Something I feel that's always missed in these discussions is context: Who is the adversary you're attempting to protect against?
Your kids screwing around with your phone? TouchID does the job.
Random people screwing around with your phone if they find it? Same thing.
Government gets ahold of it? Yeah.. notsomuch.
Considering that the primary adversaries of an average smartphone user are other mere mortals, not dedicated spy agencies, a fingerprint login strikes a very good balance between usability and security.
Consider the alternative - either requiring a standard alphanumeric password on unlock (just about zero usability), or a 4 digit pin code (less usable than the fingerprint while providing identical, maybe slightly less security than that option), or more likely than not, no password of any kind, the whole touch ID thing is a massive jump forward in the security posture of the average iOS user.
Most iOS users I know have it enabled simply because it means they don't have to keep re-keying their app store password.
In the biometrics field we use the threshold that separates an authentic and impostor match score to adjust our system sensitivity - for TouchID it's set such that the false acceptance rate (FAR) is high, while the gov may set it very low (usually the standard for papers is looking at the false reject rate at 0.1% FAR).
So this article is a year old, I don't know if Apple has managed to improve things since then.
But if it were as easy to get access as the article suggests...
I agree you take the right approach by identifying adversaries. And I agree that it's relatively reliable against kids or random people randomly screwing around. And not against governments.
But there's a whole bunch in between that. Business competitors? Ex-partners or personal enemies, motivated enough to hire a private detective or similar that can easily do this?
I think the line of "reasonable defense against" for this technology is actually probably _just barely_ above random people screwing around with your phone because it was just lying there. And there's a whole lot above that but below national intelligence agency.
I remember reading the original article on cracking Apple's fingerprint ID and the crackers mentioned that, while definitely crackable, it requires a certain level of sophistication and thus they considered the addition very worthwhile as a way to protect against robbing, etc.
When you think about security, you should have in mind who you are protecting against, and the same applies to passwords.
Security purists love to advocate that password reuse is evil, but who in the first place is going to be your attacker and for which purpose?
For example, in the context of money (online banking, paypal, ebay, etc.) I completely agree that password reuse is evil.
But when it comes to random websites, or simply to access my devices does it really matter? The first time I saw the Chromebook my first impression was "do I really have to write my entire Gmail password EVERY TIME I want to access this thing???" With my Galaxy S5 I was like "Don't tell me how should I create a password to unlock you!!! If I want to use 0000 it's my problem!!!"
I personally like the approach of FastMail: Different Login methods (like using Google Authenticator to generate random one time use passwords, or the ability to create different plaintext passwords). You decide which login methods allows you to access your account, and which ones allows you to manage it.
> Security purists love to advocate that password reuse is evil, but who in the first place is going to be your attacker and for which purpose?
You don't know, that's why password reuse is evil.
Years ago when I made my Facebook account it used the same password as all my other accounts. Now that I use Facebook as an OpenID provider for pretty much any news site I would be exposing myself and my friends to all sorts of attacks if someone found hacked a phpBB forum that I frequented years ago. You could make the argument that only important sites should have unique passwords, but you, your grandmother, and I all have a different definition of important sites.
OpenID does not provide your password to each site that you use it on... It uses a token that only that site can use, for the permissions that were shown when you created the token. If someone did acquire that token, you could just change your Facebook password and the token would expire
If my Facebook password and some old website's password are the same my Facebook can be compromised. Then the attacker can run around on the net pretending to be me at any OpenID accepting website.
OpenID isn't being attacked or at fault, it's non-unique passwords.
And you don't think your children will try to hack your fingerprint with a gummy bear? A fingerprint makes a poor password and even a worse ysername. So much for asking your spouse to log in and check something for you
I figure a criminal would just rather have you change and disable your password altogether, it takes much less time that way and it's easier to do rather than dealing with carrying around a bloody finger.
Touch ID only works for a minute or two after your finger is cut off. Touch ID reads the blood vessels, not the fingerprint, meaning it only works for a minute or two after the finger is cut off.
Very few thieves would go that far, and they would almost certainly give you an opportunity to unlock the phone for them instead. Most people would take that opportunity.
I always get the sense of cognitive dissonance when I read security researches and advocates write about passwords and fingerprints. If you have access to my device, you have access to my physical person, and my physical person will freely give up any password because no secret I have is worth my life. This isn't Hollywood, I'll give up my password with even the hint of physical violence that could maim or otherwise affect my quality of life.
