When you’re setting up your phone, one of the choices that you’ll almost certainly have to make is how to lock it: should you use a fingerprint or a PIN? Going with a fingerprint seems like a really secure idea, because it’s unique and no one could guess it, but is that true? Is a fingerprint really more secure? Or is a PIN a better way to go?
Interestingly, there are a number of factors that go into answering this question. Let’s take a look.
Is a Fingerprint or a PIN More Secure?
You’d be forgiven for thinking that your fingerprint, being totally unique to you, would be totally uncrackable by anyone. It makes intuitive sense. And in a way, you’re right. However, a number of researchers and hackers have come up with ways to get around the fingerprint sensor.
For example, a group at Michigan State University recently took a 300 dpi scan of a fingerprint and printed it with special ink on glossy paper. They were able to use it to fool the fingerprint scanner of a Galaxy S6.
Back in 2013, Germany’s Chaos Computer Club took a high-resolution photo of a fingerprint from a glass and used it to make a latex reproduction of the print that could fool the sensor. Here’s video of this method in action:
It’s likely that other methods are out there that have been less well-publicized.
So how does that compare to a PIN? It partly depends on the security features on your phone. For example, the iPhone at the center of the FBI/Apple spat (the one belonging to Syed Farook, one of the San Bernadino shooters), has a security feature enabled that erases the contents of the phone after 10 incorrect tries at the PIN.
If you have something like this on your phone, anyone trying to crack their way in would have to have some really good guesses to make it work. If not, they’re out of luck unless they can hack it another way.
Without extra security features, cracking a PIN, no matter how many digits are included, is only a matter of time. It could be a very long time, but with an infinite number of guesses, any person or computer would eventually get it, because there are only so many different four- or six-number PINs you can create (though if you can use a password or a pattern lock, the number of options that are available to you is exponentially larger).
Even with protection against a brute-force guessing attack, someone might be able to get in if they’re highly motivated. The device below, for example, cuts the power to the iPhone when it makes a wrong guess so the wrong-guess counter doesn’t increase. This took advantage of an old bug, and wouldn’t work anymore, but it shows that no system is perfect.
The point is, however, that someone could conceivably guess your PIN, whereas no one can guess your fingerprint. They could steal it, but there’s no way to guess it. So in that respect, a fingerprint is more secure. However, there’s a pretty big exception to that rule.
What the Law Says
Whether you choose a fingerprint or a PIN (or even both) to protect your phone also depends on who you want to keep out of your phone. If you don’t want a random stranger to pick your phone up off of the table at a coffee shop and be able to get into it, either will work just fine, and a fingerprint might work better.
But if you’re worried about government access to your phone, you might want to reconsider. Judges in the US have generally held that giving up a PIN or a password could be a violation of the Fifth Amendment, which gives a person on trial the right to not incriminate themselves. Fingerprints, however, have not been given that same protection.
So if you’re in a court case where relevant information could be stored on your phone, the judge could order you to unlock it with your fingerprint. The government is monitoring everything on your cell phone anyway, but if you want to limit knowledge of what you’re doing to the NSA, and keep the local police department out, then locking your phone with a PIN is a good idea.
I’m not sure what the rules are in other countries, but it’s likely that police forces and other governmental organizations would push for the right to unlock suspects’ phones with a court order, especially if put in a situation similar to the one the FBI found themselves in with Farook’s iPhone. If you have any insight into the laws in your country, please share them in the comments!
So What’s Best?
For the vast majority of people, a fingerprint will be the more secure way to go. Even with the 10-attempt erasure feature turned on, it’s possible — however unlikely — that someone could guess your PIN. But they won’t be guessing your fingerprint. And to break either of them with other methods is difficult and expensive, at least for amateurs. (And you can’t forget your fingerprint either. That said, if you forget your PIN, there are some workarounds to try to recover your phone passcode.)
If, however, you’re in the United States, and you’re worried about the government getting into your phone, you may want to stick with a PIN. If you’re an activist, journalist, or anyone else who might have sensitive contact information or communications on your phone, the law will be on your side if a member of law enforcement asks you to unlock it.
If you use an iPhone and decide to stick with the fingerprint, here are some apps that you can lock with Touch ID and Face ID.