Using a face scan to unlock your phone and log in to accounts is easy to set up, but it's not the best option for everyone. That's because, thanks to a 5th Amendment loophole, law enforcement agents can use your biometric data to unlock your phone. We saw this last month, when a Washington Post reporter's home was raided by the FBI. According to court records obtained by 404 Media, agents were unable to access the reporter’s iPhone because it was in Lockdown Mode, but they got a warrant from a federal judge to compel the reporter to unlock their computer via a fingerprint scan.
So are biometric scans a safe way to lock down your devices? After all, face and fingerprint scans can be used against you, while passwords and passcodes cannot. Let’s talk about why you may want to stop using biometrics to unlock your phone, sooner rather than later.
Biometrics 101: Face ID, Fingerprints, and Passkeys
Biometric data is a fancy term for the face and fingerprint scanning that your computer, phone, or tablet uses to verify your identity. The data can unlock your device or help you log in to sensitive online accounts using a passkey. I’ve written and spoken a lot about passkeys lately, as more websites are offering this option to simplify the login process. You can create a passkey on a lockable device, either with biometric data (such as a face or fingerprint scan) or a passcode, and then use it to access your online account.
I’d love to say that, thanks to immaculate foresight as a cybersecurity industry observer, I noticed growing unease about government surveillance and had a desire to take more control over my personal data, so I stopped using biometrics to unlock my devices. That would be a lie, though. I actually stopped scanning my face during the COVID-19 lockdown period, because I found it too difficult to unlock my phone while wearing a mask and glasses. In other words, inconvenience was my reason for ditching biometric scanning in favor of passcodes. Depending on who you are and what you do, you may have more compelling reasons to stop using biometric data on your devices.
Your Risk Level Determines Your Security Needs
What do you do at work, or during your free time? I ask because not everyone needs to lock down their devices to the maximum level. After all, it’s a lot easier to get into your accounts or unlock your phone with just a glance or a swipe, rather than trying to remember a device-specific passcode.
People with a high risk of surveillance by governments or criminal organizations—such as activists, immigrants, journalists, and politicians—should consider using a passcode or passphrase to protect their devices, since law enforcement officers are not allowed to force you to manually enter your passcode or PIN.
I should point out, if you fit into the categories above, it’s wise to make it harder to access all the private data on your phone or computer. As I noted in an article about securing your devices before crossing the US border, Android and iOS have settings that let you delete all your phone’s data remotely or with a tap.
What Lockdown Mode and Advanced Protection Really Do
(Credit: Apple/PCMag)
If you use Apple devices, you can also do what Washington Post reporter Hannah Natanson did, and keep your device in Lockdown Mode. That’s a setting that blocks attachments in messages, device management configuration installations, and calls or FaceTime connections. Lockdown Mode also enables a very restrictive browsing setting on the device. Lockdown Mode is the reason why FBI agents have not been able to access Natanson’s phone data. To enable this feature on your phone, visit Settings, then browse within the Privacy and Security menu in iOS.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Android devices have a lockdown setting, too, but it’s not as comprehensive as Apple’s feature. Instead, the Android lockdown feature temporarily disables biometric unlocks for your devices so that you can quickly secure your phone if you’re worried about someone holding the front-facing camera to your face to unlock it, or holding your hand over the fingerprint reader.
(Credit: Google/PCMag)
Android also offers a setting called Advanced Protection mode, which requires you to use either hardware security keys or passkeys to protect your Google accounts. This setting blocks harmful app or file downloads and prevents unverified third-party apps from accessing your Google data without your permission. You can enable this setting on the web by logging in to your Google account and visiting the Security and Sign-in menu.
The One Lock Law Enforcement Can't Force Open
When you’re ready to enable passcodes to lock your devices rather than biometric scans, remember to delete your existing biometric data. The good news is that your biometric data is stored locally on your device, not in the cloud, so when you delete it from your device, it’s really gone.
Recommended by Our Editors
If you use an Android device, go to the Security and Privacy section within the Settings menu, and choose Device unlock/Biometrics. Tap the delete icon to remove your biometric data. You can then set up a passcode to unlock your device by visiting the Lock Screen section of the menu.
(Credit: Google/PCMag)
If you’re using devices running iOS, visit the Settings menu, then Face ID/Touch ID & Passcode, and tap either Reset Face ID or Delete Fingerprint. While you’re there, set a passcode to use when unlocking your devices or logging in to your accounts, using a passkey or another passwordless authentication method.
(Credit: Apple/PCMag)
Privacy Doesn't Stop at Your Lock Screen
It’s troubling that a reporter was compelled by her country’s government to give up her right to personal privacy while protecting a source. Maybe you think you don’t have anything to hide, and maybe you’re right, but this incident is a wake-up call to everyone. It’s time to hide your private information from government officials and strangers alike.
Whether you commit to reading privacy policies carefully before signing up for new online accounts, cleaning up your digital footprint by closing old online accounts, or using unique, strong passwords for all of your existing accounts, the power to protect your personal data online is still in your hands.
Check out our cybersecurity checklist for a collection of periodic tasks you can complete to improve your online safety. Finally, when you’re ready to take your digital privacy even further, read our article on how to completely disappear from the internet.
About Our Expert
Kim Key
Senior Writer, Security
Experience
I review privacy tools like hardware security keys, password managers, private messaging apps, and ad-blocking software. I also report on online scams and offer advice to families and individuals about staying safe on the internet. Before joining PCMag, I wrote about tech and video games for CNN, Fanbyte, Mashable, The New York Times, and TechRadar. I also worked at CNN International, where I did field producing and reporting on sports that are popular with worldwide audiences.
In addition to the categories below, I exclusively cover ad blockers, authenticator apps, hardware security keys, and private messaging apps.