Fingerprint readers, as Apple uses them per device backed by a strong high entropy password, are good enough for securing the average persons access to a device.
My physical security, something much more dear to me than my secrets, is protected not by keys and tumblers, but by a 1/4 inch of glass that can be cut through in seconds with $5 from the hardware store. Even the key and lock can be circumvented with a rubber mallet and a bump key, or a set of picks. So why use them? Because locks keep honest people honest, and those looking to cause you harm will cause you harm, regardless of what digital security you use.
Jake Applebaum was detained routinely during border crossings in the early wikileaks days. They (FBI?) demanded he decrypt his hard drive for them. He refused. As far as I know they never managed to get inside. This works, at least some of the time.
I think you take the right approach to true security risk analysis.
But there are all sorts of cases you leave out.
Someone might very well have access to your device without having access to your physical person. Because your device was lost or stolen.
Someone may very well not be willing to threaten you with physical harm, but be willing to hack your device. (Not every adversary is from a Hollywood movie either!)
Law enforcement agencies may not be legally allowed to compel you to reveal your password, but legally allowed to hack your device.
Perhaps, but I feel that anyone sophisticated enough to replicate my fingerprint perfectly before it reverts to password only, and to do so before I'm able to make a remote wipe, and able to even find my fingerprints (lost phone) and to be lucky enough that the fingerprint is the one I used to secure the device, makes this a sufficiently low risk to the average user in my opinion.
If you're at odds with an American TLA, your 4 digit pin isn't going to slow them down at all.
Besides, the entropy on the average 4 digit pin is really low, it has a greater chance of using 5, 6, 8, and 9 for righties, and 4, 5, 7, 8 for lefties. Combine this with repeated finger grease blobs, and I don't feel anyone can logically argue that a pin is a sufficiently more secure option compared to a fingerprint.
Sorry, I should amend that last statement to be using the model Apple is using with it's touch ID where the fingerprint simply authenticates use of a high entropy password stored on the device, and the datum of the fingerprint is in not sent.
His argument proves too much. If he thinks fingerprints are too insecure to be allowed, then he must think the same of low-entropy passwords. Yet I don't see him advocating that Ubuntu force users to choose high-entropy passwords and rotate them regularly. If he's fine letting users choose a low level of security by picking simple passwords, why not also let them choose to auth with fingerprints?
Also, I think he misconstrues the purpose of Touch ID. It's not meant to completely replace passwords.
There are three categories of authentication methods:
1. Something you know (password, combination, challenge responses).
2. Something you have (crypto token, phone, key).
3. Something you are (fingerprint, face, DNA, etc).
Methods can be combined for added security. All three have advantages and disadvantages. Passwords are typically chosen by users, making them weak. Good crypto tokens are hard to copy, but loss or theft can mean getting locked-out. Biometrics are convenient, but can't be revoked. Also, some activities can make them hard to read.[1]
Apple uses all three authentication methods in the iPhone. Touch ID is for basic access. The passcode is for admin-level functionality like erasing or restoring the device. Lastly, physical access to the phone is required to decrypt important data such as Apple Pay's Device Access Numbers. This gives typical, non-technical users a sane combination of security and convenience. If thieves and scammers start copying fingerprints, Apple will change their auth mechanisms.
1. I love Touch ID, but it takes a while to work again after I rock climb or lift weights.
Not disagreeing with you, just going on a tangent and extrapolating the point from the article, the third method group, "something you are" might jump into the "something you have" if it can be extracted or copied from you which might be the case of fingerprints. You are the original source of fingerprint, but you leave copies of it everywhere, so then there are several sources to mimick from and they work just as well on these technologies.
I'm sure he -does- think low entropy passwords are bad. However, once compromised, those can be changed. That's the point. (Plus, passwords aren't routinely collected and shared by governmental agencies. Just throwing that out there).
As you say, with Apple's TouchID, you are actively choosing a less secure method to access your device, for convenience. But...that's also pretty close to what the author said. "Biometrics can be use used as a lightweight, convenient mechanism to establish identity, but they cannot authenticate a person or a thing alone."
His point is that for things like system access to a Linux box, or to unencrypt data (eCryptfs, the software he helps maintain), biometrics is far too insecure.
