> You presumably need some method to let the device know it's really you.
Enter literally every mobile device unlock/security scheme since this all began.
Which is more secure in the average case today?
A) A password or passphrase, with all of its historical flaws in aggregate.
B) Apple's iOS unlock feature using a recommended/default configuration, and some 256 bit session token tucked away somewhere in secure device storage.
I would personally have a hard time answering this directly. Lots of "it depends", which tells me there are contexts where each scheme can make sense.
If you were to apply the spy movie aesthetic here, you would probably find it much easier to coax a password out of an unwilling participant than it would be to hack open a pile of cryptographic secrets you found lying on the street.
You do realize that B is just something on top of A, and not instead of A, right?
The finger unlock of my iPhone doesn't let me do everything. There are operations for which the password is required even if you have the right fingerprint.
So basically, the "security" of my phone is protected by my password.
If I know the password, but I don't have the fingerprint: I don't care, I can do anything. I can even enroll the finger I have.
If I have the finger but forget the password, I'm going to have a bad day, since the Touch ID feature requires me to input my password at least once a week and I cannot change the password or do any other sensitive operation.
So how does this scheme replace passwords? Sure, it's more convenient, since people don't have to type the password 500 times a day.
But will they actually use strong passwords? When I initially set up my iPhone, it asked me to set up a code in addition to the fingerprint. That default was a 4 digit PIN[0]. That's some high security right there.
---
[0] This was some 4-5 years ago, things may have changed. I remember seeing an article grilling Apple over this default. It was fairly easy to switch to a regular password, but we're talking about the default here, which we know is what most non-technical people will use.
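The layering the comment describes (fingerprint as a convenience layer, passcode as the root credential that gates enrollment, passcode changes and a periodic re-authentication) can be modelled as a small authorization policy. The following is an added example written for this thread, not Apple's code or a description of iOS internals: the one-week window, the set of "sensitive" operations, the PBKDF2 stand-in for the real key derivation and all names are assumptions chosen to mirror the behaviour described above.

```python
# Added example (not Apple's code): a toy model of a biometric unlock layered
# on top of a passcode. BIOMETRIC_MAX_AGE, SENSITIVE_OPS and all names here are
# assumptions that mirror the behaviour described in the comment above.
import hashlib
import hmac
import os
from enum import Enum, auto
from typing import Optional

BIOMETRIC_MAX_AGE = 7 * 24 * 3600  # assumed: passcode must be entered at least weekly


class Op(Enum):
    UNLOCK = auto()
    CHANGE_PASSCODE = auto()
    ENROLL_FINGER = auto()


# A biometric match alone never authorizes these; the passcode is the root credential.
SENSITIVE_OPS = {Op.CHANGE_PASSCODE, Op.ENROLL_FINGER}


class Denied(Exception):
    """Raised when the presented credential cannot authorize the operation."""


class Device:
    def __init__(self, passcode: str, now: float):
        self._salt = os.urandom(16)
        self._passcode_hash = self._derive(passcode)
        self._fingers: set = set()          # enrolled fingerprint templates (toy: strings)
        self._last_passcode_time = now      # the biometric window is measured from here

    def _derive(self, passcode: str) -> bytes:
        # PBKDF2 stands in for the device's passcode-entangled key derivation.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def _check_passcode(self, passcode: str) -> bool:
        return hmac.compare_digest(self._derive(passcode), self._passcode_hash)

    def authorize(self, op: Op, now: float,
                  passcode: Optional[str] = None,
                  finger: Optional[str] = None) -> str:
        """Return which credential authorized `op`, or raise Denied."""
        if passcode is not None:
            if not self._check_passcode(passcode):
                raise Denied("wrong passcode")
            self._last_passcode_time = now     # passcode entry re-arms the biometric window
            return "passcode"
        if finger is not None:
            if op in SENSITIVE_OPS:
                raise Denied("passcode required for this operation")
            if now - self._last_passcode_time > BIOMETRIC_MAX_AGE:
                raise Denied("passcode required: biometric window expired")
            if finger not in self._fingers:
                raise Denied("no matching fingerprint")
            return "biometric"
        raise Denied("no credential presented")

    def allowed(self, op: Op, now: float, **creds) -> bool:
        """Boolean convenience wrapper around authorize()."""
        try:
            self.authorize(op, now, **creds)
            return True
        except Denied:
            return False

    def enroll_finger(self, finger: str, passcode: str, now: float) -> None:
        # Enrollment is a sensitive operation: only the passcode can authorize it.
        self.authorize(Op.ENROLL_FINGER, now, passcode=passcode)
        self._fingers.add(finger)

    def change_passcode(self, old: str, new: str, now: float) -> None:
        self.authorize(Op.CHANGE_PASSCODE, now, passcode=old)
        self._passcode_hash = self._derive(new)


if __name__ == "__main__":
    d = Device("1234", now=0)
    d.enroll_finger("thumb", passcode="1234", now=0)
    print(d.authorize(Op.UNLOCK, now=3600, finger="thumb"))        # biometric
    print(d.allowed(Op.UNLOCK, now=8 * 86400, finger="thumb"))     # False: week elapsed
    print(d.allowed(Op.ENROLL_FINGER, now=60, finger="thumb"))     # False: passcode needed
```

The model makes the comment's point concrete: whoever holds the passcode can do everything, including enrolling a new finger, while the fingerprint only shortcuts the unlock and stops working entirely once the passcode has not been entered for a week. The strength of the whole scheme therefore reduces to the strength of the passcode, which is why the default passcode policy matters.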