passkeys, facial recognition, and fingerprints: do you trust anyone

cybersecurity! hoping tomboto will weigh in here, as well as anyone else. i guess i'm getting ready to be told i'm wrong, and that's ok.

here's my deal. i use a password manager. i have lots of different passwords. i don't know any of them. only my password manager knows.

but now i'm constantly being asked by private companies to setup passkeys with facial or fingerprint recognition. i don't want to. i don't want to give them my face, or fingerprint, even though i know that at some level the government already has it and that they probably already share it with their corporate "partners". but i don't want to do it pre-emptively. why? because these companies get hacked and bought out and share data without telling people and basically do everything they can to fulfill their most important function in society, which is making money for the people who own them. the more individual companies i give my facial/fingerprint data to, the quicker my face/finger data will be compromised - i see this as inevitable, but something that can be slowed down the less i participate.

what do you all think? when you get asked to create a passkey with your face/fingerprint for some company, do you do it?

passkeys are stored client-side

which companies? maybe it says something weird about me, but Apple products are the only times I've been asked to do this in the private sector. and fwiw I tried the fingerprint thing on my phone and it never worked so I went back to a numerical code; I refuse to voluntarily do facial recognition

hell no

passkeys are stored client-side

right! they work by using a key pair, with a private key (stored on the device, and that device only) and a public key (stored by the company or service).

and when the private key is just a password or something, that doesn't really bother me. i guess my concerns are the stored biometrics the device side - with apple, or microsoft, or whoever runs the biometric check on the personal device to make sure it's really "you". doesn't that mean at some level apple, microsoft (amazon, etc) keeps a copy of your biometrics (face/fingers/etc)? or is the biometric data stored only on the device?

sorry to just ask questions that can be answered by google. BUT (here i try to justify the thread), i figure that, even with perfect explanations of why it's safe to use your biometric data to login to places, a lot of people are very uncomfortable with doing so and figure it will be compromised, eventually.

optional christian evangelical derail: there's also the whole 666/mark of beast/microchips in your wrist angle, which is this funny little side-angle that means a lot to some people. i do think that it serves as an interesting metaphor for our times, like this decision about whether to share your body's info with a soul-less collective capitalism system while being pressured by "society" to do so.

I can unlock my phone with a different finger to the one I've registered. this doesn't seem good. I haven't done anything about it yet though. maybe fingerprint login is unsafe and shouldn't be used and I should turn it off and use a PIN? maybe I'm a freak of nature? (possible)

i figure that, even with perfect explanations of why it's safe to use your biometric data to login to places, a lot of people are very uncomfortable with doing so and figure it will be compromised, eventually.

I'm not necessarily worried about it being compromised — assuming that means it gets hacked or something — but normalizing/routinizing biometric surveillance and identity verification is bad imo

but normalizing/routinizing biometric surveillance and identity verification is bad imo

yeah, it seems like a world that is not very far away at all from minority report / looking up into a eyeball scanner before you do anything important, and then the low-level version is like the grocery store that conveniently scans you when you walk in so it knows what to recommend to you or whatever

anti-mark of the beast luddites convene and comfort

z do you use your face or fingerprint to unlock your phone?

used the fingerprint with apple until recently, when it stopped working and couldn't be buggered to smoosh my fingers on the glass again

my understanding is that the biometric part of a passkey is entirely unrelated to the private side key stored on your device. the biometric verification is just the way your phone knows to authorize the use of the private key, in the same way that the biometric verification is used to unlock the phone etc.

law enforcement can compel you to unlock your devices with biometrics, but not with passwords. i use fingerprint unlock on my phone due to convenience, but i really should start using a long pin

if you are setting up a passkey with your password manager on desktop that otherwise doesn't have a biometric verification step then you are using passkeys without sharing any biometric info

i'm not really worried about this in, like, specific cases, but more in a general epistemological sense. i think that, over time, humans evolve to become sort of a hybrid of their past selves and whatever technology they are inventing to have some sort of effect on their populace and their environment. i see the bible as basically a work of mythic poetry, so the mark of the beast stuff i choose to interpret as a warning against putting too much faith in technology as some kind of redemptive or transformative force. i do think there is an element of willful enslavement in doing so. it's funny to hear people talk about the bible being full of laughable predictions but i actually feel somewhat the opposite - that it's wild that its poetry was so deep it could identify so many fundamental tensions in human society and "progress" that move people thousands of years after its writing.

