468
Stop Using Your Face or Thumb to Unlock Your Phone (gizmodo.com)
submitted 6 months ago by return2ozma@lemmy.world to c/technology@lemmy.world
213 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[-] carl_dungeon@lemmy.world 198 points 6 months ago

Last week, the 9th Circuit Court of Appeals in California released a ruling that concluded state highway police were acting lawfully when they forcibly unlocked a suspect’s phone using their fingerprint.

You can turn that and Face ID off on iOS by mashing the power button 5 times- it locks everything down.

[-] BrianTheeBiscuiteer@lemmy.world 93 points 6 months ago

I've always wanted a setting to create a lockdown key and an unlock key. So something like middle-finger to unlock but index-finger to force it into PIN/password only mode. So you can have some convenience of a quick unlock but if an authority figure asks or forces you to unlock it you can one-tap lock it down.

[-] MostlyGibberish@lemm.ee 54 points 6 months ago

Android has a similar feature. It's called "Lockdown mode" on the shutdown menu. Locks the phone and turns off any biometric unlocks.

[-] Bonehead@kbin.social 37 points 6 months ago

Except it doesn't activate by mashing the power button 5 times. On my Pixel 8, that activates the emergency dialer that will automatically call 911 if you don't cancel the prompt in 5 seconds. I did not know that before. Probably a better use for that feature. It also points out the different ideologies of Apple vs Android.

[-] fahfahfahfah@lemmy.billiam.net 18 points 6 months ago

It does the same thing on iOS, but face/Touch ID is disabled after.

load more comments (1 replies)
[-] AbidanYre@lemmy.world 12 points 6 months ago

My wife's pixel 3(?) with a flaky power button had us wake up to cops knocking on the door because of that feature.

load more comments (2 replies)
load more comments (12 replies)
[-] ShittyBeatlesFCPres@lemmy.world 32 points 6 months ago

In a getting pulled over situation, this works. But do it before you go protest anything. Or better yet, leave your phone at home. You don’t want to be reaching for something while a cop is pointing a gun at you and saying “Hands up!”

[-] devfuuu@lemmy.world 30 points 6 months ago

Not to mention it's pretty regular to track who is participating by checking the towers in the zone all the people are participating.

load more comments (1 replies)
[-] merde@sh.itjust.works 11 points 6 months ago

☞ EFF / Surveillance Self-Defense / Attending a Protest

load more comments (1 replies)
[-] someguy3@lemmy.world 22 points 6 months ago* (last edited 6 months ago)

That's terrifying. So once we have tech to forcibly see inside the brain, that will be legal too?

load more comments (9 replies)
[-] FederatedSaint@lemmy.world 13 points 6 months ago

Do you have to mash it? Or will pressing it normally work?

load more comments (2 replies)
[-] ccunning@lemmy.world 9 points 6 months ago

You can also just long press a volume button with the lock button (with a FaceID phone). I find this harder to mess up under stress.

load more comments (6 replies)
[-] TheFriar@lemm.ee 151 points 6 months ago* (last edited 6 months ago)

Further advice regarding civil disobedience:

LEAVE YOUR PHONES AT HOME. Write down some numbers in case you get arrested—or better yet, memorize them. There are journalists there for documenting. And there will be plenty of other people that don’t follow this advice. Leave anything they could use as leverage over you and your cohorts away. Don’t bring ID. Don’t bring anything except what you need for the action. It’s not worth the risk.

ETA: also, any of you with a new car? DONT DRIVE THAT SHIT TO ANY MEETING OR PROTEST. They’re spying on you. Don’t post about it. Don’t use any unencrypted messaging service to coordinate it—WhatsApp is not safe. Signal and probably some other less common ones are the only ones safe enough. Ride a bike there, stash it in a conveniently hidden spot. Bring a change of clothes, plan escape routes, plant the change of clothes either hidden on your escape route or wear them under your plain clothes. Cover tattoos. Leftist activists are not safe. And literally the rest of your life could depend upon how well protected you have made yourself.

https://www.theguardian.com/us-news/2022/feb/10/felony-charges-pipeline-protesters-line-3

So many states have pretty quietly passed laws to make you a felon for protesting. Even peacefully. And to make you a fuckin corpse. In the south especially, a few states were writing “go ahead, run over any protester in the road” laws.

Be smart. Be safe. Have a plan. Have a contingency plan. This isn’t “fuck around with the blunt end of the justice system and find out” territory, in 2024 US, it’s time to be as safe as you can while doing what’s right. Because doing what’s right is criminalized. Heavily.

