Following the recent deprecation of 2FA over SMS (thread head here[1]), I was interested to note this NPR article[2] (dated 'July 27, 2016 2:34 PM ET'): "Police Use Fingertip Replicas To Unlock A Murder Victim's Phone". Basically, a team @ Michigan State University found a way to replicate a fingerprint well enough to unlock a phone. 3 things I noted:

1. The two-part approach that worked (after 2 previous fails) doesn't seem that hard to replicate. The MSU team enhanced previously-taken, plain-old-fashioned fingerprints, then printed the enhancements with conductive ink. One suspects this will be off-the-shelf before too long. Combine that with the following observations (file under "ISTM/ICBW") that

* there's a lot more fingerprinting "going on out there." E.g., I'm pretty sure I was required to give fingerprints as part of my EPA clearance (i.e., what one does in order to gain access to ... scientific compute clusters).

* fingerprints aren't that hard to take, given an item handled at (e.g.) a workplace or restaurant.

2. What surprised me more is that, under current law (sorta--caveat below), something like a password (an "expression") is not subject to "force compulsion," but ...

"The Smartphone versus the Fifth Amendment," Berkeley Technology Law Journal, 21 Dec 2014[3]:

> in the aftermath of Virginia v. Baust, many smartphone users may soon reconsider their reliance on fingerprint ID technology.

> In October [2014], a Virginia trial judge ruled [in Virginia v. Baust] that unlike a passcode, the production of one's fingerprint is not "testimonial communication", and therefore, the Fifth Amendment privilege against self-incrimination cannot be invoked. Rather, the government may properly compel the production of a smartphone user's fingerprint to unlock the user's device. This force compulsion would ostensibly extend to any applications within a device that can be opened via fingerprint.

However,

> As a trial court, the ruling in Virginia v. Baust is not mandatory law. However, as with any early caselaw in a novel and undeveloped area of the law, this opinion will likely be cited as a persuasive authority.

IANAL, so I don't know of subsequent use, or even how to search the case law for it.

3. What I'd be interested to know is, would a hardware key (e.g., SecurID, YubiKey) be considered compellable or not? Either way, for 2FA purposes currently,

4. ... I'd hafta agree with Ed[4] that password+key beats password+SMS.

5. ... ISTM password+key beats password+fingerprint to the extent that (IIUC) a duplicate key will be harder to hack than a fingerprint for the foreseeable future.

Am I missing something?

FWIW, Tom Roche

[1]: http://lists.phxlinux.org/lurker/message/20160727.071321.f24aaba8.en.html
[2]: http://www.npr.org/sections/alltechconsidered/2016/07/27/487605182/police-use-fingertip-replicas-to-unlock-a-murder-victims-phone
[3]: http://btlj.org/2014/12/the-smartphone-versus-the-fifth-amendment/
[4]: http://lists.phxlinux.org/lurker/message/20160729.055043.2f7884f4.en.html

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss