I can clearly remember my first reaction when I heard about fingerprint readers on phones. It was a stream of thoughts along the lines of "I bet that will be broken in a matter of days, biometrics are not ready for prime time", "You don't go around leaving a smudgy copy of your password on every glass you hold" and "You can change your password, but good luck resetting your fingerprint after that gets compromised."
But I was falling into a trap that's all too common in information security[1]: rejecting an idea because it isn't perfect. The question I should have been asking isn't "Is it flawless?" but "Is it better than what we currently have?"
Shortly after my initial reaction I started thinking a little more deeply about the idea, and I could think of a number of friends and family who didn't even use a PIN on their phone because it was too much effort to unlock it every time. I decided that if a fingerprint reader was significantly more convenient, and if that was enough to get people to lock their phone at all, then it would be a net win for security.
I recently bought a Nexus 6P and installed CyanogenMod. Now that I've got a fingerprint reader I think it's just brilliant. Previously I used a pattern for both the lock screen and the encryption key because it was quick and easy. Now I use a 16 character password[2], which is slow to type, for both the lock screen and the encryption key, and for everyday unlocking I just use my fingerprint.
I still need to enter my password to decrypt my phone if I reboot it, and every three days the fingerprint unlock times out and asks for the password again. But because I don't have to enter it every single time I unlock the phone, it's not much of a hassle, so I don't mind having a longer and more secure password.
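The split described above (the password is the only thing that can derive the storage key; the fingerprint only re-opens a session that a password already decrypted, and only for a limited time) is worth seeing as a small model. The following is an added example written for this post, not code from CyanogenMod, Android or the author; the `Phone` class, the toy XOR key wrap, the PBKDF2 iteration count and the exact-match fingerprint check are all illustrative assumptions, while the three-day timeout and the 16 character limit mirror what the post says about the device.

```python
import hashlib
import hmac
import os

# Assumed policy constants for this illustration: the post mentions a three-day
# fingerprint timeout and a 16-character password limit; the PBKDF2 iteration
# count is an assumption, not the device's real setting.
FINGERPRINT_TIMEOUT_SECONDS = 3 * 24 * 3600
MAX_PASSWORD_LEN = 16
KDF_ITERATIONS = 100_000


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Phone:
    """Toy model of a phone whose storage key is wrapped by the password only.

    The fingerprint never touches the storage key: it can only re-open a
    session that a password already decrypted, and only within the timeout.
    """

    def __init__(self, password: str, fingerprint_template: bytes) -> None:
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError("password longer than the device limit")
        self._salt = os.urandom(16)
        storage_key = os.urandom(32)
        # Toy key wrap: XOR the random storage key with the password-derived key.
        # Real systems use an authenticated wrap; the point here is only that
        # the password is the sole input that can produce the unwrapping key.
        self._wrapped_key = _xor(storage_key, self._derive(password))
        self._key_verifier = hashlib.sha256(storage_key).digest()
        # Real biometric matchers are fuzzy; an exact byte match stands in here.
        self._fp_template = fingerprint_template
        self.reboot()

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, KDF_ITERATIONS)

    def reboot(self) -> None:
        """After a reboot the storage key exists nowhere in memory."""
        self._storage_key = None
        self._last_password_unlock = None
        self.locked = True

    def lock(self) -> None:
        self.locked = True

    def data_accessible(self) -> bool:
        return self._storage_key is not None and not self.locked

    def unlock_with_password(self, password: str, now: float) -> bool:
        candidate = _xor(self._wrapped_key, self._derive(password))
        if not hmac.compare_digest(hashlib.sha256(candidate).digest(), self._key_verifier):
            return False
        self._storage_key = candidate
        self._last_password_unlock = now
        self.locked = False
        return True

    def unlock_with_fingerprint(self, template: bytes, now: float) -> bool:
        if self._storage_key is None:
            return False  # fresh boot: no key in memory, and a finger cannot derive one
        if now - self._last_password_unlock > FINGERPRINT_TIMEOUT_SECONDS:
            return False  # the three-day fallback to the password
        if not hmac.compare_digest(template, self._fp_template):
            return False
        self.locked = False
        return True
```

The property the model makes visible is that a lifted fingerprint is worth nothing against a powered-off or freshly rebooted phone, and is only worth a short window on a running one; the long password is what protects the data at rest, and the fingerprint only buys back the convenience of not typing it fifty times a day.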
-
1. It's not just an issue in InfoSec; it comes up in all areas of life. ↩
-
2. I'd like to use a longer passphrase, but unfortunately 16 characters is the limit for now. ↩