[-] simplejack@lemmy.world 26 points 6 months ago

If you’re going somewhere where you think you might be at risk, IMHO, it’s probably just easier to turn your phone off. Android and iOS both require a non-biometric passcode after boot.

Or, if you want to keep your phone on, enable lockdown mode on Android, or tap power 5 times on iOS to require a non-biometric password at the next unlock.

[-] TheFriar@lemm.ee 46 points 6 months ago

It’s never a good idea to bring your phone with you. It can be used, even while powered off, to track and surveil you. The BLM protests were just the tip of the iceberg. The apps you have on your phone track you. The government is buying that tracking data. Your phone is a massive privacy weak point. It’s basically a bug you carry on you willingly. It’s not safe. Period.

https://theconversation.com/police-surveillance-of-black-lives-matter-shows-the-danger-technology-poses-to-democracy-142194

https://www.vox.com/recode/22565926/police-law-enforcement-data-warrant

Leave your phone at home. It’s not worth it. It may not bite you in the ass the day of, but could very easily come back to haunt you after they investigate, in case anything goes “wrong” in their eyes. It’s just not worth it.

[-] simplejack@lemmy.world 36 points 6 months ago

IMHO, as someone that works in security / privacy, I tend not to view it as a binary thing. It depends on where you live, what you’re protesting, what you look like, who you are, etc.

Are you in Russia or China and are protesting the government? Yeah, I might leave that thing at home. Are you a white lady in San Francisco marching with a pink knit cat hat during brunch hours, then you’re probably well on the other side of the risk spectrum. You might actually be introducing more risk by having less immediate access to communication or a camera.

IMHO, it’s nuanced.

load more comments (6 replies)
load more comments (20 replies)
load more comments (1 replies)
load more comments (7 replies)
[-] IzzyScissor@lemmy.world 73 points 6 months ago

It's frustrating to no end that fingerprints and face ID are treated like passwords when they should be treated like usernames.

load more comments (2 replies)
[-] sramder@lemmy.world 72 points 6 months ago

The article pretty plainly says the guy was coerced into entering his password. So the headline feels a bit manipulative.

[-] RidcullyTheBrown@lemmy.world 21 points 6 months ago

The headline is click-bait. I honestly don’t know why people still read this crap.

load more comments (5 replies)
[-] thorbot@lemmy.world 18 points 6 months ago* (last edited 6 months ago)

It’s Gizmodo. Its all manipulative bullshit.

[-] Emmie@lemm.ee 10 points 6 months ago* (last edited 6 months ago)

Lemmy quality descended quite quickly. What’s the more intelligent tech community alternative besides hacker news?

It seems everything descends into this samey mess of america bad, eat the rich which I don’t dispute with but I am here for tech and not politics honestly. Time and place for everything.

The amount of low effort comments that seem to only be about points/validation which aren’t even visible for some is tiring.

It used to be that you would look into comments for useful information about the posted article. Now you can skip the comments altogether and the posted links quality also became questionable.

I miss times where you could find links to some niche but full of creativity/usefulness websites in the comments or posts. Those juicy gems of the web. Or learn some fact that you had no idea about.

I want to learn something new being here. Not make my brain feel good with the reward of validation.

[-] Lesrid@lemm.ee 12 points 6 months ago

Probably because America bad, eat the rich.

load more comments (12 replies)
load more comments (2 replies)
load more comments (3 replies)
[-] riodoro1@lemmy.world 61 points 6 months ago

Maybe don’t live in a fucking dystopia. The US is a police state and you have no freedom left.

load more comments (2 replies)
[-] friend_of_satan@lemmy.world 60 points 6 months ago* (last edited 6 months ago)

## How to disable Face ID through the Power Off screen

  1. Hold down both the Side Button and either Volume Button at the same time for three seconds.
  2. The Power Off slider should appear. Tap Cancel.

You actually don't need to hit cancel, you can just hit lock, so you can do this whole thing with your phone in your pocket.

https://appleinsider.com/inside/iphone/tips/how-to-quickly-disable-face-id

This is easier and less intrusive than the lock-button-5-times method because it doesn't start making a phone call that you have to quickly cancel.

[-] Shrank7242@lemmy.zip 14 points 6 months ago

This is the advice people (with iOS) should follow, not disabling biometrics altogether. Using FaceID or TouchID prevents shoulder surfing to find out what the password to your phone is. When local passwords have so much control over a device, using biometrics to prevent anyone from seeing what your passcode is is very useful.

load more comments (4 replies)
[-] PresidentCamacho@lemm.ee 50 points 6 months ago

FYI Androids have a feature for this. If you are ever forced to interact with a cop you can press the side button and volume up(might be different on other phones) to select lockdown which will force your phone to only be opened with the password. Its gross that we need this feature, but now you know.

