Two-factor authentication with fingerprint and PIN

by Volker Weber

What I, and many of my colleagues, are waiting for (with bated breath) is TouchID-enabled two-factor authentication. By combining two low- to medium-security tokens, such as a fingerprint and a 4-digit PIN, you create something much stronger. Each of these tokens has its flaws and each has its strengths. Two-factor authentication allows you to benefit from those strengths while mitigating some of the weaknesses.


The issue I see with biometric authentication, especially fingerprints, is that you are effectively unable to withhold the credential from law enforcement. You have a right to remain silent and cannot be forced to be a witness against yourself - yet you have no way of not keeping your fingerprints a secret, effectively granting access to all data on your device (and typically much more). Passwords are less convenient, but at least you can keep them to yourself.

Jan Tietze, 2013-09-24 12:52

That is a valid concern.

Volker Weber, 2013-09-24 13:10

Use the wrong finger 5 times and you are "safe" again.

Anyway, I wouldn't mind if Apple allowed this mark to be set to a lower level depending on someone's safety level. I think with the now known "hack" some would feel safer if this already kicked in after e.g. 3 attempts.

In addition, I would love to see the PIN request made mandatory after removing or inserting a SIM card, which is another action that "might" hint at an unwanted incident.

Harald Gaerttner, 2013-09-24 14:17

Exactly that was our hope here - use a long passcode or an easy one in conjunction with TouchID... Unfortunately it is not available - hopefully this will change.

Hubert Stettner, 2013-09-24 16:31

In the USA, the right to remain silent does not necessarily cover passwords. There's no definitive ruling on it yet.

In the most recent case that I'm aware of (United States v. Fricosu), the court ruled against the right. There had been previous cases where other courts have ruled in favor of the right. The latest case was resolved without the defendant actually revealing the password, so no appeal is possible. These types of cases are very rare, so the chances of an appeal making it all the way to the Supreme Court any time soon are pretty low.

Richard Schwartz, 2013-09-24 20:39
