
Just a pet peeve with passkeys (and other authN) that presses users towards biometrics -

In the US, because of the Fifth Amendment Self-Incrimination Clause, passwords cannot be demanded. Passwords are testimonial evidence. [United States v. Hubbell (2000); In re Grand Jury Subpoena Duces Tecum (11th Cir. 2012)]

Biometrics on the other hand are not. The court ruled that a defendant could be compelled to unlock a phone with biometrics because it is not testimonial. [Commonwealth v. Baust (Virginia, 2014); State v. Diamond (Minnesota, 2017)]

Basically, passwords cannot be compelled to be disclosed, while biometrics can.

There is a similar legal stance in Canada, UK, Australia, India, Germany, and Brazil to name a few.

Finally, under duress, passwords can be withheld, while biometrics cannot, without self-harm.



> There is a similar legal stance in Canada, UK, Australia, India, Germany, and Brazil to name a few.

There is not a similar stance in the UK. You can be compelled to provide a password. Section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA, and let that doublespeak sink in for a second) allows the police to compel it subject to a warrant from a judge.

The sentence (subject to sentencing guidelines) is up to two years in prison or 5 years for national security / child indecency cases.

You can claim you don't remember/know it as a defence, but in most cases that's not going to be believed by a jury.

In theory once you got out you could be re-served with the notice and face another 2-5 years. Rinse and repeat.


> but in most cases that's not going to be believed by a jury.

Is there at least some argument of reasonability? I have an old Runescape account I would love to be able to get back into, but I don't even remember the email it was tied to, much less the password. I was a kid back then, so even the card that paid for membership was my parents'. Is there some expectation that the prosecutor has to show the account was accessed in the last X years, or is this effectively a backdoor to keep someone in prison indefinitely?


Sure, it's called trial by jury.

A jury is gonna believe you forgot the password for an account you haven't accessed in X years. They're not gonna believe, without a lot of evidence, that you forgot the code to the smartphone you use every day.

And that's assuming that the judge even considers it reasonable.


There's no doublespeak there. To regulate just means to make regular. If they make the reprehensible the regular way of doing things then they've still done the job they're nominally supposed to do. They could say all investigations have broad sweeping powers going forward and they would still be regulating investigatory powers.

We want regulation to be for the benefit of all so we attach an emotional meaning to it but nothing about the word says it has to be beneficial.


What happens in the case of plausibly-deniable keys? Say someone has an encrypted drive with a hidden volume, one key decrypts decoy files and one decrypts the true files. If the person gives up the key to the decoy files, is the onus on the prosecution to prove additional keys exist or on the defence to prove they don't?


Not a lawyer, but I expect it would be on the prosecution to convince a jury that they had failed to make "a disclosure of any key to the protected information that is in his possession"

as per RIPA 2000 Section 50(2)(a).

To do this, they'd likely need some evidence to persuade the jury, beyond reasonable doubt, that the encryption system had such a feature.


> In theory once you got out you could be re-served with the notice and face another 2-5 years. Rinse and repeat.

Is there no concept of double jeopardy in UK jurisprudence?


Not from the UK and not a lawyer, but if a new warrant was served, then not providing the password would be a new offense and double jeopardy would not apply.


The UK always surprises with how close their reality is to V for Vendetta.


You can’t unlock your iPhone with biometrics at first boot, and holding down the two side buttons will make it so your phone immediately disables biometric unlock, and instead requires your passcode for the next unlock.

But none of this has much to do with the biometric auth you do with passkeys, because passkeys are used in places passwords would be used: logging into apps and websites. Which you'd only be doing when your device is already unlocked and you are actively using it.


> holding down the two side buttons will make it so your phone immediately disables biometric unlock

Also pressing the lock button five times in a row.


You can also quickly press the lock button 5 times and then your iPhone won't unlock with Face ID until a passcode is entered.


Biometrics then need a mix of non-testimonial and testimonial input, i.e. it only unlocks when it sees it is your face and your face blowing a raspberry. Can you be compelled to blow a raspberry?


In the US, the answer would be yes you can be compelled to blow a raspberry.


What I'd recommend is if you're worried about this (or worried about it in certain instances), disable biometrics to unlock the device itself. Then, passkeys on it don't really matter anymore.


