Exactly. It would be great to have a secondary PIN (or my middle finger fingerprint, for example) in my phone to enter a dummy environment with a few games, some family pics and so on.
A feature exactly like that exists in Xiaomi phones. It's called Second space, and basically allows you to have a second profile with different apps or accounts. The interesting thing is that you can set it up to open when unlocking the phone with a specific fingerprint. The idea is to fill that Second space with dummy info, and unlock it with your little finger, for example (or vice versa, use it for sensitive information). Obviously, it wouldn't fool a thorough phone scan (and if you dig deep enough in the settings you can see if the feature is enabled) but it can be useful for quick cursory scans, like if you need to provide your phone at the border.
Why would being security conscious automatically disqualify biometrics?
Security is all about threat models, and I can imagine quite a few scenarios where biometrics might fare better than passwords. Shoulder surfing and trivial passwords/PINs come to mind, for example.
And who said that it's biometrics vs. anything else? It's quite advisable to combine authentication factors.
Shoulder surfing and weak passwords are both something you can control at any time. Biometric identification can be exploited involuntarily by someone literally using force to apply your finger to a device or similar. I shouldn't need to say this, it's so obvious that it's a common plot device in action movies.
If you are so easily swayed, you would probably not be in an adversarial situation with a government anyway.
But this article is about a system for giving up passwords under duress without necessarily compromising all your security, such that your antagonist has no way of knowing or showing that there's another password concealing more important information.
Pretty sure Guantanamo Bay and “enhanced interrogation” have shown us that after your antagonist has used the $5 wrench to beat a working password out of you, they then keep on beating you every day for another few weeks just in case there’s more you should have told them.
If “those guys” are your adversary, you were fucked before you started.
> If you are so easily swayed, you would probably not be in an adversarial situation with a government anyway.
Complying in the face of threats of physical violence is equivalent to "being easily swayed"?
You seem to have a pretty specific threat/defense model that you didn't clarify. I wouldn't generalize from that to "biometrics are bad for all users in all situations".
People who realistically anticipate opponents (the state, kidnappers) using force to get at information on a personally targeted basis are likely willing to deal with a degree of real pressure, as shown by the long-term intransigence of many political prisoners through history.
What I'm saying is that if such threats are unacceptable to a person, chances are they are not going to involve themselves in the sort of activities that require keeping secrets in the first place, or are sufficiently disciplined to have weak device security because they don't write anything down.
> Shoulder surfing and weak passwords are both something you can control at any time.
How, exactly? And "require users to watch out for shoulder surfing and use strong passwords" does not count.
Any chance you are thinking about pretty specific circumstances here (security-aware, technical employees generally not having to enter passwords in public spaces)?
I don't understand why you wouldn't think those count. At some point security rests upon the discipline and good judgment of the person with information to secure. I don't believe you can make a technological system which offers perfect security and perfect convenience. Biometrics are very convenient, but can be exploited by force. Strong passwords and environmental awareness (of snoopers) are quite robust, but at a considerable loss of convenience.
Sure, but nobody can pre-emptively mandate you use facial recognition on your personal communications device, and then put sensitive information in there. I can see a situation in a repressive country where if you buy a phone they set it up with facial recognition in the store and make you activate it, but then you know not to store stuff there. You could just physically damage the camera at a later date and claim you weren't able to make use of that any more.
I've a device (Onyx BOOX) which apparently can only be password-secured if I create a vendor-based account on it. (I've been trying to see if this is bypassable, so far, no dice.) That's not biometrics, but it's a case of being strongly limited by a system architecture.
If you're using a device at the obligation of an employer, you may well find that it has, and/or organisational policy requires, biometrics.
It's increasingly difficult to find devices that don't include some form of biometrics-based functionality. The notion that that becomes the primary or only means of securing access is not entirely far-fetched.
Capabilities, possibilities, and dependencies have a really funny way of becoming hard requirements over time.
I could speak the Celtic of my ancient ancestors or communicate in cuneiform or ancient Egyptian hieroglyphics, if I really wanted to. My ability to integrate and participate in modern life would be quite limited. The online and digital world are rapidly approaching this state.
You can push the lock button many times (when pulling your phone from the pocket, for example) and it will lock the phone and require you to use your passcode.
I don't think they hide their existence from each other however. If they're like Unix users, then one might see something like /home/user1 /home/user2 /home/user3, etc. so that all usernames would be clearly visible and the user could be then forced to reveal all passwords. The aim is to obtain plausible deniability, that is logging in as the safest user according to the situation, while at the same time hiding all others.
I'd love that feature (Android 9+) if it allowed me to install some of the gazillion apps (e.g. every bloody fast food place that only has deals via their app) but restricted them from accessing my real user contacts, emails, msgs, GPS/location, etc.
Blackberry phones had this feature and it was pretty bulletproof.
I believe users cannot access each others' data. So yes you can use it this way. I'm pretty sure it existed at Android 9. Are you running stock Android or some Samsung bull?