There are generally two ways to lock your phone: a passcode in the form of a pin or pattern, or a biometric form of authentication, such as a fingerprint or Face ID (on the iPhone).
But which form of authentication is best to keep your phone locked and which is the best option for your overall privacy? Here are the pros and cons.
Until relatively recently, the passcode was most often the only option. To unlock the phone, you would have to input a set of characters or draw a specific kind of pattern on your phone that you previously set. Here’s why we like it.
Pro: You can’t be forced to unlock your phone by law enforcement
When it comes to passcodes and patterns, you’re protected under the Fifth Amendment, which is designed to protect against self-incrimination. This means that law enforcement can’t compel you to reveal your passcode or pattern to unlock your phone. This is a longstanding and compelling reason for keeping a pin/pattern to lock your device. Biometric authentication, on the other hand, has specific peculiarities when it comes to the Fifth Amendment.
However, if you’re worried about someone getting into your phone, there is a glaring downside:
Con: Your passcode/pin can be mathematically solved
Whether you’re using a 4-digit pin, a long passcode, or a pattern, it is mathematically solvable: the number of possible combinations is finite, so they can all be tried. When it comes to a pattern or a 4-digit pin, the number of possibilities isn’t actually that large, and if you’re using a pin related to your personal life (say your birthday or wedding date), then you’re even more at risk. If you’re using a passcode, you have to make sure it’s complex enough that it would be difficult to figure out using some kind of brute-force or automated measure.
In most scenarios, you’re still safe, since phones have a limit on how many attempts you can make to gain entry before they lock you out entirely (on iPhones, you’d have to enable this feature). But if your phone has been stolen or otherwise compromised, that limit can be circumvented. For example, the limit resets after a certain amount of time. A criminal who stole your phone can simply wait it out and eventually unlock your phone. Expert hackers and law enforcement also have specialized tools that are dedicated to unlocking phones and figuring out the passwords/patterns for a phone. A petty criminal may face a tougher time.
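To put numbers on how small the pin and pattern spaces are compared with a longer passcode, here is an added example (not from the original article) that counts every valid pattern and compares the totals. It assumes the common Android-style rules for a 3x3 pattern grid (4 to 9 dots, no dot reused, no jumping over an unused dot) and an assumed, constructed rate of one guess per minute.

```python
import math

# Dot pairs on a 3x3 grid (numbered 0..8, row-major) whose straight line
# passes over a middle dot; that middle dot must already be in the pattern.
# Assumption: Android-style pattern rules (4 to 9 dots, no dot reused).
SKIP = {}
for a, b, mid in [(0, 2, 1), (3, 5, 4), (6, 8, 7), (0, 6, 3), (1, 7, 4),
                  (2, 8, 5), (0, 8, 4), (2, 6, 4)]:
    SKIP[(a, b)] = SKIP[(b, a)] = mid


def count_patterns(min_len=4, max_len=9):
    """Count valid patterns by depth-first search over the grid."""
    def dfs(last, used, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(9):
            if used & (1 << nxt):
                continue  # dot already part of the pattern
            mid = SKIP.get((last, nxt))
            if mid is not None and not used & (1 << mid):
                continue  # would jump over an unused dot
            total += dfs(nxt, used | (1 << nxt), length + 1)
        return total
    return sum(dfs(start, 1 << start, 1) for start in range(9))


def keyspaces():
    """Number of possible secrets for each lock type."""
    return {
        "4-digit pin": 10 ** 4,
        "3x3 pattern (4-9 dots)": count_patterns(),
        "6-digit pin": 10 ** 6,
        "8-char passcode (a-z, A-Z, 0-9)": 62 ** 8,
    }


def days_to_exhaust(keyspace, guesses_per_hour):
    """Worst-case days to try every value at a fixed, assumed guess rate."""
    return keyspace / guesses_per_hour / 24


if __name__ == "__main__":
    RATE = 60  # assumed for illustration: one guess per minute
    for name, size in keyspaces().items():
        print(f"{name:32} {size:>20,} {math.log2(size):5.1f} bits "
              f"{days_to_exhaust(size, RATE):>16,.1f} days worst case")
```

The pattern space is larger than a 4-digit pin but still smaller than a 6-digit pin, while an 8-character mixed passcode is many orders of magnitude beyond both.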
Biometric Authentication – Touch ID or Face ID
If you use Touch ID or Face ID to get into your phone, that’s biometric authentication. With a bit of set up, your phone will collect and store your biometric data and unlock your phone if it matches with the data you provided it (such as your thumb or face). If someone else tries to use their face or fingerprint, the phone won’t unlock. This is why we like it.
Pro: Your biometric data can’t be ‘solved’
Unlike a pin or passcode, a hacker can’t try to get into your phone by ‘guessing’ or brute-forcing biometric data – that’s not how biometric authentication works. While there have been reports of printouts or photos of a user’s face being used to unlock phones (especially when it comes to non-white users), this technology is still nascent enough that accuracy improvements will come, making it even safer to use.
Con: The jury’s still out on whether or not law enforcement can force you to unlock your phone
Judges have ruled on both sides of this argument. In the most recent high-profile case, a judge in Oakland, California denied a warrant that would’ve given cops the authority to force the individual to unlock their phone. However, the decision only applied to that case.
As we noted in our last article, iPhones do provide an easy way to disable Touch and Face ID immediately, which may help you stay private in the face of law enforcement.
Con: Your biometric data is at risk
If you’re using an iPhone, this doesn’t really apply. As evidenced in our article, Apple goes to great lengths to ensure that 1) your biometric data doesn’t leave your device, and 2) the data is completely secure in a separate processor chip on the phone designed solely for privacy and security.
However, other device manufacturers may not take the same precautions. If any of them store the biometric data in the cloud or process the data outside of the device, then that data is at risk.
A quick side note: Google offers fewer details on the fingerprint authentication used on Pixel and Nexus phones but maintains that the biometric data never leaves the device and is never shared with apps or Google itself. Only the fact that an authentication was successful is shared when using fingerprint authentication across apps and services.
The choice is yours
For most scenarios, both options are well-suited to keep your phone private, but it’s worth thinking through the scenarios where one option may not serve you as well as the other. Depending on your propensity for privacy and security, what your job is, what your risk tolerance is, and the likelihood that you or your device may be targeted, going through the different possibilities will help you make the choice as to whether biometric authentication or a simple pin or pattern is sufficient for you.