- not perfect vs imperfect
- not better vs worse
- this surface vs that surface
How can adversaries attack the system?
How will adversaries attack the system?
Useful security proposals
- Threat model (+ motivation)
- Difference in attack surface
- Difference in user experience
- What are you actually going to do?
- Devil's in the details
- What are you protecting against?
- How is this addressed now?
- How will it be addressed afterwards?
Difference in attack surface
- Not always a strict improvement
- E.g., install some new monitoring software
- What about bugs in that software?
- One of the most important aspects
- Usually completely forgotten about
- I'm looking at you, PGP
- Contain everything
- Need to be protected
Clearly better than no lock screen
Options on some other phones
- Patterns (~ passcode)
- Face recognition (~ fingerprint)
- Key rotation?
- Separate capabilities?
- On everything you touch!
- Faking fingers is tricky
- People pick poor secrets
- Shoulder surfing
(Yes, the American one)
(I am aware we're in Canada)
- Not legal advice (IANAL)
- Not opsec advice
[…] nor shall be compelled in any criminal case to be a witness
against himself, […]
Protected from self-incrimination
Can't force the secret out of you
Fingerprints aren't secret
- Police can and does take your fingerprint
- Can force you to unlock your phone
Which one is more secure?
It depends on your threat model!
- Random people? Probably touch id
- Law enforcement? Definitely passcode
Again, not legal or opsec advice
- I know what happens when you restart an iPhone
- I am trying to illustrate threat models