Demanding a password introduces more error and more room for evasion than a finger, which as I said is about the same as getting the phone in the first place. You are right that in some, maybe even most cases, it may not make a difference. But when time is of the essence, additional obstacles are often simply avoided.
You also might ask who is sticking you up. For example, I believe there is fourth amendment literature re government officials that have gotten away with using an arrested persons biometrics to unlock a phone, in a manner in which compelling the release of a password would be illegal. Put another way, I can simply grab your finger or put your phone in front of your face, whereas beating you until you surrender your password is a lot harder to accomplish without creating additional consequences.
Still depends on your threat model. Not everyone lives in a place where stick-ups and random arrests are so common place that you want to inconvenience yourself 99.999% of the happy flow.
Indeed, good point. Proper threat modeling is everything.
This also explains my original reply to the ancestor comment. As I see it, most people's personal threat model essentially already accounts for data breaches to the point that they are almost irrelevant. We hear about them all the time. More and more people are learning about credit freezes or 2fa or just getting these services baked into things they already use (more banks offer free credit monitoring, 2fa is increasingly a standard). It seems like we are in a place where data breaches just become essentially background noise to the average user.
In my view then, I would personally factor in physical theft as a higher threat than "phishing and data breaches". Even if low probability to begin with.
There is also the objective question of which occurs more or incurs more damages to individuals, the answer to which I do not know. I know companies often spend a lot of money to fix problems or deal with lawsuits, but individuals don't really get compensated by that the way they would if someone who ripped your phone away from you was tackled to the ground and your property got returned. For example.
As you say though, the threat model is everything.
Demanding a password introduces more error and more room for evasion than a finger, which as I said is about the same as getting the phone in the first place. You are right that in some, maybe even most cases, it may not make a difference. But when time is of the essence, additional obstacles are often simply avoided.
You also might ask who is sticking you up. For example, I believe there is fourth amendment literature re government officials that have gotten away with using an arrested persons biometrics to unlock a phone, in a manner in which compelling the release of a password would be illegal. Put another way, I can simply grab your finger or put your phone in front of your face, whereas beating you until you surrender your password is a lot harder to accomplish without creating additional consequences.
Still depends on your threat model. Not everyone lives in a place where stick-ups and random arrests are so common place that you want to inconvenience yourself 99.999% of the happy flow.
Indeed, good point. Proper threat modeling is everything.
This also explains my original reply to the ancestor comment. As I see it, most people's personal threat model essentially already accounts for data breaches to the point that they are almost irrelevant. We hear about them all the time. More and more people are learning about credit freezes or 2fa or just getting these services baked into things they already use (more banks offer free credit monitoring, 2fa is increasingly a standard). It seems like we are in a place where data breaches just become essentially background noise to the average user.
In my view then, I would personally factor in physical theft as a higher threat than "phishing and data breaches". Even if low probability to begin with.
There is also the objective question of which occurs more or incurs more damages to individuals, the answer to which I do not know. I know companies often spend a lot of money to fix problems or deal with lawsuits, but individuals don't really get compensated by that the way they would if someone who ripped your phone away from you was tackled to the ground and your property got returned. For example.
As you say though, the threat model is everything.