I think convenience is important in this comparison because that generates a context in which TouchID is actually more secure, because it's more likely to be used than remembering and typing a passcode/phrase. Apple have shown the usage stats. There is also the inconvenience for attackers of reproducing a fingerprint through an elaborate process, which again makes TouchID more secure (in my opinion) in practice than a password/phrase.
While theoretically less secure, I would say TouchID in practice is more secure for average users. But in the case where there is the motivation I would agree with you.
Right, and I don't think the author necessarily disagrees with the idea of including TouchID in Apple products as an alternative to 'completely unlocked'.
As the author indicates, "This isn't a knock on Apple, as Thinkpad have embedded fingerprint readers for nearly a decade. My intention is to help stop and think about the place of biometrics in security."
The danger is viewing biometrics as a secure alternative to passwords; it's not. But comparatively few people are technically inclined enough to realize that; with Apple embracing it for convenience, we run the risk of people not understanding the security implications; the author saw evidence of that when asked to implement biometrics for file encryption, which is a terrible idea.
I think I remember the issues: good passwords are arbitrary, hard to guess, can be changed at any time, are used for one purpose only. Biometrics (fingerprints) are none of these things.
It took me a moment to work this out too, but they meant that the police don't ask for your passwords when they arrest you for an unrelated charge; the DMV doesn't ask you for them when you get a drivers license (do US DMVs do that?) etc.
US DMVs do not require fingerprints, no. However, they do require images to be taken of you, that are entered into a database ( http://www.washingtonpost.com/business/technology/state-phot... ). So when discussing 'biometrics' as a whole, government agencies routinely collect and share it.
Plus, let's not forget the data sharing arrangements that were highlighted by Greenwald; the US collects fingerprints from anyone entering the country ( http://en.wikipedia.org/wiki/Office_of_Biometric_Identity_Ma... ), and I'm sure they're happy to share that information with other countries, who may be prevented legally from collecting that info from their own citizens. And vice versa. So traveled overseas? It's not unreasonable to assume your home country now has access to that piece of biometric data. Certainly, the country you traveled to does.
And of course, if you are arrested, your fingerprints are entered into a DB as well (though you can fight to have them removed if you are never found guilty of anything; good luck with that).
> 3. Something you are (fingerprint, face, DNA, etc).
Add there your mom's maiden name, your parent's names and you get the point; in an authentication system "something you are" must be better used more as user names rather than passwords because users can't change them. Once they're public irrecoverable attacks may happen.
There are 3 categories of authentication inputs.
(1) Something users can not change
(2) Something users can change
(3) Something the service owners or system admins can change including time synchronized codes.
You better use 1 as usernames, 2 & 3 as passwords.
Fingerprints can be changed as easily as a username. Simply never use the "raw" fingerprint output of the device, instead XOR it with some key (like either something from factors 2 or 3, or simply a static key).
I think part this is the fact that a lower complexity password can always be changed if compromised. If your fingerprint is compromised, you can't just generate a new one.
There is indeed a high-risk way of doing fingerprint scanning - the way Estonia intends to do it for people who want to become its e-citizens. They want to collect everyone's fingerprints and store them in a centralized database. Good luck with that not being stolen. NSA will probably break into it the same same week it goes online.
Having the fingerprints hashes stored in a secure enclave on everyone's devices seems like a much more secure way to deal with fingerprints. The first method is completely unacceptable. The latter is more reasonable.
The NSA certainly already has the fingerprint of everybody they care about, and probably has of everybody else too.
Governments collect fingerprints on several occasions, as do several buildings' security, some mass transit administration, banks, workplaces, and lots of other entities. Also, you live them everywhere anyway.
Why must high entropy passwords be rotated regularly anyway? Shouldn't they only need rotating after a certain number of incorrect logins? Shouldn't that number be decently high?
Regularly changing your password reduces the impact of an undetected security breach by shortening the maximum amount of time a leaked password remains useful.
I don't think many (outside of perhaps Apple PR?) have argued that fingerprint security is great, absolutely speaking. Relatively speaking, however, it is great, as many phone owners would otherwise not have any sort of locking security on their devices at all. Yes a fingerprint unlock is hackable, but it's a lot less hackable than your phone being open from the get go.
