In Defense of Biometrics
There is a new iPhone and it comes with a finger print sensor! What better reason to talk a bit about biometric. In the good old days before Defcon and Wardriving, Biometrics had an ambiance of "high security". Remember the James Bond movie where they cut out a guy's eye to bypass a retina scanner? Those days are long gone. Now we have seen fingerprint and facial recognition systems being bypassed by simple printouts of the fingerprint or face, or rubber molds of fingerprints being used instead of the real thing.
So how meaningful is a fingerprint sensor these days? The right answer is of course: It depends. First on the quality of the sensor, secondly of the software used to analyze the acquired data, and finally the alternative authentication methods it replaces or suplements.
During enrollment, the sensor acquires a reference image of the fingerprint. This image is then analyzed, and certain parameters are extracted from the image. It is these parameters, not the original image, that will be used to compare later authentication attempts. Of course, no two images are quite alike. It may not be possible to identify all the parameters, or some additional characteristics may be discovered that were not visible in the reference scan. The result is that the software has to allow for some variability. For low quality sensors, this variability can be quite large, leaving you with only few distinct features. The result is the same as having a bad password: Many different users will end up with the same "fingerprint" as far as the sensor is concerned.
So what does this mean for the iPhone, or mobile device authentication in general? The problem with mobile device authentication has always been the fact that it is difficult for the user to enter complex passwords on a small keyboard. The result is that most users choose short numeric PINs. There have been a couple of other attempts, for example the Android "pattern" login and the use of cameras for facial recognition. The facial recognition usually suffers from bad sensor quality and from very variable lighting. The pattern login is a pretty neat idea, but I think it hasn't been tested sufficiently to figure out how much patterns users choose actually differ.
There is one thing Apple appears to have done right: The fingerprint data stays on the phone, and is not backed up to any cloud service. If this information got lost, an attacker could use it to reconstruct a duplicate of the finger, which in turn could be used for biometric identification even beyond the iPhone itself.
As far as the quality of the image sensor and software: We will have to wait for it to be tested once the phone is released. It probably does not include more advanced feat rues like measuring the users body temperature or observing blood flow. But I hope it will be better then a 4 digit pin.
One easy improvement: Make it "real two factor" by allowing users to require a PIN/Password in addition to the fingerprint. Could they have done better then a fingerprint? There are a few different common biometric sensors: Facial recognition, Fingerprint, Weight/Height, retina scans and iris scans. Fingerprints are probably best considering the price of the sensor and the difficulty to acquire the data.
Finally: There is probably one real big vulnerability here. A stolen iPhone is likely covered in the user's fingerprints. It shouldn't be too hard for an attacker to lift a finger print off the phone itself to bypass the sensor.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Sep 11th 2013
1 decade ago
Anonymous
Sep 12th 2013
1 decade ago
Also 007 disguised his fingerprints in Diamonds are Forever, leaving fake prints on a drinking glass. He also had a rifle in License to Kill programmed with a biometric signature only his palm could activate.
The Bourne Supremacy features an HP iPaQ supposedly scanning and transmitting fingerprint collected in the field. The H5400, released about 10 years ago, did in fact have a (thermal) fingerprint scanning strip as an optional sign-in method.
Anonymous
Sep 12th 2013
1 decade ago
Here what is mentioned about the system
Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn’t been unlocked for 48 hours. This feature is meant to block hackers from stalling for time as they try to find a way to circumvent the fingerprint scanner.
Apple says testing has shown that although the sensor is substantially better than fingerprint protection systems found in laptops, it will fail occasionally. In particular, Apple points out that moist fingers (such as sweat or residue from creams and lotions) do not work well with the device. The system may also have difficulty reading fingers that have scarred skin. However, as Touch ID can manage up to five fingerprint profiles at a time, Apple notes that customers can still take advantage of the feature by simply using a different finger for recognition.
Anonymous
Sep 12th 2013
1 decade ago
Anonymous
Sep 12th 2013
1 decade ago
http://www.infoworld.com/d/mobile-technology/the-iphone-5s-fingerprint-reader-what-you-need-know-226695
Anonymous
Sep 13th 2013
1 decade ago