The Washington PostDemocracy Dies in Darkness

Can a severed finger unlock a phone? Answers to your security questions.

Tackling your concerns about biometrics and sharing digital accounts with relatives.

This article is a preview of The Tech Friend newsletter. Sign up here to get it in your inbox every Tuesday and Friday.

Whew, you had a bunch of questions and THOUGHTS about last week’s advice on upgrading your digital security, and why the whole password system is broken.

Many of your questions and concerns fit loosely into two categories:

  • Is it really safe to use fingerprints and face scans to lock my devices or online accounts? Short answer: Yes.
  • How do I share accounts with a spouse or an elderly relative if we use something other than a shared password to log in? Short answer: It’s complicated.

I asked internet security experts to help address some of your common questions.

Q: Heck no, why would I let any company have a copy of my fingerprint or a scan of my face?

A: That is not happening.

Security experts told me that fingerprint sensors and face scans on your phone or computer don’t save usable information.

The sensors on your device record the tiny measurements between parts of your fingerprint or infrared wavelengths of your face, convert them into mathematical representations, scramble the results and save them on a secret portion of your device.

Apple doesn’t have your face scan. Samsung doesn’t have your fingerprint. And it’s not possible to reanimate the gibberish information saved on your phone back into your actual fingerprint or face.

When I unlock my credit card app with my fingerprint or face scan, that information is not transmitted to Bank of America, said Christiaan Brand, Google identity and security product manager. Instead, my phone is doing the cryptographic equivalent of confirming to Bank of America that this is really Shira.

Q: Sorry, nope. Why would I trust this stuff?

A: I get it.

My colleague Heather Kelly interviewed people several years ago about their reluctance to use fingerprint or face scans on their phones. Many others shared those concerns with me, too.

We should be reluctant to give up our personal information. And there are few things more personal than our fingerprints and faces. If they are stolen or spoofed, you can’t get a new fingerprint or face — unless you’re Nicolas Cage in that movie.

But digital security experts emphatically said that using fingerprint and face scans to access your phone, computer or digital accounts does not save actual images from your body.

This is not the same as facial recognition used in airports or fingerprint records of government agencies. In those cases, there may be copies saved of fingerprints and face scans that can fall into the wrong hands.

[The Online Security Reset Guide: Keeping you safe from scammers, hackers and digital threats]

Q: What if a criminal cuts off my finger and uses it to unlock my phone or my financial accounts?

A: Yikes, this is grim!

Most security experts that I asked said this is likely not feasible.

They said that fingerprint sensors examine vital signs to make sure the finger is connected to a living person. One security source did say that it might be possible for a severed finger to unlock a phone.

Even if this is a slim possibility, it’s worth weighing the everyday benefits versus the fringe risks. The same goes for people spoofing your fingerprint or a look-alike logging into your phone with his face. It’s possible but most of us have far more likely security vulnerabilities. (If you choose to only use passwords, a crook could also force you to hand them over.)

For nearly all people, it is much safer to use fingerprint or face scans to secure your devices and accounts than using just a password.

“It is so much better than the alternative,” said Chester Wisniewski, an internet security researcher with the firm Sophos.

(The Electronic Frontier Foundation has advice about situations in which you might want to turn off the fingerprint or face locks on your devices.)

Q: “I share joint accounts with my spouse with one logon and one password," said William French of St. Paul, Minn. "Fingerprints, etc., just are not going to work.”

A: Yup, it’s a good point. If you share an account and a single password with someone else in your household, it’s easy for each of you to have access. Or if your elderly parent dies and you have her passwords, you can get into her phone and Facebook account.

It’s not always so simple if you add a second step to sign in after you enter a password — such as a one-time code to access your account — or if you use your fingerprint or face to log into your bank account on your phone. If you set up your bank account for two-factor authentication and then the code gets texted to your wife’s phone, whelp. That’s no help.

Alex Simons, a Microsoft executive who helps oversee digital security projects, said that the solution to this is for every company that you deal with to offer shared accounts that gives each person his or her own password and the option to securely add extra security measures like two-factor authentication.

Some digital accounts offer these multiple log-ins for a shared account. Not all do.

Our long-term goal should be killing the whole password system entirely. That’s why I’m encouraged about what are called “passkeys.”

Instead of a password, you would use your phone or other device, finger or face scan as the sole way you log in everywhere. (You can still use a password to access your device if you prefer.) In principle, it should be easier to share accounts in a passkeys system.

I know that all this stuff requires trust, and we don’t always trust technology — often for good reason.

It’s also important to remember that online security isn’t about eliminating every single threat. It’s about creating a digital system that feels manageable for you and reduces your highest-priority vulnerabilities.


One tiny win

This is not the advice you’re used to hearing: Don’t worry so much about using WiFi in public places like coffee shops and hotels.

Really!

Over the past few years, most of the websites and apps you use have been encrypted, which scrambles whatever you’re doing in your email or on Instagram from any snoops peering into your online activity.

My colleague Tatum Hunter wrote that even if some creep is hacking into the airport WiFi network to spy on you, what he or she discovered probably won’t be very risky to you.

It’s not zero risk, and Tatum had more specifics in her article. But it is generally safe for most of us to hop online at the local pizza place.

Read or watch more from Tatum Hunter: You probably don’t need to worry about public WiFi anymore.

Tech writer Tatum Hunter gets hacked on purpose to figure out what hackers can see and what they can't. (Video: Monica Rodman/The Washington Post)

Help Desk: Making tech work for you

Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.

Take control: Sign up for The Tech Friend newsletter to get straight talk and advice on how to make your tech a force for good.

Tech tips to make your life easier: 10 tips and tricks to customize iOS 16 | 5 tips to make your gadget batteries last longer | How to get back control of a hacked social media account | How to avoid falling for and spreading misinformation online

Data and Privacy: A guide to every privacy setting you should change now. We have gone through the settings for the most popular (and problematic) services to give you recommendations. Google | Amazon | Facebook | Venmo | Apple | Android

Ask a question: Send the Help Desk your personal technology questions.

Loading...