I think Apple are pretty aware of the limitations - they don't accept TouchID on first login after a restart, for the first purchase after a restart, if it's been 48 hours since an unlock or for resets/major config changes. For that you either need the PIN or, if you've opted for more security, the password.
Overall it feels that Apple's take is for day to day login it's better than a four digit PIN and it's better than no PIN.
>they don't accept TouchID on first login after a restart
That's because the hash of the print is stored on an encrypted volume of some kind, which requires your regular password to decrypt after a cold boot. Once the hash is in memory, the fingerprint can be used instead.
I'm not sure I'm following what you're saying a 100%, but based on this [1] i don't think the fingerprint hash is ever in memory. The TouchID camera sends the fingerprint hash directly to the secure enclave, where it is compared to the one saved there, and then the secure enclave sends a yes or no to memory, at least that's my interpretation
Is it because of that, or is it implemented that way because they wanted to ensure that TouchID couldn't be accepted after a fresh restart? I think you may have the causality backwards, since they could have easily stored things in such a way that your fingerprint worked after a fresh reboot if they wanted to.
Exactly. Touch ID (hopefully!) isn't designed to protect against a sophisticated adversary with time for preparations; it only has to hold out as long as it takes the device owner to realize that their gadget has gone missing. In the case of Apple Pay, they can then immediately disable the payment functionality.
Of course, this doesn't help against a sophisticated attacker who is interested in the data on a device; in that case, a secure passphrase would be preferable.
Unfortunately, it seems like iOS doesn't allow using different authentication methods for payments and for device unlocking; it would be really nice to be able to use Touch ID for the former, and a passphrase (or even a passphrase AND a fingerprint!) for the latter.
I used to be employed by a bank that gave me a such a system with TPM and secure BIOS with fingerprint reader.It was a dell one if i remember and used to take quite a lot of time with even simple things like booting.It was a specific project!
Everything about this article is well-intentioned — and wrong.
"much as a your email address or username identifies you, perhaps from a list."
Your email address or username may identify you, but it also may not. Your fingerprint absolutely identifies you and only you.
"For authentication, you need a password or passphrase. Something that can be independently chosen"
A password is a secret phrase. We're used to thinking about passwords in terms of strings, but anything secret that I know about would serve the definition. In fact, like a character-based string password, I can even make a copy of my fingerprint password and store it somewhere if I wanted a backup.
A fingerprint is both a username and a password. Trying to hold some analogy between Touch ID and traditional username/password combinations doesn't hold and it completely misses the point of the innovation.
That's why it's convenient, and skepticism of civil liberties aside, convenience means better security because people will use it.
> Your fingerprint absolutely identifies you and only you.
The whole point of the article is that this isn't true. Fingerprints are trivial to obtain and copy with sufficient fidelity to beat modern fingerprint readers.
A fingerprint is not a password because it can't be changed. If a database containing your password is leaked, you can just choose another one. What happens if a database containing your fingerprint is leaked?
And fingerprints will leak, as we are using them more and more.
Simplifying his post, there are 3 reasons biometrics are terrible for authentication:
1. Every piece of biometric data is inherently public. (Fingerprints, facial geometry, hand geometry, even DNA)
2. Biometrics require an error threshold as our bodies are always changing (that's like typing a 20char password and having only 15 of them be correct. That's fine! Let them in anyways with 5 incorrect characters)
3. Key revocation. I can change my passwords and locks if you get a copy of my passwords or keys... but once you have a copy of a biometric identifier I cannot use that again for the rest of my life.
My keys are plenty strong, but when I mistype a strong key (which is plausible seeing as I can't see what I'm typing) then I'm fine with sacrificing some strength to just accept it. My key is already well beyond practical attack anyway.
That said, if you WERE to use something like 2, you'd have to be much more diligent about enforcing good passwords, also you'd have to come up with some kinda scheme that could work with "close enough" and not reveal information about the password.
Even assuming 2 is a good idea, I have no idea how that could be implemented. A major desirable property of a good password hashing algorithm is that slightly differing inputs should produce wildly differing hashes, and the login authenticator should only ever know the password hash and not the password itself.
ect, then check the submitted password by testing it against these hashes by removing characters in the same fashion.
Just as an early idea.
I think it's a good idea, what if you could encourage users to use stronger passwords by telling them that "the system will forgive near misses, so don't be afraid"?
This article is from 2013. While things didn't change a lot (this years TouchID was broken as well IIRC, though I've heard it got a little better), it's hardly news.
