Based on the mock ups I think I know the answer but I searched everywhere and found no mention of a finger print reader. Will there be one in librem5?
Wouldn’t quite mesh with the security and privacy focus if there is one. Having any biometric data stored on a mobile device is something a lot of us would prefer to avoid!
I disagree with this logic.
I am not aware of any free/libre Biometric hardware + software which would be a problem; but once there’s free/libre Biometric hardware + software there shouldn’t be an issue with including said hardware; and is likely why there doesn’t appear to be any plans to include Biometrics at this time.
Saying that having biometric data stored on a mobile device doesn’t mesh with privacy/security is like saying you wouldn’t want any PII stored on the device in which case there should be no storage at all, and there clearly is storage in the phone. Now some people may choose not to put PII information onto their librem; just like some people may choose not to use Biometrics even with free/libre hardware + software.
And before someone says hurr biometrics aren’t secure; no one mechanism is. Providing it as an option as another factor is not a bad thing. And if someone chooses that for their situation convenience is more important than security that does mesh with the libre focus of Librem. After all, I could, theoretically, buy a librem 13/15 and put windows on it with no password. That wouldn’t be advised but that very much fits with the concept of the owner should be able to do whatever they want with what they have purchased.
I guess it’s about something legal, in a court you can be forced to use your fingerprint to unlock your smartphone but you can’t be forced to remember your password I read it in a blog some time ago.
Fair point, but doesn’t that only affect the US (and maybe some other countries but not all)? Isn’t the market international and in turn not everyone would be affected by the current US legal system?
I mean I definitely don’t see it as a priority, but I do think it is something that shouldn’t be avoided completely just because it could be a negative thing in some situations.
Except the same laws exist in many, many countries. Not just the US. It’s a privacy hazard that can be simply avoided by not having one in the first place.
There’s also the option for the user to simply not enable it even if it’s there, so I see little point in this argument.
Just give a notice when you register your fingerprint that this is possible in some countries to force the user to unlock the device, if they did so they would both have the functionality for those who do not live in the US to have it as well as give knowledge to those who are unaware of these laws.
The answer is in the FAQ:
Will the phone have a fingerprint reader, or other biometric access?
No, we will not be shipping with any biometric hardware, the reasons for this is because single access via biometrics does not prevent access to your phone the same way a security code or lock does. The US Supreme Court has alluded to biometric access not protecting you the same way that a security code from memory (a security code) does (e.g. You can say “no” to a passphrase, or security code, but you cannot say “no” to biometric (physical) information). So even if in future models of the Librem 5 phone we do include biometric hardware, we will be double-locking it with a security code, to have the best security story we can for users.
and if you live in the UK, Ireland, India, Australia, South Africa, etc., then you can choose to sit in jail instead: https://en.wikipedia.org/wiki/Key_disclosure_law
One problem with fingerprints and security is: you only have 10 fingers. So if they are burned they are burned.
And jep, it’s possible to reproduce working fingerprints from tele photos of your hands.
At first I thought you mean literally burned…lol. Which could also be a problem if fingerprint is the only verfication method…and then you would be happy to be able to use a photo for recreating the fingerprint
And? I have yet to hear of an authentication mechanism that can’t be defeated through surveillance. There is always a tradeoff between security and convenience.
It is way more convenient to not have a front door on your home, but not very secure; there was a while where most homes just locked the knob, more convenient than having a deadbolt but less secure. Now most homes use a deadbolt still more secure than before but also still able to be defeated with a picture of a key (generally speaking). You can also add a security door, similar to a screen door but to keep out humans, that uses the same key as your deadbolt, or a different key.
This security door is how I see the fingerprint reader as being analogous to. Not more secure than the primary method of security, actually less secure, and generally used in conjunction; but if someone wants to only lock the weaker of the two they should have that option. This is especially true to me on the phone since they have the option to put other Linux OS’s that may not be as secure to begin with; the argument about protecting people from themselves I think is less important than the argument of freedom to do what they want.
No one has said fingerprints are the most secure, and I don’t even think anyone has recommended using them as the only authentication method.
And yes, you can defeat biometrics with surveillance, you can also defeat, passwords, physical keys, keycards, etc with surveillance. Each person has their own threat model, let them decide what is appropriate; trying to decide for them is trying to take away their freedom.
the only way i would agree to have my fingerprints scanned by a digital device is if it is 100% Libre software (yes both hardware and software for obvious reasons) and if the said device is not connected to the internet in any way while it does the scan and if it stores the said fingerprint scan only localy and uses it to generate an on the fly password or code to unlock the internet connected device. basically if it acts like an external key rather than something embeded that can be remotely hacked or it’s fingerprint storage scanned and copied remotely. i’m not against any particular thing but the way the technology works has to 100% respect Libre principles.
If a future Purism phone includes biometric sensors, it would need a emergency kill switch or equivalent to ensure you can’t be compelled to use the biometric authentication mechanism against your will, and I personally would have the sensors disabled until either the next full authentication (with a password) or reboot and authentication (with a password)
Similar to what Apple does with SOS mode
Biometry is not suitable for authentication.
I understand your point. Frankly fingerprint readers sound iffy to me (see previous research on spoofing fingerprints) and Face ID et al give me more concern because in theory someone can just take your phone and point it at your face to unlock it. I’m also not a fan of using biometrics for “locking” Android apps (see recent versions of Signal), and it should NEVER be used to retrieve a decryption key from a “escrow” chip for a full disk encrypted device (just a hypothetical scenario I’m sure someone’s thought up)
I think the whole reason Apple invested in implementing biometric (Touch ID, Face ID) based unlock on the iPhone is because they assume their userbase isn’t intelligent enough to handle a separate FDE/preboot and lockscreen password and the biometric unlock is to mitigate having to put in your password many times per day. It goes without saying you should have a long enough FDE password, but if file based encryption to protect data from a decrypted but lockde device is going to be a feature the security of it depends on the complexity of said password as well. I don’t know how Apple handles this with Touch ID, although I suspect its “have the key in a “escrow” chip to “release” the decryption key upon biometric unlock and hope for the best”, so that’s a concern as well.
Android recently found the sweet spot: just have a security mode where you have to enter the full code. Useful when going through airports - or you can just always have the fingerprint function disabled… But don’t make the phone purposefully slow to unlock for most of us… Just unnecessary. Very useful to have a backside fingerprint scanner!
Given the legal powers available, when going through airports what you need is “no particular unlock needed” but entire unlocked environment is a cloak for the real environment i.e. just a few cute photos of “fluffy kittens” in the unlocked environment.
Just giving a scenario when someone might want to force passcode only. Which is does during boot anyway, so you could just power down. At least you would have plausible deniability. “I’m bringing my phone back to my friend who left it at my house during his trip…”
Did Librem really choose not to have the fingerprint reader for security or privacy’s sake?
That kind of deniability could lead to the device’s being confiscated. That’s the legal reality. Don’t take the device through an airport if possible.
A fingerprint reader is fairly poor security in many scenarios (as the FAQ says).
I’m happy for it to be left off. Use the space / power / whatever for something that I would value.