
I think Touch ID does improve security in practice for most people, because it makes it practical to use a proper password for your phone, rather than a four-digit passcode or no passcode at all, as most people did before.

You have to consider the limitations it has as well. An attacker could potentially lift your fingerprints and use them to unlock your phone. But they only get five chances to fool the sensor before Touch ID disables itself, and they have to do their work within 48 hours of when you last entered your password.

As with all things security, the important question is what sort of threats you're defending against. For the scenario where I lose my phone or I get mugged, Touch ID is fine. If I'm defending against police seizing it as evidence, it's probably fine. I'd be surprised if the police could move quickly enough to make the deadline. For police encounters I know about ahead of time (like passing through customs), it's easy to shut the phone off to temporarily disable Touch ID. The only scenario where it likely fails is a targeted attack by someone with sophistication, like if the FBI thinks I'm a terrorist, and I'm not particularly worried about defending against that.

Note that your six-digit PIN doesn't necessarily save you here either, although it would buy time. Whatever the FBI did to the infamous San Bernardino iPhone would probably work on yours in a longer but practical amount of time.

People often say that fingerprints are usernames, not passwords. I don't think that's very useful. A fingerprint doesn't fit inside the old username/password ideas, it's something different from both, with its own unique properties.
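The comment above reasons about Touch ID as a gate with three rules: five sensor attempts, a 48-hour window after the last passcode entry, and a power-off that forces the passcode. The following is an added illustrative model of exactly those three rules, written for this thread; it is not Apple's implementation, and the class name, method names and the constructed timelines are my own. It is useful for checking the threat-model claims in the post: an opportunistic thief exhausts the attempts, a slow seizure runs out the clock, and a pre-emptive power-off closes the gate immediately.

```python
from dataclasses import dataclass
from typing import Optional

# Constants taken from the constraints stated in the comment.
MAX_BIOMETRIC_ATTEMPTS = 5
PASSCODE_WINDOW_SECONDS = 48 * 3600

@dataclass
class BiometricGate:
    """Constructed model (hypothetical, not Apple's code) of a biometric
    unlock gate: biometrics are only accepted within a window after the
    last passcode entry, for a bounded number of failed attempts, and
    never after a power cycle until the passcode is entered again."""
    last_passcode_unlock: Optional[float] = None  # None: no passcode since boot
    failed_attempts: int = 0
    disabled: bool = False

    def power_cycle(self) -> None:
        # A restart forces the passcode path; biometrics stay off.
        self.last_passcode_unlock = None
        self.failed_attempts = 0
        self.disabled = True

    def passcode_unlock(self, now: float) -> None:
        # A correct passcode re-arms biometrics and restarts the window.
        self.last_passcode_unlock = now
        self.failed_attempts = 0
        self.disabled = False

    def biometric_allowed(self, now: float) -> bool:
        if self.disabled or self.last_passcode_unlock is None:
            return False
        if now - self.last_passcode_unlock > PASSCODE_WINDOW_SECONDS:
            return False
        return self.failed_attempts < MAX_BIOMETRIC_ATTEMPTS

    def try_biometric(self, now: float, sensor_match: bool) -> str:
        """Returns 'unlocked', 'rejected', or 'passcode_required'."""
        if not self.biometric_allowed(now):
            return "passcode_required"
        if sensor_match:
            self.failed_attempts = 0
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_BIOMETRIC_ATTEMPTS:
            self.disabled = True
        return "rejected"


def lost_phone_scenario() -> str:
    # Constructed timeline: owner unlocked with passcode at t=0, phone is
    # lost; finder tries five lifted prints, then a sixth perfect one.
    gate = BiometricGate()
    gate.passcode_unlock(0.0)
    for i in range(MAX_BIOMETRIC_ATTEMPTS):
        gate.try_biometric(60.0 + i, sensor_match=False)
    # Even a spoof that would fool the sensor is now refused.
    return gate.try_biometric(120.0, sensor_match=True)


def slow_seizure_scenario() -> str:
    # Constructed timeline: device seized, attacker has a working spoof but
    # only gets to use it after the 48-hour window has elapsed.
    gate = BiometricGate()
    gate.passcode_unlock(0.0)
    return gate.try_biometric(PASSCODE_WINDOW_SECONDS + 1.0, sensor_match=True)


def customs_scenario() -> str:
    # Constructed timeline: owner powers the phone off before the encounter;
    # a matching print is still refused until the passcode is entered.
    gate = BiometricGate()
    gate.passcode_unlock(0.0)
    gate.power_cycle()
    return gate.try_biometric(10.0, sensor_match=True)


if __name__ == "__main__":
    print("lost phone:", lost_phone_scenario())
    print("slow seizure:", slow_seizure_scenario())
    print("customs:", customs_scenario())
```

Each scenario ends in `passcode_required`, which is the point the comment makes: the attacker's problem reduces to the passcode in every case except a fast, targeted attack with a good spoof inside the window, and that case is the one the model correctly reports as `unlocked` if you call `try_biometric` early with a matching print.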




That comic is irritating. Most people are far more concerned with lost devices and opportunistic theft than they are worried about targeted theft or malicious actors with wrenches. Encryption reduces the pain of the lost or casually stolen device, it doesn't have to resist a wrench to be useful.


Eh, it's a comic; all the nuances of a security problem are hard to fit in a two-panel punchline, but it highlights the same thing: that the threat model is not the same for everyone.


> it's something different from both, with its own unique properties.

No, it's a username that is physically tied to the user. If I can get that data (fingerprint) then I don't need to go through the usual rigmarole of password hacking.

Fingerprints are literally "one factor auth".


That doesn't mean that they're usernames. You can say this about passwords too: if you can get that data (password) then you don't need to go through password cracking, and they're literally "one factor auth."

Consider an example. Imagine if HN authenticated based only on the username. Could you get into my account? Now imagine if HN used fingerprint authentication. Would that make it harder?


Your analogy only works if usernames were stored in a secret database, not displayed publicly.


Why?


Because this is the assumption behind using fingerprints as authentication.


That's my whole point. Usernames are public info, passwords are private, and fingerprints occupy a weird in-between world where they're sort of public but difficult to obtain and difficult to use if you're not the one whose fingers they're on.



