Some phones allow users to use their biometric data as 2FA, or as a password by itself – how does it measure up to PINs?
1) Your Face Looks Like Your Family’s
Every single service using face unlock handles this a different way – they all use different programs, and those programs treat look-alike faces differently. Apple, which uses state-of-the-art hardware and code to read faces, still sometimes mixes them up. On Apple devices, the program that reads your features and turns them into a mathematical representation is constantly updating itself and adding to its library of what you look like. If it didn’t, a sunburn or a new eyeliner shape would trip it up and lock you out for looking different.
The problem is that it’s allegedly doing that by looking at the person holding the device whenever it’s unlocked (with a passcode or otherwise), which is usually you but sometimes isn’t. People who look similar enough and who handle your phone often enough (like family) can sometimes trick Face ID into opening for them by accident. While this is getting better, there’s no way to rule out a twin unlocking your phone without also sometimes locking you out too.
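The trade-off described above (a template that adapts so a sunburn doesn’t lock you out, but that can also drift toward whoever holds the phone) is easy to see in a toy model. The code below is an added illustration, not Apple’s or Google’s algorithm: faces are three-number feature vectors, the matcher unlocks when a sample is within a fixed distance of the stored template, and after any unlock the template can be blended toward the face it saw. The thresholds, learning rate, the “owner” and “sibling” vectors and the drift-per-day are all constructed values chosen for the demonstration. It runs three policies side by side: a static template, a naive learner that updates from any unlocked session, and a learner that only updates from faces already close to the template.

```python
"""Toy adaptive face-template matcher (constructed example, not a vendor's code)."""
import math
from typing import List, Optional, Sequence, Tuple

Vector = List[float]

ACCEPT_THRESHOLD = 0.30   # assumed: unlock if distance to the template is below this
LEARN_RATE = 0.5          # assumed: how far the template moves toward a learned sample

# Constructed feature vectors: the sibling is 0.4 away from the owner,
# so at enrolment time the sibling is (correctly) rejected.
OWNER: Vector = [1.0, 1.0, 1.0]
SIBLING: Vector = [1.0, 1.4, 1.0]


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean distance between two feature vectors."""
    return math.dist(a, b)


def blend(template: Sequence[float], sample: Sequence[float], rate: float) -> Vector:
    """Move the template a fraction `rate` of the way toward the sample."""
    return [t + rate * (s - t) for t, s in zip(template, sample)]


class FaceTemplate:
    """Stored representation of the enrolled face, with optional learning.

    update_threshold controls the learning policy:
      None        -> static template, never learns
      float('inf')-> naive learner: adopts any face seen during an unlocked session
      0.15 (say)  -> cautious learner: only adopts faces already close to the template
    """

    def __init__(self, enrolled: Sequence[float], update_threshold: Optional[float]):
        self.template: Vector = list(enrolled)
        self.update_threshold = update_threshold

    def learn(self, sample: Sequence[float]) -> bool:
        """Called with the face in view after any unlock (face or passcode)."""
        if self.update_threshold is None:
            return False
        if distance(self.template, sample) >= self.update_threshold:
            return False  # too different from the enrolled face; do not adopt it
        self.template = blend(self.template, sample, LEARN_RATE)
        return True

    def try_unlock(self, sample: Sequence[float]) -> bool:
        """Face-unlock attempt; an accepted face also feeds the learner."""
        accepted = distance(self.template, sample) < ACCEPT_THRESHOLD
        if accepted:
            self.learn(sample)
        return accepted


def gradual_change_unlocks(update_threshold: Optional[float], days: int = 10) -> int:
    """Owner's appearance drifts 0.04 per day on one feature (constructed 'sunburn').

    Returns how many of the daily face-unlock attempts succeed.
    """
    matcher = FaceTemplate(OWNER, update_threshold)
    return sum(matcher.try_unlock([1.0 + 0.04 * day, 1.0, 1.0]) for day in range(1, days + 1))


def sibling_unlocks_after_session(update_threshold: Optional[float]) -> Tuple[bool, bool]:
    """The owner types the passcode once while the sibling is holding the phone.

    Returns (sibling accepted before that session, sibling accepted after it).
    """
    matcher = FaceTemplate(OWNER, update_threshold)
    before = matcher.try_unlock(SIBLING)
    matcher.learn(SIBLING)          # phone learns whatever face it saw while unlocked
    after = matcher.try_unlock(SIBLING)
    return before, after


if __name__ == "__main__":
    for name, policy in (("static", None), ("naive", float("inf")), ("cautious", 0.15)):
        print(f"{name:9s} owner unlocks over 10 days of drift: "
              f"{gradual_change_unlocks(policy)}/10; "
              f"sibling accepted (before, after one passcode session): "
              f"{sibling_unlocks_after_session(policy)}")
```

The static template locks the owner out once the drift exceeds the accept distance, the naive learner keeps the owner in but lets the sibling through after a single passcode unlock, and the cautious learner keeps the owner in while refusing to adopt the sibling’s face. None of the policies helps when the lookalike is already inside the accept distance at enrolment, which is the twin case the paragraph above describes.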
2) Law Enforcement
Most police forces have the right to collect some of your biometric data if you are ever arrested – your face and fingerprints go into their records. The legality of using that data to unlock your mobile device pre-subpoena varies from state to state: some states give you total freedom to decline an un-subpoena’d unlock request no matter how your device is secured, others won’t let you decline at all, and in some it depends on the type of lock. Certain biometric data is not legally protected in the same way passcodes or PINs are. Look it up for your state!
3) Nefarious Children
A much more common unwanted-unlock scenario is a child getting hold of your phone during a nap and holding it up to your face to buy Robux. Face unlock has adapted – many smartphones no longer allow an unlock attempt while your eyes are closed – but a fingerprint works the same whether you’re awake or asleep. Still pictures of the target tend to trick older Face ID as well, although that is improving with each new generation of phones.
1) When Done Right, It’s Really Tough to Beat
Barring the similarity issues above, when biometric data is used correctly, it’s pretty darn good at keeping unwanted people out. Collecting someone’s fingerprints to unlock a device or account is often more trouble than it’s worth, which deters bad actors from trying. Strangers will generally not have photos of the phone’s owner on hand that are good enough to unlock it – and more recent phones use infrared too, so pictures don’t work on new phones anymore. Cracking a biometric lock takes a lot of coincidences or a lot of effort, not just a computer guessing passwords.
You also can’t write down your face and lose it somewhere like you might for a password, and (at least for phones) you can’t have it breached in the same way as a written password.
2) When Done Right, It’s Faster
You have to wait for a 2FA code to be sent and arrive, but there’s no waiting for a fingerprint or a face unlock.
3) As Long As Policies Stay the Same, The Data Doesn’t Leave The Phone
As of the writing of this article, Pixel and Apple devices state that the mathematical representation of your face which the phone uses to unlock will not leave the device it’s used on. Apple even goes a step further and separates the processor that handles facial recognition from the processor that does everything else inside the phone!