I’ll just put this here. https://propertools.be/fieldwork/field-note-10-on-trusting-trust-revisited/

basically we have a lot of anxiety about technology which can easily drive us mad if we choose to let it, but there is an element of truth to the anxiety - there are physical limitations everywhere and flying too close to the sun remains a thing that happens to people in every generation, poetically speaking, time and time again. balance and harmony is something we don't seem to believe in anymore and it's gonna bite us in the ass big time. i think the bible, of all the religious texts, is one of the more in-depth and graphic considerations of that aspect of us.

good posts, i think we've ceded our lives completely to technology fwiw. i'm just hoping the reckoning won't come in my lifetime or if it does it'll be at the part where i'll be too old to do anything. hopefully futurama suicide booths will be in plentiful supply then. or there's the michael caine way out in children of men.

going back to the topic at hand, i'm not so concerned about passkeys and biometric stuff for my devices, i don't use passkeys because i've heard implementation is spotty and also often nonsensical (i.e. some companies require passkey + 2fa which is silly because 2fa is not as secured as passkeys supposedly). i can't think of anybody who doesn't use fingerprint or face scanning with their phone.

but in another direction i was thinking these fit the thread too:

-TSA touchless ID https://www.tsa.gov/touchless-id

-clearview AI (the facial recognition tech law enforcement uses, among other things to identify protestors. good primer: https://www.searchengine.show/should-this-creepy-search-engine-exist/ )

-noted sociopath scam altman's iris-scanning side quest has found commercial partners https://futurism.com/future-society/tinder-scanning-eyeballs

and on a personal note

https://img.mlbstatic.com/mlb-images/image/upload/t_16x9/t_w2208/mlb/czlao9knz0iqskgujvav.jpg

:)

i was going into a show at a club a couple months ago and front door people were insisting on taking my picture. i was all "woah, hold up here fellas", insisting it was "for security purposes". I said fuck that. They ended up letting me in without having taken a pic but told me i was not allowed to purchase alcohol? am i alone with this experience?

good posts, i think we've ceded our lives completely to technology fwiw. i'm just hoping the reckoning won't come in my lifetime or if it does it'll be at the part where i'll be too old to do anything. hopefully futurama suicide booths will be in plentiful supply then. or there's the michael caine way out in children of men.

― 龜, Tuesday, April 28, 2026 6:59 PM (thirty-five minutes ago) bookmarkflaglink

haha i mean i don't think anything will ever get so black and white, honestly, and there's always a reason to keep living when you're alive. i think it's more a mythical touchstone that shapes our psyches, which of course shapes how we act and react.

i feel like the most likely "bad outcome" with facial recognition data is that it gets sold at a premium to further deepfake ai subterfuge. and like to the degree that you don't want to participate in that, yeah, it makes sense to stop going to big-money big-ticket kinds of entertainment events. i hope that a requirement to surrender your personal information doesn't eventually become a prereq to fly anywhere. or maybe we're already there and i'm not aware of it.

People need to start demanding data privacy laws and have it become something everyone talks about. Nobody wants all these ID checks and they're not making the world safer, it's potentially dangerous for powerful people too. And then there's crazy stuff like child IDs which give criminals new opportunities. Good data privacy laws would help with the older problems that people have with social media. I think it could easily have legs, easy to chant and plaster "data privacy now!" everywhere.

And we're hearing more and more about how the biggest AI companies cannot realistically make the amount of money they need.

I opt out of the photo at the airport, TSA has always been cool about it. I also turned off my biometric keys because the police can forcibly unlock with those. It's medium annoying but I'll live with it.

I also took a bunch of communication and social media apps off my phone before going through TSA. Better paranoid than...whatever.

i don't have any spare bandwidth to be smart or principled about this stuff, go ahead and take my identity

you have a passport, a credit card, and a driver’s license? Oops.

I am way more worried about the number of things you can access with my phone and a six digit passcode than anything to do with passkeys and generally favour them over any other authentication method.

With the iPhone a 2 second squeeze of the power button and a volume button will lock out biometric login and enforce the passcode is you are concerned about being forced to unlock you phone with biometrics.

I am way more worried about the number of things you can access with my phone and a six digit passcode than anything to do with passkeys and generally favour them over any other authentication method.

With the iPhone a 2 second squeeze of the power button and a volume button will lock out biometric login and enforce the passcode is you are concerned about being forced to unlock you phone with biometrics.

