Larger Attack Surface on User’s Device

3 min readOct 17, 2021

I today take up this The Register report — “Client-side content scanning as an unworkable, insecure disaster for democracy” https://www.theregister.com/2021/10/15/clientside_side_scanning/

Glancing over this worrying report, I found this paragraph especially eye-catching; “It goes on to look at all the potential problems with CSS systems. These include the possibility of abuse by authorized and unauthorized parties, as well as local adversaries — a user’s partner, ex-partner, other family member, or rival who has access to the user’s device.”

This kind of threat is supposed to be mitigated by a secure login. In this aspect, we know that Apple is shooting itself in the foot by increasing the attack surface (=increasing the vulnerability) of the login security as the result of adding a probabilistic back door of biometrics login such as TouchID and FaceID on top of the deterministic front door of a default pincode/password.

If there is nothing particularly wrong in using two authenticators in a ‘two-entrance’ deployment for convenience’s sake, it is absolutely wrong to lead the consumers to wrongly believe that the security has been improved.

Actually, it has brought down identity security, spreading a false sense of security among consumers.

Well, as for the security effect of deploying two authenticators in ‘multi-entrance’ deployment (as against ‘multi-layer’ deployment), you might well be interested in these posts -

“Biometrics is to Password what Back door is to Front door”

“Step-by-Step Analysis of Why and How Biometrics Brings Down Security”

“Get graphs to talk the nature of probabilistic biometrics”