Also, I don't think even Apple advertises its fingerprint scanner as a replacement of passwords. It is a replacement of 4-digit PINs, and for that it is far more secure. While members of CCC have the knowledge of lifting a print, most people do not have this knowledge or tools. And if you notice your phone is stolen, you can always log in to icloud.com (with your password, you cannot use TouchID there) and lock down/reset your phone immediately.
How about the user gets the option to add NFC pairing so strengthen the security of the fingerprint. Once the user sets both up, then he won't be able to login until both are recognized for authentication. It should be hassle free if that NFC pairing comes from a smartwatch or smart-band and he just picks up the phone with that hand. The NFC authentication should happen automatically without thinking about it.
The NFC would essentially function as an OTP 2nd factor (or FIDO U2F if that's better) to the fingerprint being the "password".
In the case of Touch ID, please consider that in order to circumvent it, you not only have to be able to fool the Touch ID sensor, you also have to have physical access to the device.
No, you couldn't. That's not how Touch ID works. Apps never get access to the fingerprint or have any way to interact with the Touch ID sensor except to ask it to authenticate the owner of the phone, ie. yourself.
As with many things, it depends heavily on what you're using it for. Not as pithy for a title though, I suppose.
No amount of information entered into a computer fully proves it's you and not someone else. A fingerprint provides some information, as does a password.
This sounds like a fairly useless distinction, but hopefully this will make sense:
If all we're doing is trying to prove we're us and not someone else, why do we need a username at all? What added bonus is gained from having a completely public bit of information?
Well that's because:
1. People are bad at picking passwords, if everyone picked a 2000 character random password and kept it secret we'd not really need anything extra
2. You can't inform people if they've picked the same authentication as someone else, so you prefix it with a per-user unique value which you let people know will be public
I don't really see fingerprints as a username or a password. They're just another hint to the system that it's probably you, and you can use any combination of those three depending on what you actually care about.
For example:
I don't have a username on my phone to unlock it, just a password.
I have a username and password for HN.
I have a username, password and physical auth device for work-related logins.
The latter two are fairly obvious as differences in how important it is that I'm verified to be me, the former is because I mostly want my phone to distinguish between me and my pocket.
> But biometrics cannot, and absolutely must not, be used to authenticate an identity.
A bad choice for what? Your fingerprint can only be used to access a particular device in the case of Touch ID. It is worthless if you don't also have physical access to the device. And it's a lot easier to tell if your device has been compromised because it means that you no longer possess it, in which case you can simply remote wipe it. To reiterate: Possession of your fingerprint alone does not allow someone to access your bank account or log into your webmail.
Your fingerprint can only be used to access a particular device in the case of Touch ID. It is worthless if you don't also have physical access to the device.
Or any previous device you might have had with Touch ID. Unless you change your fingerprints when you get a new phone.
And it's a lot easier to tell if your device has been compromised because it means that you no longer possess it, in which case you can simply remote wipe it.
Which can easily be subverted by simply disallowing the phone from connecting to the Internet. A "faraday bag" costs a few bucks. Assuming TouchID doesn't prevent you from logging in without Internet access, of course.
Or any previous device you might have had with Touch ID. Unless you change your fingerprints when you get a new phone.
Or... You could wipe your old phone when you get a new one.
Which can easily be subverted by simply disallowing the phone from connecting to the Internet.
Perhaps, but you know what they say: If a (determined) attacker gains physical access to your device, all bets are off. But at least you would know if you lost your device. A password OTOH could be compromised without you knowing.
Also, I am only saying that Touch ID is at least as secure as a username/password authentication scheme. If you want more security (perhaps because your adversary is someone who would go to the lengths of manifacturing a fake finger to fool a Touch ID sensor and also get a Faraday Bag to prevent you from wiping your device), the you should perhaps consider using 2-factor authentication.
I agree with the below comments. These types of papers are always emphasizing rigor over actual experience.
Many types of "100%" security fail because of this disconnect. Forced rotating passwords or long ones with required symbols and number? Most people choose to have easy to remember ones (e.g. pass1, pass2, pass3,) Or it's so difficult to memorize that they'll write it down somewhere nearby.
The points are important, but they're directed at consumer products. I wonder how the same person would look at bike-locks...which even with the most expensive locks are only a deterrent given the right tools.