I don’t use biometric stuff because I have seen too many movies and shows where someone’s finger gets cut off or eyeball popped out to access the secret thing.

given I apparently have 2 fingerprints that match (which isn't supposed to happen) I'm wondering how unique fingerprints actually are for the purpose of biometrics? maybe they could even cut someone else's finger off to get in??

an effort to swerve around the concept of government and litigate society completely 'online' has been going on (and succeeding) for awhile so IMO calls for 'improved digital privacy/security' foretell very grim things. i think we all understand the perks of physical media over streaming, etc. that same dynamic is starting to apply to day-to-day life in much deeper ways

like, I've thought about getting a dumb flip phone recently and realized i wouldn't easily be able to park my car. also read about movement towards digital PASSPORTS are you fuuucking kidding me? no fucking way am i ever signing up for that

this shit is kinda unlocking a latent libertarianism deep in me i didn't know i had. like, hey iLok (or whatever), this HARDWARE compressor i bought is MINE, you're never taking it away like you can with this plugin (that i guess i didn't buy, i only bought a license, blah blah blah. fuck off. from my cold dead hands)

the appetite has to be huge at this point for some sort of offline counterculture. emphasis on physical reality, the concept of sharing, community, etc

i also realize my post up there essentially revolves around buying things and spending money, but this is america, so... that basically *is* society

what do you all think? when you get asked to create a passkey with your face/fingerprint for some company, do you do it?

― z_tbd

hell fucking no. it's one of the big reasons i'm such a shut-in. i'm very, very careful about what personal information i give out and to who. the main reason i'm on ilx is because it's _not_ a corporate-controlled site. i don't have much of a footprint elsewhere on the internet. people in my community are _regularly_ targeted for "doxxing". if i was ever thinking of running for public office, which i wasn't, having seen what happens to other people in my community who run for public office, what happens when their personal information becomes public record, would _definitely_ dissuade me.

I hope all the lawmakers with the craziest ideas (ID for public parks and restaurants, cameras in all homes) are named and monitored closely, even if some of their ideas are wildly unrealistic, there should be consequences even if it's just their reputation.

you have a passport, a driver’s license, and a credit card. All of this information is seconds away from belonging to criminals, and it already belongs to the government. Oops.

yes! ^

i mean, in general, this is what i know. i used to be a fed, so i’ve had all my data compromised like a dozen times, i’ve lost count. i also doxxed myself on twitter during the covid era, because i was mad at ted cruz and cryptobros and someone dying. so, i understand that _all_my info is out there for anyone who wants to ruin me, and has been for years.

and of course, the subtext (i think) of “it already belongs to the government” is that the federal government is no longer a reliable steward of personal data, whether from international cybersecurity incidents or just opening the door to DOGE to come in and steal everything and then walk away with absolutely no consequences (or even public awareness/attention/working memory).

What you can do is live your best life and not sweat this shit too hard! If it makes it easier for you to do a thing, like travel or buy stuff, have a good time! You are already basically compromised to hell and back. I personally haven’t set up passkeys for most of my junk because it’s more of a pita than my time is worth. When people in my field start saying “passkeys are the only thing to protect you, authenticator apps are all dead” I will change my mind maybe.

I have 4 authenticator apps between my two phones and that’s already ridiculous. God forbid somebody send me a hundred pizzas or whatever. Most of this shit is to give consumers a warm fuzzy about the service that is relentlessly logging all of the shit they do with their life and cover the corporation’s ass. It doesn’t protect you from anything when a serious breach happens. The thing that protects you when a serious breach happens is that you are aren’t the real target. Don’t mine crypto. Don’t become a C-suite honcho at a company. Never get rich and the bad guys will continue driving right by your apartment building with the shitty front door locks for the rest of your life.

I actually don't think the motivation for all this stuff is about giving consumers the warm fuzzy. As someone who has deep insight here, the problem is more basic:

Companies are seeing tons of abuse from reused passwords that get hacked somewhere else.

This abuse is so rampant that video streamers, delivery services, and even fucking Steam would rather make things harder and more confusing on the (often) paying user than have it continue.

Why do we have these thing?

- SMS challenge on new device signin or first signin after a long time
- Mandatory or strongly encouraged two factor authentication
- Strongly encouraged passkeys (= passwords you can't see and therefore can't share)

It's all because of this

1. people reuse the same email/password everywhere
2. some of those sites get hacked
3. bots try signing in everywhere with the results
4. they sell the accounts on the black market
5. others do per-product scaled abuse

Just use a different password everywhere, try not to get phished, and ignore this.

How do your help your loved ones?

I don't know. There's so many scams and no receipe thats so easy that lazy folks won't skip.

I am somewhat erratic with security stuff. I have unique passwords for things I really care about (my various email accounts, bank accounts, etc.), and a couple-three utility passwords that I use for a bunch of things I don't really care about. I don't use passkeys for anything. Sometimes I'll use one of those utility passwords for something that also requires 2FA, so if it ever got hacked I'd get a text anyway. And my phone requires a code to unlock, no face or fingerprint.

