The PIN is Mightier Than the Face
In “Mission: Impossible Rogue Nation,” Tom Cruise’s Ethan Hunt uses Simon Pegg’s Benji Dunn’s fingerprint to unlock a high-security door. In Fast & Furious 7, Brian O’Connor’s Paul Walker uses a guard’s hand to unlock a phone with his fingerprint, giving him access to sensitive data. In “Ocean’s 8,” Sandra Bullock’s Debbie Ocean and Mindy Kaling’s Amita place a sleeping person’s hand on a scanner, defeating the biometric security device.
In the world of authentication and access control, access tokens typically are divided into categories of “something you have” – a physical device like a thumb drive or a token; something you know (if you remember it) like a password, passphrase, or PIN; and something you are – a biometric like a voiceprint, facial recognition, or fingerprint. While each of these has advantages and disadvantages, a combination of them is considered to be more secure than any one token by itself. Indeed, the “best” security is multi-factor, multi-channel and multi-token. That is, a combination of biometric, password or token, each of which is delivered over a separate communications channel, and verified on different devices. The problem is, people pick weak passwords or reuse them over devices, tokens are lost, compromised or bypassed, and biometrics can be forced, spoofed or bypassed. Additionally, requiring a PIN and a fingerprint is more secure than either separately. Requiring a PIN OR a password is only as secure as either one alone.
In the most recent upgrade of Apple’s IOS 18, they added a new security feature that has an unusual and unexpected legal benefit to device owners. When you reboot an iPhone, it resets the phone into “before first unlock” mode – meaning that, even if you have set up fingerprint or facial recognition to unlock the phone, the phone resets to require the PIN to unlock. The new IOS feature resets the phone to that setting after a specified period of inactivity, even if there has not been a reboot. This means that, if the cops seize your iPhone (or if it is lost or stolen), they cannot simply use your face or finger (irrespective of how they GET your face or finger) to unlock it — they need your PIN or password.
As a technical matter, it is harder to defeat a biometric authentication than it is to defeat a password or PIN. This is partly because, even though a random 4-digit PIN has 10,000 possible solutions, people don’t select random 4-digit PINs. The reuse PINs across platforms (a compromise of one = a compromise of all), they select PIN’s based on ease of use or entry (1234, 2222, 2580), or based on some attribute that makes them easier for the user to remember — last 4 of SSN, last 4 of current or former phone number, high school locker combination number, anniversary or birth date of yourself or close relative, or birth year of yourself or a close relative. A Google search quickly finds the most common 4-digit PINs, and the more you know about your target, the fewer guesses you may need to make. MiTM attacks can also capture PINs, and something as simple as powdered sugar on a keypad or rubbed out numbers can also show the numbers (but not the order) of a PIN. Passphrases are substantially more secure, but because they often require users to remember a long series of characters, users default to well-known phrases — “It was the best of times, it was the blurst of times…”
From a technical standpoint, it is more difficult to defeat a well-implemented biometric gate. My identical twin’s face, fingerprint or iris could likely not unlock my phone. But from a legal standpoint, at least according to some courts, a password is more secure than biometrics.
Compelling someone to unlock a phone with a biometric identifier, like a fingerprint or facial recognition, versus compelling them to provide a password raises intricate legal questions under the Fifth Amendment’s protection against self-incrimination. The U.S. legal system has seen a mix of rulings on these issues, as courts work to define what constitutes “testimonial” evidence, with different treatment often given to biometrics and passwords.
The Fifth Amendment to the U.S. Constitution states, “No person…shall be compelled in any criminal case to be a witness against himself.” Courts have long interpreted this to mean that individuals cannot be forced to reveal knowledge or thoughts that would effectively incriminate them. However, there’s a critical nuance: only “testimonial” communications are protected, meaning statements or actions that reveal the contents of one’s mind. The difference between a password and a biometric identifier largely hinges on this testimonial requirement.
In the case of passwords, courts generally treat the act of revealing a password as testimonial. A password is something a person knows, requiring an individual to actively recall and provide it. In United States v. Hubbell, 530 U.S. 27 (2000), the Supreme Court ruled that the Fifth Amendment protects individuals from being compelled to produce documents if doing so would require the use of the contents of their mind, which also extends to verbalizing or writing down a password.
This reasoning has been echoed in more recent cases. In Commonwealth v. Baust, 89 Va. Cir. 267 (Va. Cir. Ct. 2014), a Virginia court held that compelling an individual to unlock a phone with a password was indeed testimonial and thus protected by the Fifth Amendment. The court reasoned that providing a password requires an individual to reveal knowledge they possess, making it testimonial. However, when the defendant was asked to unlock the phone with his fingerprint, the court reached a different conclusion.