On iPhone, you can quickly do this by holding down the lock button and either volume button until the shutdown screen appears. Once it appears, your phone is now locked and it will only accept the PIN (you don't need to actually shut down).


Alternatively one can press the lock button 5 times quickly.


On Android, pressing lock 5 times quickly automatically dials 911.


Thankfully, it doesn't. It asks you to confirm by sliding some on-screen control, and then dials 911 / 112.

If it dialed immediately, I'd be in jail already, going by the number of times I managed to trigger the "call 911?" screen by accident in the last year or so.


This works if the event, which forces unlock, is expected. Often such events are not expected and there are but seconds.


I beg to differ with those who write that such events are expected, just press a few buttons, disable, or something similar.

Imagine you are not in a relatively "democratic" nation.

(0) You are asleep. Your phone is on the nightstand. At 4:00 in the morning, you wake up with a rifle stuck in your face.

(1) You are walking down the street, middle of the day. Your phone is in your jacket's inside pocket. Two burly individuals grab each of your hands, tie them and then toss you into a van that just pulled up.

(2) You are walking around, letting the wind on your face and feeling it in your hair. Your cell phone is in your jilbab or burqa, which you changed out of. A rock hits your head and you black out.

(3) You walk into the public WC/bathroom in the bar, but you do not take your phone in with you because it is just ... ick. You come back out and the phone is in the hands of a local law enforcement agent.

Each one of these has happened in real life. There are just a myriad of real scenarios where someone is not in reach of their cell phone.


You have already described prerequisites. It is unwise to use biometrics if you are a person of interest in a "not so democratic country". And to get a rifle to your face they should demolish a door, which is commonly steel in a "not so democratic country". This is loud and gives plenty of time.

Nothing happens out of the blue. People don't get searched randomly except in some rare places where an iPhone is the source of danger itself, being a valuable possession.

If someone feels that such events could happen, it is mandatory to do OPSEC. If not, bad for this someone. Anyway, proper torture will reveal the password in a "not so democratic country". Which also happens in real life.


On my android phone, if I hold the power button I get the option to "lockdown", which immediately locks the phone and disables biometrics for the next unlock, requiring the PIN/password.

I assume that would work for the situations you have in mind.


The event itself is often expected. Nothing happens out of the blue. The exact time of the event is unknown. So, extra precautions like disabling biometrics before leaving home is a normal risk mitigation practice.


Yup and iPhone has the same feature. Seems like parent may not be aware of this.


> There is a similar legal stance in Canada, UK, Australia, India, Germany, and Brazil to name a few.

In the UK the Regulation of Investigatory Powers Act (RIPA) makes it a criminal offence to not divulge a password if compelled via a RIPA notice.

https://www.legislation.gov.uk/ukpga/2000/23/section/53


I wonder what would happen if you willingly keep providing a wrong password. The possibility of your device malfunctioning IS and always will be > 0.

Can the judge really throw you, and re-throw you multiple times to jail because the password you keep providing did not work?


I agree, and I wish there was an option to always require both a passcode/password AND biometrics in iOS and macOS. While it would become a hassle having to do it every time, it would at least guarantee that one could retain their 5th Amendment rights if the device were seized.


Having no backup to biometrics could lock you out permanently if it stops recognising you for some reason, so it would need to accept just the password, and at that point you can just turn biometrics off entirely.


I've always thought of passkeys as a good 2nd factor in conjunction with a password. Similar to the way you'd use a Yubikey or anything else with FIDO2/WebAuthn.

Seeing passkeys as a dedicated login on their own is...strange. For all of the reasons that you indicate.


Would you happen to know what the rule is on Yubikeys and the like? I assume if it's PIN-protected, it counts as a password but what if it's just set up for tap-to-unlock?


Not a lawyer and do not know your jurisdiction.

I extrapolated this as anything that is in the mind (PIN, password, some secret) cannot be demanded, while anything outside of the mind, biometrics, geolocation, physical object (key) can.

Again, I am just a hairless monkey smashing rocks together. Consult experts.


In the US this is a pretty good nationwide summary.


Of course they can use that. The Fifth Amendment protects the right to not testify against yourself. You can keep silent. That's it about self-incrimination. The government can seize any physical object and do essentially anything it wants with it with a warrant. They can physically decap a TPM and read the security key if they really want to.


Thank you for the correction on the UK laws.