Don’t get me wrong, I hate passwords with a passion and they’re hot trash. And password managers are a tremendous gift. But let’s not kid ourselves - the back end is swiss cheese.

you have a passport, a driver’s license, and a credit card.

― trm (tombotomod), Thursday, April 30, 2026 1:59 AM

I only have one of those. There's been complaints that a large number of people don't even possess some of the things that might become mandatory to login. I think there's been some screwups with phones that can't unlock full capabilities. Or was that gaming systems?

One of my biggest worries right now is the possibility of not being able to login to use the computer at all unless you give them ID (maybe even multiple types of ID). It would be harder to see what strategies other people are using if you can't even get online.

Also: there's been frequent complaints about more data being leaked that you can't even change to protect yourself. Unless it becomes a big enough problem that governments start allowing you to get new national insurance numbers. Can't recall what the other unchangeables are.

With the iPhone a 2 second squeeze of the power button and a volume button will lock out biometric login and enforce the passcode is you are concerned about being forced to unlock you phone with biometrics.

tbf if you reach into your pocket to do this while being confronted by the police it might not go well

You are already basically compromised to hell and back.

yeah, this. i mentioned clearview ai above but they are basically google for faces. they scrape every photo on facebook, instagram, tiktok etc. and so if you upload a photo of someone they are able to match that photo to hits in their database in seconds. they have a contract with pretty much every law enforcement agency out there including ICE.

https://www.livescience.com/technology/artificial-intelligence/id-never-seen-such-an-audacious-attack-on-anonymity-before-clearview-ai-and-the-creepy-tech-that-can-identify-you-with-a-single-picture

In November 2019, I had just become a reporter at The New York Times when I got a tip that seemed too outrageous to be true: A mysterious company called Clearview AI claimed it could identify just about anyone based only on a snapshot of their face.

....

Give Clearview a photo of a random person on the street, and it would spit back all the places on the internet where it had spotted their face, potentially revealing not just their name but other personal details about their life. The company was selling this superpower to police departments around the country but trying to keep its existence a secret.

How do your help your loved ones?

I don't know. There's so many scams and no receipe thats so easy that lazy folks won't skip.

― fajita seas, Wednesday, April 29, 2026 7:12 PM

find ways of doing things that don't involve the public internet?

imo the problem is one of _design_. the internet was not, on a base level, designed for security. it was designed to facilitate the exchange of information. every attempt to keep someone's data "private" goes against that fundamental design principle. of course not using one goddamn "internet" for every single interpersonal interaction would be extremely difficult and time-consuming and messy so we just try to apply various forms of workaround rather than addressing the core issues until eventually the whole thing will just collapse entirely and we'll be _forced_ to find a new way of doing things, with severe negative consequences (including, in the case of the internet, probably mass death) in the meantime. but you know what, it's worth it if i can connect my deodorant to the internet in the meantime.

yes, i have a professional background in IT, how did you guess?

https://www.livescience.com/technology/artificial-intelligence/id-never-seen-such-an-audacious-attack-on-anonymity-before-clearview-ai-and-the-creepy-tech-that-can-identify-you-with-a-single-picture

― 龜, Thursday, April 30, 2026 12:00 PM (two hours ago)

fun trivia - facial recognition software does not recognize me today and me seven years ago as the same person. i haven't had facial surgery. there are some minor shifts in fat distribution, like, maybe a millimeter.

my big fear about this technology isn't that it can do all these things. it's that it _can't_ but people genuinely believe it can. this is a stupid nerd reference, but there's this old doctor who episode called "the ice warriors", where the leader of a group of humans in a base under siege insists on blindly following the incredibly stupid and unhelpful advice the computer gives him. because it's a COMPUTER, you see, it CAN'T BE WRONG. and watching the show in the 90s it seemed hilarious - who on earth would genuinely be that stupid?

well, i mean, i won't say "stupid" but there's this ingrained bias that a lot of us have, that if a machine says it it's "objective", it's a "fact". i mean when i was young there was a well-known saying, "garbage in, garbage out", and it made complete sense to me, and a lot of people just, like, don't seem to grasp that you can't feed a machine garbage data and have it spit out the right answer. i mean i think people were thinking computers could magically transmute bullshit into truth as far back as, like, babbage's difference engine.

