XPost: alt.comp.os.windows-11   
   From: mariasophia@comprehension.com   
      
   Chris wrote:   
   > Brian Gregory wrote:   
   >> On 22/01/2026 15:59, Maria Sophia wrote:   
   >>> On biometrics, a key point is that they do not protect data at rest.   
   >>> A fingerprint or face scan unlocks the Windows session, but once the   
   >>> drive is removed from the laptop the biometric layer is irrelevant. The   
   >>> data on the drive is readable unless it is encrypted. Biometrics solve a   
   >>> convenience problem for sign in, not a data protection problem for a   
   >>> stolen device. That is why I treat them more as a marketing gimmick than
   >>> as a security control for data at rest.
   >>   
   >> Obviously biometrics are not something you add to add protection.   
   >> They simply avoid you having to type a password or PIN.   
   >   
   > Disagree. You can't guess a biometric like you can a PIN. You can't   
   > shoulder surf someone's biometric like a PIN code.   
   >   
   > Biometrics are more secure. If implemented properly, obviously. Some early   
   > mobile phone implementations were terrible.   
      
   Hi Chris,   
      
   While OEMs strive to differentiate hype on biometrics, it's my assessment   
   that the biometrics available to consumers are merely marketing gimmicks.   
      
   Even so, on the specific topic of what I've termed "biometric marketing
   gimmicks", we are mixing several security layers in this thread.
      
   1. BIOS or UEFI passwords   
    A. Supervisor or admin password   
    Controls access to firmware settings. Prevents changes to boot   
    order, secure boot, virtualization, and other low level options.   
    B. User or power on password   
    Stops the machine from booting until the password is entered.   
    Does not protect the drive if it is removed from the system.   
    C. Purpose   
    Protects the boot path and firmware settings. Does not protect   
    data at rest unless combined with disk encryption.   
      
   2. Boot level authentication   
    A. BitLocker PIN (Windows Pro)   
    A pre boot PIN that must be entered before the OS loads. This   
    protects the encryption key. Stronger than relying on TPM alone.   
    B. BitLocker device encryption (Windows Home)   
    No pre boot PIN. TPM auto unlocks the drive. Convenient but   
    weaker against physical theft.   
    C. VeraCrypt pre boot authentication (see separate thread on this)   
    Requires a password before the OS loads. Can also use keyfiles.   
    Protects the encryption key before any OS code runs.   
      
   3. Operating system sign in   
    A. Password   
    Traditional sign in. Can be long and strong. Does not protect   
    data at rest unless tied to disk encryption.   
    B. PIN   
    Local to the device. Shorter but protected by TPM. Used to   
    release the encryption key. Still guessable if observed.   
    C. Biometrics   
    Fingerprint or face scan. Convenience feature that unlocks the   
    session after the encryption key has already been released.   
    Cannot protect data at rest. Cannot replace the encryption key.   
      
   4. Application level secrets   
    A. VeraCrypt keyfiles   
    Extra factor stored on removable media. Must be present to   
    unlock a volume. Strong if kept separate from the device.   
    B. KeePassXC master password   
    Protects the password database. Strength depends entirely on   
    the master password. Biometrics do not protect the database.   
    C. KeePassXC keyfile   
    Optional second factor. Must be provided along with the master   
    password. Strong if stored offline.   
      
   5. Summary of roles   
    A. BIOS or UEFI passwords   
    Protect firmware settings and boot control.   
    B. Boot level authentication   
    Protects the encryption key before the OS loads.   
    C. OS sign in   
    Protects the active session, not the data at rest.   
    D. Application level secrets   
    Protect individual encrypted containers or password vaults.   
      
   Back to biometric marketing gimmicks; what they actually do is...
    A. Reduce friction so users actually lock their devices.   
    B. Prevent casual misuse or shoulder surfing during sign in.   
    C. Do not protect data at rest. Do not protect encryption keys.   
    D. Are convenience features layered on top of real controls.   
   --   
   My conclusions follow the simplest model that fits every known fact.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
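The layer the post calls "boot level authentication" (section 2) is the one a practitioner can actually inspect on a Windows machine: the BitLocker key protectors on each volume decide whether the drive auto-unlocks from the TPM alone or demands a pre-boot secret first. The script below is an added example, not code from the post or from Microsoft; it audits every BitLocker volume, flags the TPM-only configuration the post describes as weaker against physical theft, and optionally adds a TPM+PIN protector (this pre-boot PIN is a separate secret from the Windows Hello sign-in PIN). It assumes Windows 11 Pro or Enterprise with the BitLocker PowerShell module, an elevated prompt, and the post's own point that TPM+PIN is a Pro feature. The function names, the `-AddPin` switch and the verdict wording are my own; the cmdlets, protector type names and the `UseTPMPIN` policy values are the real ones.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes Windows 11 Pro/Enterprise
# with the BitLocker module, run elevated. Function names and -AddPin are mine.
[CmdletBinding()]
param(
    [switch]$AddPin,                       # add a TPM+PIN protector to $MountPoint
    [string]$MountPoint = $env:SystemDrive # e.g. "C:"
)

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-StartupPolicy {
    # "Require additional authentication at startup" writes these values.
    # UseTPMPIN: 0 = do not allow, 1 = allow, 2 = require. When the policy is
    # absent, Add-BitLockerKeyProtector -TpmAndPinProtector is refused.
    $p = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = $p.UseAdvancedStartup
        UseTPMPIN          = $p.UseTPMPIN
    }
}

function Get-ProtectorAudit {
    # One row per volume, classified by whether unlocking needs something a
    # thief who pulls the drive (or boots the laptop) does not have.
    # Note: on a data volume, ExternalKey usually means auto-unlock keyed to the
    # OS volume, which is only as strong as the OS volume's own protectors.
    $preBootTypes = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password', 'ExternalKey'
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = @($types | Where-Object { $_ -in $preBootTypes }).Count -gt 0
        $verdict =
            if ($vol.ProtectionStatus -ne 'On') { 'NOT PROTECTED: data at rest readable once the drive is pulled' }
            elseif ($hasPreBoot)                { 'OK: a pre-boot secret or key is required' }
            elseif ('Tpm' -in $types)           { 'WEAK: TPM-only auto-unlock, no pre-boot secret' }
            else                                { 'CHECK: protected but no TPM or pre-boot protector listed' }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            Encryption       = $vol.EncryptionMethod
            Protectors       = ($types -join ', ')
            RecoveryPassword = ('RecoveryPassword' -in $types)
            Verdict          = $verdict
        }
    }
}

$audit = Get-ProtectorAudit
$audit | Format-Table -AutoSize

if ($AddPin) {
    $os = $audit | Where-Object MountPoint -eq $MountPoint
    if (-not $os) { throw "No BitLocker volume found at $MountPoint." }
    if (-not $os.RecoveryPassword) {
        # Never change protectors without an escape hatch: a mistyped PIN or a
        # firmware update that changes PCR values will otherwise lock you out.
        throw "Add and back up a recovery password first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }
    if ($os.Protectors -match 'TpmPin') { Write-Host "$MountPoint already has a TPM+PIN protector."; return }

    $pol = Get-StartupPolicy
    if (-not $pol.UseTPMPIN -or $pol.UseTPMPIN -lt 1) {
        throw "TPM+PIN is not allowed by policy. Enable 'Require additional authentication at startup' " +
              "(gpedit: Computer Configuration > Administrative Templates > Windows Components > " +
              "BitLocker Drive Encryption > Operating System Drives) or set UseAdvancedStartup=1 and " +
              "UseTPMPIN=1 under $FvePolicy, then rerun."
    }

    $pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN (digits; letters need the enhanced PIN policy)'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin

    # Re-audit so the reader can confirm the TPM-only protector is gone; if a
    # bare Tpm protector is still listed, the drive would still auto-unlock.
    $after = Get-ProtectorAudit | Where-Object MountPoint -eq $MountPoint
    $after | Format-List
    if ($after.Protectors -split ', ' -contains 'Tpm') {
        Write-Warning "A TPM-only protector remains on $MountPoint; inspect with Get-BitLockerVolume $MountPoint | Select -Expand KeyProtector"
    }
}
```

Run it once without arguments to see the table; a volume whose Protectors column reads only `Tpm, RecoveryPassword` is exactly the device-encryption case the post describes, where the TPM releases the key with no secret from the user. Run it again with `-AddPin` to move that volume into the TPM+PIN column, and reboot to confirm the PIN prompt appears before Windows loads. The recovery-password check is deliberate: changing protectors on a drive you cannot recover is how encryption becomes data loss rather than data protection.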