Two-factor authentication with fingerprint and PIN

by Volker Weber

What I, and many of my colleagues, are waiting for (with bated breath), is TouchID-enabled two-factor authentication. By combining two low- to medium-security tokens, such as a fingerprint and a 4-digit PIN, you create something much stronger. Each of these tokens has its flaws and each has its strengths. Two-factor authentication allows you to benefit from those strengths while mitigating some of the weaknesses.



The issue I see with biometric authentication, especially fingerprints, is that you are effectively unable to withhold the credential from law enforcement. You have a right to remain silent and cannot be forced to be a witness against yourself - yet you have no way of not keeping your fingerprints a secret, effectively granting access to all data on your device (and typically much more). Passwords are less convenient, but at least you can keep them to yourself.

Jan Tietze, 2013-09-24

That is a valid concern.

Volker Weber, 2013-09-24

Use the wrong finger 5 times and you are "safe" again.

Anyway, I wouldn't mind if Apple allowed setting this mark to a lower level depending on someone's safety level. I think with the now-known "hack" some would feel safer if this already kicked in after e.g. 3 attempts.

In addition, I would love to see the PIN request made mandatory after removing or inserting a SIM card, which is another action that "might" hint at an unwanted incident.

Harald Gaerttner, 2013-09-24

Exactly that was our hope here - use a long passcode or an easy one in conjunction with TouchID... Unfortunately it is not available - hopefully this will change.

Hubert Stettner, 2013-09-24

In the USA, the right to remain silent does not necessarily cover passwords. There's no definitive ruling on it yet.

In the most recent case that I'm aware of (United States v. Fricosu), the court ruled against the right. There had been previous cases where other courts have ruled in favor of the right. The latest case was resolved without the defendant actually revealing the password, so no appeal is possible. These types of cases are very rare, so the chances of an appeal making it all the way to the Supreme Court any time soon are pretty low.

Richard Schwartz, 2013-09-24