[-] PM_Your_Nudes_Please@lemmy.world 12 points 6 months ago

iPhones do this too. Hold the lock and volume down button until your phone buzzes, to get to the SOS/reboot screen. Once that screen is activated, it’ll disable biometrics until the passcode is entered.

You can even take photos/videos with the locked phone, and the recordings won’t be able to be deleted from your iCloud until the passcode is entered. Handy for recording cops. Cuz even if they take your phone and delete the recording, it’ll still sit in your “Recently Deleted” for 30 days. And while the phone is locked, they can’t access that Recently Deleted folder to permanently wipe it. So you can just access your iCloud account from any computer and recover the “deleted” footage.

[-] vermyndax@lemmy.world 12 points 6 months ago

iPhones also have this feature, for a long time now:

https://ios.gadgethacks.com/how-to/keep-law-enforcement-out-your-iphone-your-privacy-intact-0194999/

Rather irresponsible of the article to not point out these features on Android and iPhone. Did a cop or government official write that article?

load more comments (1 replies)
load more comments (11 replies)
[-] hedgehog@ttrpg.network 48 points 6 months ago

Terrible article. Even worse advice.

On iOS at least, if you’re concerned about police breaking into your phone, you should be using a high entropy password, not a numeric PIN, and biometric auth is the best way to keep your convenience (and sanity) intact without compromising your security. This is because there is software that can break into a locked phone (even one that has biometrics disabled) by brute forcing the PIN, bypassing the 10 attempts limit if set, as well as not triggering iOS’s brute force protections, like forcing delays between attempts. If your password is sufficiently complex, then you’re more likely to be safe against such an attack.

I suspect the same is true on Android.

Such a search is supposed to require a warrant, but the tool itself doesn’t check for it, so you have to trust the individual LEOs in question to follow the law. And given that any 6 digit PIN can be brute forced in under 11 hours (40 ms per entry), this means that if you were arrested (even for a spurious charge) and held overnight, they could search your phone without you knowing.

With a password that has the same entropy as 10 random digits, assuming no further vulnerabilities allowing them to speed up the process, it could take up to 12 and a half years to brute force it. Make it alphanumeric (and still random) and it’s millions of years - infeasible within our lifetime - it’s basically a question of whether another vulnerability is already known or is discovered that enables bypassing the password entirely / much faster rates of entry.

If you’re in a situation where you expect to interact with law enforcement, then disable biometrics. Practice ahead of time to make sure you know how to do it on your phone.

[-] ashok36@lemmy.world 11 points 6 months ago

Or they make a copy of your phone, alphanumeric password and all, and just sit on it for ten years until quantum computers make solving the password a piece of cake.

You should assume that any device confiscated by authorities will be copied and broken into eventually. Treat all data on said device as if it's already compromised.

[-] hedgehog@ttrpg.network 14 points 6 months ago

Copying an iPhone isn’t as straightforward as you seem to think. Copying data from a locked iPhone requires either an exploit or direct access to the SSD / memory chips on the device (basically, chip-off forensics, which likely requires bypassing the storage controllers), and I assume the same is true for Android devices.

I’m not saying such exploits don’t exist, but local police departments don’t have access to them. And they certainly don’t have the capability to directly access your device’s storage and then reassemble it without your knowledge.

Now, if your device is confiscated for long enough that it could be mailed off to a forensics lab for analysis? Sure, then it’s a possibility. But most likely if they want your data that badly they’ll either hold onto your device, compel you into sharing the info with them, or try to trick you into giving it to them. Hanging onto your data without a warrant for over a decade is a high risk, low reward activity.

Your data’s more vulnerable to this sort of attack in transit.

load more comments (1 replies)
load more comments (13 replies)
[-] helpImTrappedOnline@lemmy.world 36 points 6 months ago* (last edited 6 months ago)

On pixel, if you ever need to - press and hold the power button, select "lockdown".

(It might apply to other androids too, I don't know.)

You will now need a pin to unlock the phone. This disables the lock screen shortcut (camera, light, etc) as well.

Why disable your convence features for an scenerio that is not likely and can be quickly and easily be prevented.

Universal: You could also just the tap the sensor with a "wrong" finger a few time, and the pin will be required.

Maybe don't do this one in front the cops...if you find your self in a postion where they are trying to unlock your phone, you probably don't want to piss them off. .

Edit: I'm surprised no one called me out on "if you're ever need to". The sentence was going to be "if you're even in a situation that needs...", but that was getting too long. Forgot to change you're to you.

