ANSSI advises replacing mobile device biometrics with a six-character passcode

Tucked into a report from the French cybersecurity agency ANSSI, amid 18 sets of recommendations, is the suggestion that people should stop using biometric authentication to unlock their smartphones.
The 42-page report “Mobile Phones: Threat Landscape Since 2015” examines threats targeting consumer smartphones and how to mitigate them. It has roots in consultations launched in 2023 between France and the UK on how to respond to the proliferation of commercial cyber intrusion capabilities (CCICs).
ANSSI reviews passive and active interception and data modification attacks carried out over communication channels including 2G, Wi-Fi, Bluetooth, NFC and USB connections. Some attacks are carried out as part of social engineering and phishing campaigns, some target data collection, and others have a profit or revenge motive.
A section about “attacks relying on physical access to the device” describes several different attacks, including one involving the NoviSpy spyware, which may have been deployed to devices belonging to Serbian activists interrogated at police stations. In this case, according to the analysis, the unlock codes of the phones may have been acquired by observing the victims as they entered them.
The section itself does not mention biometrics; under the heading on using a strong password, it tells consumers to set a device unlock code made up of “six alphanumeric characters.” A passage further down, expanding on the recommendations, makes explicit that biometric unlocking is regarded as a weakness.
“It is also recommended to avoid using biometric authentication (facial recognition and fingerprints) to prevent the possibility of unlocking a mobile device without knowing its password,” the report says.
The other recommendations for physical device protection are not to connect the phone to unknown devices, to use a trusted USB data blocker, and to turn off the device when leaving it unattended.
ANSSI’s recommendations appear at odds with a concerted effort by organizations around the world to deprecate passwords in favor of passkeys to protect against phishing, with Facebook and Microsoft as prominent recent examples.
Individual users “are strongly advised to read and take into account the recommendations if they recognise themselves in one of the cases described,” ANSSI says.
There is another consideration, at least in the United States.
In the past, some courts have held that a government law enforcement officer can compel a person to use their biometrics to unlock their cellphone, but cannot compel them to provide a passcode to unlock their phone.
A U.S. District Court judge in Northern California has subsequently held that forcing a person to unlock their phone with biometrics is a violation of U.S. Fifth Amendment rights, but this will presumably be litigated for some time in the future.
At present, I know of at least one biometric expert who only uses passcodes on his phone for this reason.