Fingerprints are not bad for local authentication. For instance if phones become more used for payment I would expect my phone to contain a secret key for payment that is unlocked easily which a fingerprint could do. So in order to compromise this they would need to get both my private key and my fingerprint. If my private key were compromised, I could then get another key. The article is right though that fingerprints should not be used as the sole means of auth though for the sheer reason that it cannot be changed.
Fingerprints aren't passwords. They also aren't usernames. They're fingerprints, and they have different characteristics from both usernames and passwords.
Rather than try to shoehorn fingerprints into our existing terminology, let's look at what fingerprints can do and what implications they provide, and then use them accordingly. The article sadly fails to do this.
Can a fingerprint even be used as an encryption key? I'd imagine that the reader doesn't generate the exact same data on every scan, and to get a "yes/no" requires seeing if the scanned print is within a certain margin-of-error of a stored print.
Passwords are not passwords, they are usernames. It's a part from the combination to identify you, while unlike usernames, it's hidden by design. Fingerprints are like passwords, they can't be easily copied and be reused somewhere else, for now.
I think fingerprint should still require a password after a duration. I'd be fine with using my fingerprint to login if I have recently logged in in the last few hours.
Good post, this is so true. Fingerprints should only be used as id, if at all. Like 'icebraining' said: Passwords can be compromised and must be changeable.
First, a fingerprint is unique, also serves as _identification_.
Secondly, a fingerprint is secure to a very high degree - cannot be easily stolen and duplicated, always is with you and so on. Thus, it serves as _authentication_ too.
EDIT: to the downvoters and critics: what you describe is using an _excess_ of effort to get my fingerprint ( technically, using force, etc ) . If I see a password, I can use it immediatelly, if you see my finger, there is a long way ( in terms of steps) until you can use the fingerprint attached to it. And btw, I am not defending Apple here.
Fingerprints can easily be acquired, if that weren't the case they wouldn't be extensively used in crime scene investigation. When fingerprints were supposed to be used as authentication, together with an ID card, in Germany, the German Chaos Computer Club acquired the fingerprint of the minister of the interior from a used glass and spoofed a reader with it by transfering the print to some adhesive tape.
I think what op means is that if you find someone's password, you can type it into their device and you are in. Total breaking in time < 30s. If you find someone's fingerprint, you need to make a copy of it, scan it at high resolution, prepare a good printout and only then you can use it. Total breaking in time >1h.
you might want to review some of the literature around bypassing fingerprint readers before making that kind of statement... A large number of readers are easily fooled by copied prints. Also there's the False acceptance/false rejection rate tradeoff to consider.
Once of the major issues with biometrics is revocation. If compromised it can be difficult to change!
There's also the glossy fingerprint attracting screen of the iphone. Creating an artificial fingerprint from what you've left on the screen would be non trivial but far from impossible.
People have been saying this kind of thing since the 5s debuted - is there any evidence that it's actually happened outside of the fevered imaginations of Whatif Warriors?
lol. This is not Hollywood. A phone thief isn't going to be using tape and superglue to find your fingerprint. Do you really want to encourage someone to remove your index finger when they mug you for your phone?
Yes. A man had his finger ripped off by a thief stealing his iPad. It was not for the touch ID, but that is beside the point IMO. There have been plenty of incidents where muggers remove fingers to steal rings. I don't think a phone is so different.
Having looked up this iPad theft, they didn't rip his finger off - the drawstring of his bag got tightly wrapped around his little finger and the force of their grabbing the bag stripped it. An awful thing to happen, sure, but not at all "had his finger ripped off by a thief" - it was a pure accident.
Your kids screwing around with your phone? TouchID does the job.
Random people screwing around with your phone if they find it? Same thing.
Government gets ahold of it? Yeah.. notsomuch.
Considering that the primary adversaries of an average smartphone user are other mere mortals, not dedicated spy agencies, a fingerprint login strikes a very good balance between usability and security.
Consider the alternative - either requiring a standard alphanumeric password on unlock (just about zero usability), or a 4 digit pin code (less usable than the fingerprint while providing identical, maybe slightly less security than that option), or more likely than not, no password of any kind, the whole touch ID thing is a massive jump forward in the security posture of the average iOS user.
Most iOS users I know have it enabled simply because it means they don't have to keep re-keying their app store password.