
Identity as password


I have two phones: one that uses primarily Face ID and PIN to unlock and to do certain transactions, and another that uses a thumbprint and PIN. Which is safer? Which is more secure? And with authorities now requiring banks to end text-based OTP (one-time password) confirmations for financial transactions, which is safer and more secure for customers?

In a recent visit to my bank’s branch, the teller asked for my ID, made me sign forms, and required me to provide my thumbprint through a biometric device on her desk. It was only after all these that she proceeded to finalize my transaction request.

I recall visiting the World Expo in Osaka last year and walking through Kansai Airport with cameras throughout the terminal tracking my family’s movement. With facial recognition, the system was providing directional instructions through monitors scattered throughout.

With banks, back in the day, my signature and ID would have been enough. An addition later on was the use of a PIN, or perhaps a password. Nowadays, my identity has also become my password via thumbprints and facial recognition, among others.

Identity is now the convergence of data privacy, cybersecurity, banking, constitutional law, and public policy. The question in my mind is whether our laws have evolved alongside these developments to consider issues beyond smartphones, banking, immigration, acceptable IDs, and digital identity.

In the United States, the prevailing legal view is that compelling a suspect to unlock a phone using a fingerprint or facial recognition is generally considered the production of physical evidence, akin to providing fingerprints or a DNA sample, and therefore does not ordinarily implicate the protection against compelled self-incrimination. By contrast, compelling a suspect to reveal or enter a memorized PIN or passcode requires disclosing the contents of the mind and is typically regarded as testimonial, triggering constitutional protection.

Locally, while the Supreme Court has yet to rule on a case explicitly involving smartphones, legal doctrines draw a similar distinction. The Court distinguishes between testimonial compulsion and physical compulsion. In Villaflor v. Summers, the Court ruled that forcing someone to provide physical evidence, like a fingerprint, is a mechanical act not protected by the Constitution.

And in Beltran v. Samson, the Court ruled that if an act requires the application of intelligence and attention, like remembering and typing a PIN, then it becomes a testimonial act and is protected by the right against self-incrimination. A court order is thus required.

My argument is that compelling biometric unlocking should also receive constitutional protection because it grants access to vast amounts of private digital information. Should the legal framework continue to distinguish between what you are, meaning your biometrics, and what you know, meaning your password? Should they both not enjoy the same constitutional protection?

As a technical matter, both Face ID and fingerprint authentication are very secure, arguably even more secure than PINs and passwords. Face ID is harder to fool and works even when hands are wet, too dry, or covered. Facial features cannot be lifted from surfaces the way fingerprints can. And yet, the Constitution treats it with less regard.

Given the level of security now required for electronic transactions, it is only normal that people will favor a more secure Face ID, fingerprint, or eye scan over a PIN or password. But authorities can compel you to unlock your phone via any of these mechanical methods without first going to court.

Under current Philippine doctrine, only a phone PIN or a password is protected from disclosure without a court order. A thumbprint or a Face ID is not. By opting for a more secure protocol, to what extent is my privacy now protected? And to what extent can my own private information, my biometrics, my credentials, be used against me?

The Bangko Sentral ng Pilipinas (BSP) is directing all BSP-supervised financial institutions to phase out SMS-based OTPs. Banks are moving to in-app soft tokens and biometric approvals. Does this mean that banking regulation is compelling people to shift to security protocols that are not constitutionally protected?

Will it make a difference to a bank in deciding on a fraud complaint whether the transaction was confirmed by biometrics or by password or PIN? Biometrics presuppose that the smartphone is in the hands of the customer. A PIN does not. Biometrics skew the burden of proving the fraud toward the customer.

Face ID and thumbprints are permanent credentials. I cannot change them or get new ones. If the servers that keep them — government servers, private servers, banking servers — are hacked and the biometrics are compromised, the stakes are far greater than a forgotten password.

In visiting my bank branch, my IDs, my signature, and my physical presence were no longer enough. The bank wanted physical proof that the customer in front of them was truly me, the account owner. My thumbprint was deemed necessary. The thumbprint was deemed necessary to guard against someone impersonating me with a fake ID and a forged signature.

I understand that this helps prevent fraud. But government servers, immigration and visa servers wherever I have traveled, bank servers, and payment solutions providers all hold copies of my face, my fingerprints, my IDs, and my personal details. These servers can be hacked. My identity can be compromised.

For decades, banking identity relied on passbooks, then IDs and signatures, then PINs and passwords. Now it relies on fingerprints, faces, and iris or retinal scans. This changes the balance between convenience, security, privacy, and government power.

The Constitution protects the contents of your mind. Modern authentication increasingly bypasses your mind entirely. Authorities may not compel you to disclose a password or PIN. But they can compel your face and your fingerprints. Those are already on file somewhere, anyway.

As biometrics become more widely used, should they not enjoy the same constitutional protection as PINs and passwords? As banks, airports, and smartphones replace passwords with biometrics, are we trading a piece of our privacy and constitutional right for greater convenience and security?

The Constitution was written to protect what the state cannot see. It may not have anticipated the day when the state would simply learn to read your face.

Marvin Tort is a former managing editor of BusinessWorld, and a former chairman of the Philippine Press Council.

matort@yahoo.com