[-] muffedtrims@lemmy.world 12 points 6 months ago

On my pixel 6 it is power + Volume Up to access the power menu with lockdown.

load more comments (3 replies)
load more comments (11 replies)
[-] Boozilla@lemmy.world 33 points 6 months ago

I've avoided willingly using biometrics so far. Though I'm sure our faces, gaits, body shapes, etc, are all stored somewhere, willingly or not.

Say no to biometrics. It's like having a password you can never change.

[-] ricecake@sh.itjust.works 36 points 6 months ago

So, it really depends on your personal threat model.

For background: the biometric data doesn't leave the device, it uses an on-device recognition system to either unlock the device, or to gain access to a hardware security module that uses very strong cryptography for authentication.

Most people aren't defending against an attacker who has access to them and their device at the same time, they're defending against someone who has either the device or neither.

The hardware security module effectively eliminates the remote attacker when used with either biometric or PIN.
For the stolen or lost phone attack, biometric is slightly more secure, but it's moot because of the pin existing for fallback.

The biggest security advantage the biometrics have to offer is that they're very hard to forget, and very easy to use.
Ease of use means more people are likely to adopt the security features using that hardware security module provides, and that's what's really dialing up the security.

Passwords are most people's biggest vulnerability.

load more comments (8 replies)
[-] breadsmasher@lemmy.world 26 points 6 months ago

Password you can never change

Not with that attitude! You can absolutely change your face. its rather inadvisable

[-] tsonfeir@lemm.ee 19 points 6 months ago

Face… off…

load more comments (1 replies)
[-] chrash0@lemmy.world 10 points 6 months ago

it’s not a password; it’s closer to a username.

but realistically it’s not in my personal threat model to be ready to get tied down and forced to unlock my phone. everyone with windows on their house should know that security is mostly about how far an adversary is willing to go to try to steal from you.

personally, i like the natural daylight, and i’m not paranoid enough to brick up my windows just because it’s a potential ingress.

load more comments (10 replies)
load more comments (1 replies)
[-] _lilith@lemmy.world 32 points 6 months ago

https://analognowhere.com/_/ismegh/

load more comments (1 replies)
[-] someguy3@lemmy.world 27 points 6 months ago* (last edited 6 months ago)

A stipulation of Payne’s parole agreement was that he be willing to provide a passcode to his devices, though that agreement didn’t explicitly refer to biometric data. However, the panel said the evidence from his phone was lawfully acquired “because it required no cognitive exertion, placing it in the same category as a blood draw or a fingerprint taken at booking, and merely provided [police] with access to a source of potential information.”

These both seem like bad calls. You have a right to privacy, right? And for police to access your files/home/phone tap requires obtaining a warrant.

Fingerprints at booking gives access to public records. Not your own personal private data. Pretty sure drawing blood is justified suspicion of DUI.

[-] catloaf@lemm.ee 18 points 6 months ago

Yes and no. When you take parole, you agree to give up some freedoms in exchange for getting out of prison early. For example, taking drug tests, checking in with your parole officer, or not leaving the state/country. If your crime was related to using a phone or something, like being a drug dealer, then it can make sense to have to allow your parole officer to check it.

[-] someguy3@lemmy.world 22 points 6 months ago

So after you have been convicted of a crime, you will have restrictions based on that crime. That's a world of difference from pulling over Bob and forcing him to unlock his phone.

[-] AFC1886VCC@reddthat.com 16 points 6 months ago

No.

[-] Juice88@lemmy.world 14 points 6 months ago

I’ve already planned to spam the lock button for a few seconds if something like that came up (iPhone) it triggers the emergency settings and disabled unlock without a passcode.

load more comments (1 replies)
[-] Grntrenchman@sh.itjust.works 12 points 6 months ago* (last edited 6 months ago)

For Android: learn the hard reset combo for your phone, especially if you encrypt it.

After rebooting, pattern/PIN will be required to decrypt the phone. Biometrics won't work for this step. This is what graphene does for security, tries to keep the phone in a "before first unlock" state by rebooting on a timer. You can't even read anything over USB/ADB, it's scrambled until you unlock the phone.

The only drawback to just keeping your phone in this state is none of your apps are loaded, so no notifications/updates/processing at all.

[-] Dkarma@lemmy.world 11 points 6 months ago

Just power down your phone. No phone allows initial unlock with bio data

load more comments (1 replies)
load more comments
view more: next ›
this post was submitted on 28 Apr 2024
468 points (100.0% liked)

Technology

59517 readers
2797 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world