all of this technology, there ARE some great uses for it, if it's done RIGHT. it's not being done right. the stupidest, most farcical bullshit is being put into prod and treated as oracular wisdom and those of us in tech, "oracle" means something VERY SPECIFIC to us, and it's not good. it's a house of cards, it's people pretending they know things they don't, it's using pseudoscience to justify and perpetuate bigotry. do you know how many people are out there claiming to have tech that can tell whether i'm "really a man"? and it can't. of course it can't. it's more likely to identify a cis black woman as being "really a man" than it is to identify me as a "man".

i don't trust the technology because the people pushing it are lunatics, psychopaths, and congenital liars, and they don't feel the need to actually open up what they're doing to scrutiny. _they_ insist on _their_ right to keep things private.

ok i'm clearly extremely cranky today and i'm gonna take a break from the internet

Keeping my fingers crossed that the people who push all this stuff on us will be the biggest victims of it.

i can't think of anybody who doesn't use fingerprint or face scanning with their phone.

…like you can’t imagine anyone in the world not doing this?

https://www.fierce-network.com/broadband/zainar

Want to track your robot, or other autonomous moving object? Even if it's underground or needs to negotiate reliably around an anonymous white-walled factory?

Location startup ZaiNar said that its new software-based location tracking system uses the 5G network - not GPS satellite tracking or bluetooth - to do that, while being more accurate and fast than current cellular triangulation systems.

"At MWC, you're going to hear a lot about location services that are coming out over the next couple of decades," said ZaiNar CEO Danny Jacker in conversation with Fierce. Indeed, there is already plenty of talk about "precise dynamic positioning down to the centimeter" on 6G networks, which will start to arrive around 2030.

"ZaiNar's technology runs on today's 5G networks," Jacker said. "An infrastructure that carriers already have deployed."

"We deliver sub-10 centimeter accuracy at ranges up to one and a half kilometers with 100 to 500 updates per device versus roughly 1 per second [with cellular positioning]," Jacker added. The software-only network side deployment system is a cellular positioning system that works over GPS, RTK, ultrawideband (UWB) and WiFi.

new company with tech that provides precise positioning using just cell phone signals. ostensibly used to track 'robots', but guess what else is commonly carried that constantly emits a 5G signal?

Haven't read the replies yet, but I will say that I have also been resistant to passkeys, facial/thumb recognition, etc. Maybe some of that is cautiousness about security, though it's actually probably more like I'm old and don't want to bother figuring out how to do it.

Like I don't even really know what a passkey is. I already have a password. Why do I need something else?

...but guess what else is commonly carried that constantly emits a 5G signal?

those damned chips they injected with our COVID vaccines!

you need something else so that you don’t have to keep typing in a password all the time, or have some “autofill” password filling hack. look i don’t really understand it either but anything that gets us closer to a world where we don’t have to think about passwords at all is a step in the right direction imo

but yeah, that’s the mark of the beast thing right there

the deal is, you get a microchip implanted in your wrist (or whatever), and it’s your universal id, and it’s hooked up to the united nations. and obama makes you do it

it’s just funny because i’ve literally been warned about this since before i could read

not with the microchips but the 666/mark of the beast thing, it being a symbol or imprint that wicked humanity not only accepts but asks for

it’s just funny because i’ve literally been warned about this since before i could read

― z_tbd, Friday, May 1, 2026 5:13 PM (yesterday)

yeah, so here's how this works, the people who have been warning you about the antichrist and the mark of the beast in barcodes or whatever are now like, you know what, we need to get implanted with barcodes and tracking chips that are under control of the president, who is definitely _not_ someone who bears a distinct resemblance to the "antichrist" we've been banging on about for the past 50 years, in order to protect us from, i don't know, obama, or mamdani, or whatever person of color is the _actual_ antichrist

in other words, these fuckers been telling on themselves... they're worried about it because it's the shit they do to other people the second they get the opportunity and then are like "don't you see, we have to do it FIRST to PROTECT ourselves"

it's not the technology i'm afraid of, it's the _people_

lol

https://www.euronews.com/next/2026/05/04/children-are-drawing-moustaches-on-their-faces-to-fool-online-age-checks-and-its-working

passkeys are good but the communication about how they are, the security they provide, and how they're used has been abysmal

half of mine don't work properly

also i don't know if i should save to my password keeper (1password) or to my web browser (orion), or both, or what

i thought having TouchID right on my keyboard would essentially render passwords meaningless but we're not quite there yet

Main problem with passkeys is playform lockin.

All your passkeys are on your iPhone. How do you migrate? Guess you don't! iPhone forever!

I am sure twenty years from now there will be rules on this, but not today.

don’t you just get a new one?

I keep them in a password manager.

i keep them all on my touch bar