Apple has recently spurred some controversy with the introduction of a biometric sensor on board its latest flagship product, the iPhone. When it comes to this topic (governments stealing fingerprints… anyone?), I think that most people are overlooking some other interesting issues.
To my knowledge, available and affordable biometric sensors are known to be quite easy to bypass. Even those that take skin humidity into account can be bypassed, and this vulnerability has been known since 2002, so it comes as no surprise that Apple’s Touch ID was broken by the CCC a few hours after its launch.
So, if all of this was already known, why did manufacturers decide to include a biometric sensor anyway? There may be different reasons, some understandable, some outside the scope of this article.
- PINs and passphrase authentication schemes are showing their weakness, and the market required a suitable answer.
- a biometric sensor is a great way to tie the device to the user. In the not-too-distant future, ‘for security reasons’, it may be handy for manufacturers to tie the biometric credential to the device in an irreversible way, to ‘burn it in’, thus eliminating the second-hand market (and the black market as well).
Update (27.09.2013): I feel that this will eventually come up any time soon.
- plausible deniability: in this not-too-distant future, once the biometric credential is ‘burned into’ the device during initial setup, it can be difficult for the user to repudiate the device by claiming he does not own it.
As far as I know, the link between the biometric credential and the device is not so strong at the moment, and I suppose that the phone can be reset and sold without particular issues in this regard.
For normal people, the ones who fear a violent assault by petty thieves more than a government coming after them for espionage, there are a few reasons why a biometric sensor on a phone is a good thing:
- PINs, unlock patterns and passphrases may be awkward to enter in an emergency situation. While it’s true that the emergency dialer is always accessible, an emergency may include a scenario where one has to call a number other than the standard one, and PINs and passphrases are difficult to remember under stress.
- an authentication scheme based on a biometric sensor is better in a hands-free situation, because it does not require the user to focus on entering the credential.
- a biometric sensor is great for elderly people and people with impairments.
- you cannot forget a biometric credential (*hopefully*).
On the other hand, there are plenty of cons to a credential system based solely on a biometric sensor.
- a biometric credential cannot be easily changed.
- a biometric credential, like a fingerprint, is comparatively cumbersome to protect, while in normal situations protecting a PIN or a passphrase is relatively easy.
- fingerprints, in particular, are mostly exposed: unless the user is wearing gloves, fingertips are always in contact with the surrounding environment. The claim that Touch ID also works with other parts of the body may be fun, but fingertips have a very special characteristic: they are different from person to person. I would love to see people unlocking their device with their forehead, but it would be interesting to see whether other people’s foreheads work as well. Moreover, no more placing your forehead on the window on a cold day like Keanu Reeves would possibly do, unless you want to risk compromising your main credential.
The use of fingerprints as a biometric credential, while practical, has some real issues that people should consider. First of all, there’s a better chance of violent crimes in which thieves forcibly unlock the device or cut off the fingertip to obtain the biometric credential. And living without thumbs can be uncomfortable, to say the least.
Then there’s the aspect of privacy and data security. Anyone may find himself in a situation where a third party forcibly tries to obtain access to the device.
While a little interrogation or forensic access methods are viable alternatives any law enforcement agency can consider, bypassing a biometric credential is as easy as forcing the user to swipe a finger on the sensor. You don’t even have to spend $5 on a wrench.
A few points worth mentioning:
- biometric authentication means that the device is vulnerable in any situation where the user is unconscious or ‘unavailable’, while for classical credentials like PINs and passphrases this scenario conveniently works the opposite way.
- it’s difficult to envision a plausible deniability scheme where one can provide the adversary with a different, fake credential that reveals only uninteresting data, because the user can be observed going about normal life (so it may, for example, be difficult to swipe a different finger under duress, as the adversary may, and probably does, already know which finger is the valid one).
So, are we ready for biometrics? Probably not. But probably, like many innovations Apple has endorsed, this will bring some good, spurring manufacturers into developing safer biometric systems.
Update (24.09.2013): a really good article on the subject (with some first-hand experience of the Touch ID hack) can be found here.
Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies: http://web.mit.edu/6.857/OldStuff/Fall03/ref/gummy-slides.pdf
Chaos Computer Club breaks Apple TouchID: http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
Why I Hacked Apple’s TouchID, And Still Think It Is Awesome: https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/