still worse than a password.

[–] Zorcron@lemmy.zip 1 points 1 month ago (2 children)

How is it worse than a password in that way?

[–] anton@lemmy.blahaj.zone 1 points 1 month ago

You can't use a cryptographic hash, as small changes in a password means it's wrong, but in biometrics it needs to be allowed to account for different angles/lighting/mood. This means there must be more accessible information on the device.

[–] rapchee@lemmy.world 1 points 1 month ago (1 children)

you can't change your fingerprint, unlike a leaked password

[–] Zorcron@lemmy.zip 1 points 1 month ago

My understanding is that your fingerprint cannot be recreated from the data on the iPhone at least, and that it never leaves the touchID module. Is that wrong?

[–] Nomad 1 points 1 month ago (1 children)

So right and so wrong at the same time. A hash loses be by definition information. So you can compare it to a fingerprint and decide if it matches. It can't be used to reconstruct a fingerprint due to complexity of fingerprints and the complexity. So you can't reuse the hash to authenticate anywhere, so stealing it has only reduced benefit. Maybe a mass surveillance state might want that to find your finger prints where you have been but this is a lot more work than just confirming your phone identifier and forcing the cell company to reveal you whereabouts.

[–] Maxxie@piefed.blahaj.zone 2 points 1 month ago* (last edited 1 month ago) (1 children)

which part was wrong?

Because the hashing happens server-side, it still has access to the original data. Which is why I said

It can leak if the server is compromised or misconfigured

[–] Nomad 1 points 1 month ago

The hash for a password is not that secret. For a strong password it can't be used for anything bad really.

[–] nexguy@lemmy.world 2 points 1 month ago

Or anything you've ever touched

[–] Akasazh@lemmy.world 7 points 1 month ago* (last edited 1 month ago)

There's burn victim survivors that could get in an awkward spot due to that shit. Fingerprints and facial features seem relatively unchanging unless something very dramatic happens.

[–] wonderingwanderer@sopuli.xyz 4 points 1 month ago

Facial recognition scans are so detailed that that data can be used to make highly realistic deepfakes. Deepfakes with higher resolution than an ordinary video recording. And a couple layers of abstraction can obscure the origins of the "video"...

We're entering some truly dystopian times...

[–] apotheotic@beehaw.org 3 points 1 month ago

Damn, bet, time to get ffs