This article is a preview of The Tech Friend newsletter. Sign up here to get it in your inbox every Tuesday and Friday.
Are fingerprints and face scans safe on my phone?
Many of your questions and concerns fit loosely into two categories:
- Is it really safe to use fingerprint and face scans to lock my devices or online accounts? Short answer: Yes.
- How do I share accounts with a spouse or older relative if we use something other than a shared password to log in? Short answer: It’s complicated.
I asked internet security experts to answer some of your common questions.
Q: No, why would I let a company get a copy of my fingerprint or a scan of my face?
A: It is not going to happen.
Security experts told me that fingerprint sensors and facial scans on your phone or computer do not store usable information.
The sensors on the device record the tiny measurements between parts of your fingerprint or infrared wavelengths on your face, convert them into mathematical representations, scramble the results and store them in a secret part of your device.
Apple does not have your face scan. Samsung doesn’t have your fingerprint. And there’s no way to turn the scrambled information stored on your phone back into your actual fingerprint or face.
When I unlock my credit card app with my fingerprint or face scan, that information is not transmitted to Bank of America, said Christiaan Brand, Google’s head of identity and security products. Instead, my phone does the cryptographic equivalent of confirming to Bank of America that this is indeed Shira.
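How a phone can confirm who you are to a bank without sending the fingerprint, shown as an added example that is not from the article or from any vendor's code. It assumes a passkey-style design: the device holds a private signing key, uses it only after a local biometric match, and the bank stores only the public key. The matcher, the four-number template, the names `createDevice` and `createBank`, and the origin `bank.example` are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical stand-in for the on-device matcher: scans match within a tolerance.
function matchesTemplate(scan, template, tolerance = 0.1) {
  const dist = Math.hypot(...template.map((v, i) => v - scan[i]));
  return scan.length === template.length && dist <= tolerance;
}
// Device: the template and the private key stay inside this closure.
function createDevice(enrolledTemplate) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return {
    publicKey, // the only value handed to the bank at enrollment
    signChallenge(scan, origin, challenge) {
      if (!matchesTemplate(scan, enrolledTemplate)) return null; // local check
      return nodeCrypto.sign(null, Buffer.concat([Buffer.from(origin), challenge]), privateKey);
    },
  };
}

// Bank: holds a public key and issues single-use random challenges.
function createBank(origin, publicKey) {
  const pending = new Set();
  return {
    issueChallenge() {
      const challenge = nodeCrypto.randomBytes(32);
      pending.add(challenge.toString('hex'));
      return challenge;
    },
    verifyLogin(challenge, signature) {
      if (!signature || !pending.delete(challenge.toString('hex'))) return false;
      return nodeCrypto.verify(null, Buffer.concat([Buffer.from(origin), challenge]), publicKey, signature);
    },
  };
}

// Constructed sample data: a toy four-number template, two scans, a made-up origin.
function demo() {
  const origin = 'https://bank.example';
  const device = createDevice([0.12, 0.87, 0.45, 0.33]);
  const bank = createBank(origin, device.publicKey);
  const [c1, c2] = [bank.issueChallenge(), bank.issueChallenge()];
  const sig = device.signChallenge([0.13, 0.86, 0.45, 0.34], origin, c1);
  return {
    ownerLogin: bank.verifyLogin(c1, sig),
    replayedLogin: bank.verifyLogin(c1, sig),
    strangerSig: device.signChallenge([0.9, 0.1, 0.7, 0.2], origin, c2),
    staleSigNewChallenge: bank.verifyLogin(c2, sig),
  };
}
console.log(demo());
```

The bank's side of the exchange only ever handles a public key, random challenges and signatures, so a copy of its records contains nothing that could be matched against a finger or face.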
Q: Sorry, no. Why should I trust this?
My colleague Heather Kelly interviewed people several years ago about their reluctance to use fingerprints or facial scans on their phones. Many others shared these concerns with me as well.
We should be reluctant to give away personal information. And there are few things more personal than our fingerprints and faces. If they’re stolen or forged, you can’t get a new fingerprint or face—unless you’re Nicolas Cage in that movie.
But digital security experts said emphatically that using fingerprints and face scans to access your phone, computer or digital accounts does not store actual images of your body.
Q: What if a criminal cuts off my finger and uses it to unlock my phone or financial accounts?
Most security experts I asked said this is probably not feasible.
They said fingerprint sensors examine vital signs to ensure the finger is connected to a living person. One security source said it may be possible for a severed finger to unlock a phone.
Although this is a small possibility, it is worth weighing the daily benefits against the risks. The same goes for someone who fakes your fingerprint or a look-alike who unlocks your phone with their face. It’s possible, but most of us have far more likely security vulnerabilities. (If you choose to just use passwords, a crook can also force you to hand them over.)
For almost all people, using a fingerprint or face scan to secure your devices and accounts is much safer than just using a password.
“It’s so much better than the alternative,” said Chester Wisniewski, an Internet security researcher at the firm Sophos.
(The Electronic Frontier Foundation has advice on situations where you might want to turn off fingerprint or face unlock on your devices.)
Q: “I share joint accounts with my spouse with one login and one password,” said William French of St. Paul, Minn. “Fingerprints, etc., just aren’t going to work.”
A: Yes, that’s a good point. If you share an account and a single password with someone else in your household, it’s easy for each of you to gain access. Or if your elderly parent dies and you have their passwords, you can get into their phone and Facebook account.
It’s not always that easy if you add an extra step to sign in after entering a password, such as a one-time code to access your account, or if you use your fingerprint or face to sign in to your bank account on the phone. If you set up your bank account for two-factor authentication and the code is sent to your wife’s phone, that does not help.
Alex Simons, a Microsoft executive who helps oversee digital security projects, said the solution to this is for each company you deal with to offer shared accounts that give each person their own password and the ability to add extra security measures in a secure way, such as two-factor authentication.
Some digital accounts offer these multiple logins for a shared account. Not all of them do.
Our long-term goal should be to kill the password system entirely. That is why I am encouraged by what are called “passkeys.”
Instead of a password, you’ll use your phone or other device, with a fingerprint or face scan, as the only way to log in everywhere. (You can still use a password to access your device if you prefer.) In principle, sharing accounts should be easier in a passkey system.
I know that all of this requires trust, and we don’t always trust technology – often with good reason.
It is also important to remember that cybersecurity is not about eliminating every single threat. It’s about creating a digital system that feels manageable for you and reduces your highest-priority vulnerabilities.
This isn’t the advice you’re used to hearing: Don’t worry about using WiFi in public places like coffee shops and hotels.
Over the past few years, most of the websites and apps you use have become encrypted, which hides everything you do in your email or on Instagram from any snoops peeking at your online activity.
My colleague Tatum Hunter wrote that even if some creep hacks into the airport WiFi network to spy on you, what he or she discovers probably won’t be very risky for you.
It’s not zero risk, and Tatum had more details in her article. But it’s generally safe for most of us to hop online at the local pizza place.
Read or see more from Tatum Hunter: You probably don’t have to worry about public WiFi anymore.