Biometric identifiers like fingerprints and facial recognition present a different challenge. Biometrics are physical characteristics, similar to handwriting, voice, or DNA samples, rather than knowledge-based facts. The act of providing a fingerprint or showing one’s face to unlock a phone does not require recalling or revealing any secret information. Following Schmerber v. California, 384 U.S. 757 (1966), the Supreme Court held that physical evidence is not protected under the Fifth Amendment because it does not involve an individual’s mental process or knowledge.
Indeed, it is not uncommon for agents executing search warrants for the seizure of electronic records (including cell phones) to include the language:
During the execution of the search of the Subject Premises described in the warrant, law enforcement personnel are authorized to (1) press or swipe the fingers (including thumbs) of any individual who is found at the subject premises reasonably believed by law enforcement to be a user of a device found at the location to the fingerprint scanner of the device; or (2) hold a device found at the location in front of the face of those same individuals and activate the facial recognition feature for the purposes of unlocking the device…
In United States v. Dionisio, 410 U.S. 1 (1973), the Supreme Court held that compelling a suspect to provide a voice exemplar does not violate the Fifth Amendment. The Court reasoned that the Fifth Amendment protects against compelled testimonial communication, but not against the compulsion to provide physical characteristics. Since a voice exemplar does not reveal the contents of one’s mind, it was considered non-testimonial. The Court also found that requiring a voice exemplar did not violate Fourth Amendment rights, as the act of speaking is not inherently private and is not subject to the expectation of privacy. Similarly, in United States v. Wade, 388 U.S. 218 (1967), the Supreme Court ruled that forcing a defendant to participate in a police line-up is permissible and does not violate the Fifth Amendment’s protection against self-incrimination. The Court reasoned that appearing in a line-up and allowing witnesses to view the suspect does not constitute a testimonial act, as it merely involves the suspect’s physical characteristics.
This reasoning has been applied to biometrics in cases such as State v. Diamond, 905 N.W.2d 870 (Minn. 2018), where the Minnesota Supreme Court ruled that compelling a suspect to unlock their phone with their fingerprint did not violate the Fifth Amendment. The court considered the act akin to providing a fingerprint or blood sample, both of which have been found non-testimonial under the Fifth Amendment.
However, other courts have started to blur this line, recognizing that the data accessible through a phone may warrant stronger protections. For example, in In re Application for a Search Warrant, 236 F. Supp. 3d 1066 (N.D. Ill. 2017), a federal magistrate judge in Illinois denied a search warrant seeking to compel an individual to unlock their phone using facial recognition or a fingerprint. The court recognized the unprecedented access to personal information that a smartphone unlock provides, potentially making biometric access more invasive than in the past. In United States v. Kirschner, 823 F. Supp. 2d 665 (E.D. Mich. 2010), the court ruled that compelling a defendant to disclose a computer password was testimonial and protected by the Fifth Amendment, emphasizing the testimonial nature of providing a password. But if that same device could have been unlocked by a fingerprint, the outcome might have differed, as we saw in Baust and Diamond.
The key seems to be making the witness “testify” – or speak something. If the witness is compelled to speak (even speak their password), courts tend to think of that as “testimonial incrimination. If they are just compelled to “exist,” then, not so much.
In light of evolving privacy concerns, some recent cases have questioned the adequacy of this distinction. For instance, in United States v. Wright, No. 17-cr-00387-MMC-1 (N.D. Cal. 2018), the court expressed concerns over compelling biometric unlocking, recognizing that modern smartphones contain a wealth of personal information, analogous to “the privacies of life” referenced in Riley v. California, 573 U.S. 373 (2014). In Riley, the Supreme Court held that police generally need a warrant to search a cell phone due to the high volume of personal data it contains.
The new Apple iPhone protocols would require the government to force a phone owner to provide a password to the prosecution. Even if a court was convinced that this was “compelled testimony” in United States v. Doe, 465 U.S. 605 (1984) the Supreme Court held that you could be compelled to provide evidence that could be used against you so long as the government agreed not to use that which is compelled against you. If you are compelled to provide a password, the government could not use the fact that you knew the password to prove that this was your phone, or to imply that you likely knew the contents of the device. But the government could use the contents of the phone later, because you were not compelled to create them.
The real problem for the government dealing with iPhones locked with a password is not legal, but logistical. The government would have to identify the owner of the phone and get a court order compelling the production of the password. It’s much easier to have the defendant give the cops the finger.
