My feeling on this is that it's probably bypassable, albeit with a fair bit of effort and at a cost. However, the bot operators willing to sink that cost into bypassing the system are probably the...
My feeling on this is that it's probably bypassable, albeit with a fair bit of effort and at a cost. However, the bot operators willing to sink that cost into bypassing the system are probably the most nefarious. For this reason, I think it's better to train users to be naturally skeptical rather than lull them into a sense of security that gives the bot operators even more leverage over them.
Yeah, it sounds like they can bypass it, and it's likely that the bypass will cost less than the money they make on the botting in the first place, so it won't mean anything.
Yeah, it sounds like they can bypass it, and it's likely that the bypass will cost less than the money they make on the botting in the first place, so it won't mean anything.
I'm having a hard time understanding this. Is the hardware key the same for all devices of the same type? How is your fingerprint effecting the encryption? Also I'm not that familiar with...
I'm having a hard time understanding this. Is the hardware key the same for all devices of the same type? How is your fingerprint effecting the encryption?
Also I'm not that familiar with fingerprinting, I know everyone's fingerprint is unique, but is our fingerprinting software accurate enough to not mistake another user's fingerprint with mine, for example.
Looking at the current state of the Touch ID/Face ID API, Apple probably wouldn’t let you get control or info that fine-grained. Currently all you can do is get info on whether the user...
Looking at the current state of the Touch ID/Face ID API, Apple probably wouldn’t let you get control or info that fine-grained. Currently all you can do is get info on whether the user successfully authorized or not. This could be with Touch ID, Face ID, or even a passcode if they failed too many attempts at one of the above (I think you can disable the passcode option though). I don’t think the API tells you which they used. So if they expanded it to include public/private keys like is suggested in the article, it’s likely that they wouldn’t differentiate between Face and Touch ID.
My feeling on this is that it's probably bypassable, albeit with a fair bit of effort and at a cost. However, the bot operators willing to sink that cost into bypassing the system are probably the most nefarious. For this reason, I think it's better to train users to be naturally skeptical rather than lull them into a sense of security that gives the bot operators even more leverage over them.
Yeah, it sounds like they can bypass it, and it's likely that the bypass will cost less than the money they make on the botting in the first place, so it won't mean anything.
I'm having a hard time understanding this. Is the hardware key the same for all devices of the same type? How is your fingerprint effecting the encryption?
Also I'm not that familiar with fingerprinting, I know everyone's fingerprint is unique, but is our fingerprinting software accurate enough to not mistake another user's fingerprint with mine, for example.
With touchID and equivalent on Android, the fingerprint isn't sent anywhere. The scanner unlocks a cryptographic keypair instead for authentication.
Interesting. Face ID on the iPhone X would be even better for this. Maybe it could display a 'Verified by Face ID' at the top of the post.
Looking at the current state of the Touch ID/Face ID API, Apple probably wouldn’t let you get control or info that fine-grained. Currently all you can do is get info on whether the user successfully authorized or not. This could be with Touch ID, Face ID, or even a passcode if they failed too many attempts at one of the above (I think you can disable the passcode option though). I don’t think the API tells you which they used. So if they expanded it to include public/private keys like is suggested in the article, it’s likely that they wouldn’t differentiate between Face and Touch ID.
https://developer.apple.com/documentation/localauthentication/