There has been lots of discussion about the security of Touch ID on the new iPhone 5s. Not surprisingly, there are already reports of duplicated fingerprints being used to trick the Touch ID system. Tim Bray does a good job of giving this some context.
Security is about trade-offs, and this one has plenty of variables that come into play. What I haven’t seen much talk about is that this isn’t necessarily a one-time decision. Let me give an example. For everyday use I may decide that fingerprint scanning with Touch ID is fine. Then, when I am traveling, I may decide that I would prefer to use a passcode instead.
Security isn’t a one-time decision, and when variables important to you change, it is reasonable that your security decisions will change as well.
2 replies on “Security Isn’t A One Time Decision”
As you said, security is about trade-offs. There is no such thing as 100% secure, which is why revocation of security credentials is important.
The scary thing about biometrics is that they can’t be revoked.
Definitely, the inability to change our fingerprints is good and bad.
The trade-off analysis is also relative though. Is having no passcode or fingerprint requirement on an iPhone 5s (the method most people reportedly use) better or worse security than just requiring a fingerprint? At a high level I’d usually say worse, but that isn’t always the case. If it leads to overconfidence and poor analysis of the possible trade-offs, it could be better to go without.