Slashdot Mirror


Why Your Next Phone Will Include Biometric Security

An anonymous reader sends this quote from Forbes: "... it is an almost certainty that within the next few years, three biometric options will become standard features in every new phone: a fingerprint scanner built into the screen, facial recognition powered by high-definition cameras, and voice recognition based off a large collection of your vocal samples. ... We store an enormous amount of our most intimate and personal information on cell phones. Businesses today are already struggling with policies regarding bringing devices from home, and it’s only going to get more difficult. A study by Symantec highlighted the depth of the problem – around the world, all different types of companies consider enterprise mobile device security to be one of their largest challenges. ... Ever since Apple purchased Authentec Inc in July of last year, there has been an endless stream of news stories obsessing over whether Apple will include a fingerprint scanner in their next release. In reality, Apple is one among many players, and whether they include a biometric sensor in the 5S or wait till the 6 is largely irrelevant, the entire mobile industry has been headed this way for years now. ... There are separate questions as to whether these technologies are ready for such a wide-scale deployment."

12 of 110 comments

  1. Fingerprints? On a touch screen? by Zumbs · Score: 3, Insightful

    How can anyone consider fingerprint identification on a touch screen as anything but toy security? You handle your phone pretty much each day, so it is highly unlikely that your fingerprints will not be all over it, in particular on the screen. With just a little bit of technique, every criminal will be able to get a usable finger print and unlock your phone. Mythbusters pretty much proved how easy these things are to bypass.

    --
    The truth may be out there, but lies are inside your head
    1. Re:Fingerprints? On a touch screen? by Jane Q. Public · Score: 3, Insightful

      "Mythbusters pretty much proved how easy these things are to bypass."

      The problem is that in order to prevent false negatives, the recognition has to be loose enough to allow way too many false positives.

      But -- and here's the big issue, IMHO -- the same is true for facial recognition, and voice recognition.

      So you have 3 "biometric security" options, all of which are ridiculously easy to circumvent.

      Security theater, anybody?

      The really big problem here is that it's a false sense of security. People come to rely on means that aren't secure, and then they feel they are secure. This just makes them sitting ducks for malicious people who know what they're doing.

  2. Ripe for problems by Mitreya · Score: 2

    a fingerprint scanner built into the screen, facial recognition powered by high-definition cameras, and voice recognition

    Oooh, and if you cut your finger/forget to shave or lose your voice temporarily -- who needs to use their phone every day?

    1. Re:Ripe for problems by master_kaos · Score: 2

      Oh shit, I cut my hand off at work, better call 911... o wait.

  3. Great by HalAtWork · Score: 2

    Now identity theft will become so much easier, trojans will be able to steal all that information too and spoofing access will be that much simpler.

  4. Biometrics is a dead-end by gweihir · Score: 5, Insightful

    What all the proponents conveniently gloss over is that biometrics has not solved one fundamental problem: How to change the "password" once it gets stolen. And it will get stolen. Storing hashes does not help at all, as an attacker can just get new samples with ease. They just need to hack the sensors. Other ways exist. And once the biometric print has been compromised, there is nothing that realistically can be done.

    This fundamental limitation is the reason that no real security expert takes biometrics seriously in unsupervised scenarios. There are enough wannabe security experts around that will gladly take a lot of money for biometrics that will not work.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Biometrics is a dead-end by teidou · Score: 4, Interesting

      Yep, that's a serious issue.

      There is a difference between identity and authentication, and that difference is lost when one uses biometric identity measures for authentication.

      Great writeup on this from 2006 over at MSDN

      Short version: identity and authentication must remain distinct if you want to have a system where users are held responsible for their actions.

    2. Re:Biometrics is a dead-end by swillden · Score: 2

      What all the proponents conveniently gloss over is that biometrics has not solved one fundamental problem: How to change the "password" once it gets stolen.

      Biometrics are not passwords. They have some similarities, but also some important differences. Equating the two will just result in misunderstanding both -- as in this case; thinking that biometrics must be changeable like passwords to be useful.

      The intent of a biometric isn't to provide a replaceable, short-lived secret authenticator, it's to provide a public (though not necessarily widely-distributed) authenticator permanently bound to an individual. When designing a biometric security solution you should never assume that the biometric data is secret. Instead, you need to assure that the following assumptions hold:

      1. The object being scanned is actually the subject being authenticated. This is the greatest weakness of biometric authentication in most circumstances, because it's generally fairly easy to scan some other object which replicates the authorized user's characteristics. This is also where biometrics fundamentally differ from passwords, since if this assumption holds it doesn't matter if an attacker knows the characteristics of your face/fingerprint/whatever.

      2. The path between scanner and matching engine is secure, otherwise replay attacks can easily subvert the authentication.

      3. The template storage and matching engine are secure. This is also a problem for password authentication, but it's generally fairly easy to assure in both cases.

      4. The resolution of the matching, at the selected match threshold, is sufficient. The analogous concern in the case of passwords is password length/complexity, but it's a little different because when we talk about password complexity we do it in the context of brute force attacks. The biometric analogy of a brute force attack is presenting many different people, trying to find one that coincidentally matches, which is rarely a concern (assuming the biometric isn't being misused for both identification and authentication). With biometrics, used properly, you just need to assure that the false positive rate is low enough for the threat model.

      So, what does that mean for the idea of biometric security for phones? Assumptions 2 and 3 can probably be invalidated by a sophisticated attacker, but a sophisticated attacker can likely bypass the whole authentication process regardless, so biometrics are no worse than passwords. The same is basically true of assumption 4.

      For cellphones, the problem is obviously assumption #1. The sensors that will be embedded in a phone will of necessity be inexpensive. Even worse, the phone's environment is completely uncontrolled. This creates an ideal environment for an attacker to spoof the sensor with gummy fingers, photographs, etc.

      However, that doesn't make it useless. In particular, incidental and continuous re-authentication is ideal. Rather than using your face or finger to "unlock" the phone, have the phone occasionally check the faces within view of the front-facing camera, or the print of the finger swiping. That won't make it impossible for an attacker to use the phone, but it will make it significantly more difficult and -- this is the key -- do so with zero inconvenience to the authorized user. That sort of security should be added to a password for unlock, though for some people with low personal security requirements it might be able to stand alone.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
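The threshold trade-off that Jane Q. Public raises above (loosen the matcher to avoid false negatives and you admit false positives) and swillden's assumption 4 (the false positive rate at the chosen match threshold) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any vendor: it models a template as a 256-bit string (an assumed stand-in for a real feature template), genuine presentations as that template with up to MAX_FLIPS bits corrupted by sensor noise, and impostor presentations as unrelated random templates, then sweeps the Hamming-distance acceptance threshold and reports the false reject rate (FRR) and false accept rate (FAR) at each setting. All sizes and noise levels are assumptions chosen for illustration.

```python
"""Biometric match-threshold sweep: false-reject vs. false-accept trade-off.

Added example, not code from the page. Templates are 256-bit strings (assumed
stand-in for a real feature template); genuine presentations flip up to
MAX_FLIPS bits (assumed sensor noise); impostors are unrelated random strings.
"""
import random

TEMPLATE_BITS = 256   # assumed template size
MAX_FLIPS = 40        # assumed worst-case noise on a genuine presentation


def enroll(rng: random.Random) -> int:
    """Enrolment: capture the reference template (constructed: random bits)."""
    return rng.getrandbits(TEMPLATE_BITS)


def genuine_presentation(template: int, rng: random.Random) -> int:
    """The enrolled user's later scan: template with 0..MAX_FLIPS distinct bits flipped."""
    flips = rng.randint(0, MAX_FLIPS)
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def impostor_presentation(rng: random.Random) -> int:
    """Somebody else's finger: an unrelated template."""
    return rng.getrandbits(TEMPLATE_BITS)


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def matches(template: int, sample: int, threshold: int) -> bool:
    """The matcher: accept when the sample is within `threshold` bits of the template."""
    return hamming(template, sample) <= threshold


def error_rates(template: int, genuine: list, impostors: list, threshold: int) -> tuple:
    """Return (FRR, FAR) for one threshold over fixed genuine/impostor sample sets."""
    frr = sum(not matches(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(matches(template, s, threshold) for s in impostors) / len(impostors)
    return frr, far


def sweep(thresholds=(0, 20, 40, 100, 120, 128), n: int = 2000, seed: int = 1) -> dict:
    """Map each threshold to its (FRR, FAR); the same samples are reused at every threshold."""
    rng = random.Random(seed)
    template = enroll(rng)
    genuine = [genuine_presentation(template, rng) for _ in range(n)]
    impostors = [impostor_presentation(rng) for _ in range(n)]
    return {t: error_rates(template, genuine, impostors, t) for t in thresholds}


if __name__ == "__main__":
    for t, (frr, far) in sweep().items():
        print(f"threshold {t:3d}: FRR {frr:.3f}  FAR {far:.3f}")
```

At a threshold of 0 nobody but a perfectly clean scan of the enrolled user gets in, so FRR is near 1 while FAR is 0; once the threshold reaches MAX_FLIPS every genuine scan is accepted; and as the threshold is pushed further out to keep accepting noisier scans, FAR climbs towards the fraction of unrelated templates that happen to fall within range. In a real deployment the impostor population is not uniformly random and the sensor noise is larger and less well bounded, which squeezes the usable window between the two curves; that is the engineering question swillden's assumption 4 is asking.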
  5. Re:How about just having whole disk encryption? by scdeimos · Score: 2

    iThingies have had hardware encryption for years. That's why a device erase is so quick - it only needs to erase the master key and everything else is toast. http://support.apple.com/kb/ht4175 and http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf (page 7 onwards)
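The reason a device erase can be fast, as the comment above describes, is that the bulk data never has to be overwritten: each file is encrypted under its own key, those file keys are stored only wrapped under a master key, and destroying the master key makes every wrapped key, and so every file, unrecoverable. The following is an added example of that structure, not Apple's code and not taken from the linked documents. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a standard-library stand-in for the AES modes a real device uses; the key sizes, blob layout and the `Device` class are assumptions for illustration.

```python
"""Crypto-erase with a two-level key hierarchy (added example, not vendor code).

Cipher: HMAC-SHA256 keystream in counter mode plus an HMAC tag, used here as a
stdlib stand-in for AES. Layout, key sizes and the Device model are assumptions.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with tag = HMAC(key, nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Device:
    """Flash holds only wrapped file keys and ciphertext; the master key is kept apart."""

    def __init__(self) -> None:
        self.master_key = secrets.token_bytes(KEY_LEN)   # stand-in for effaceable key storage
        self.flash = {}                                   # name -> (wrapped file key, ciphertext)

    def write_file(self, name: str, data: bytes) -> None:
        file_key = secrets.token_bytes(KEY_LEN)           # fresh per-file key
        self.flash[name] = (seal(self.master_key, file_key), seal(file_key, data))

    def read_file(self, name: str) -> bytes:
        wrapped_key, ciphertext = self.flash[name]
        file_key = open_sealed(self.master_key, wrapped_key)   # fails once the master key is gone
        return open_sealed(file_key, ciphertext)

    def can_read(self, name: str) -> bool:
        try:
            self.read_file(name)
            return True
        except ValueError:
            return False

    def erase(self) -> None:
        """Crypto-erase: overwrite only the master key; nothing in flash is touched."""
        self.master_key = bytes(KEY_LEN)


def demo() -> tuple:
    """Write a file, erase the master key, and report readability before and after."""
    dev = Device()
    dev.write_file("notes.txt", b"constructed sample: meeting at 10, bring the keys")
    before = dev.can_read("notes.txt")
    dev.erase()
    after = dev.can_read("notes.txt")
    return before, after, len(dev.flash)   # (True, False, 1): data still on flash, now unreadable


if __name__ == "__main__":
    print(demo())
```

The property that matters is the last return value: the wrapped key and the ciphertext are still sitting in `flash` after `erase()`, yet nothing can be recovered from them, because the only copy of the master key is gone. That is why the erase takes as long as overwriting one key rather than as long as overwriting the whole storage, and also why the secure storage and the erase path for that one key deserve the most scrutiny in such a design.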

  6. Re:Already done. by Tapewolf · Score: 2

    I had a win 6 phone with a fingerprint scanner years ago from HTC. My current phone (nexus 4) uses the front camera to recognize my face. Are we talking about new to iOS phones?

    They were all the rage ten years ago. HP's PocketPC 3 devices had them. I think they may even have still been Compaq at the time. Using the screen is new, but now I think about it, the scanning devices were probably the same kind of capacitive matrix we're using now.

    What most of these systems did was they hashed the fingerprint anyway, since they were IIRC vectorised, measuring the size and shape of the print. If the new devices do that too, it's less of a security problem, but if there's userspace access to the capacitive grid, you might be able to grab the image of the fingerprint with a trojan.

  7. Re:Motorola Atrix by Jay Carlson · Score: 3, Informative

    Apple buying the vendor for the fingerprint stack might have something to do with Motorola dropping the ATRIX 4G fingerprint sensor.

    The ATRIX 4G was supposed to get an ICS upgrade. There was a "leak" of a partially functional version. My guess is that the licensing issues with Authentec/Apple broke down. Guess Motorola didn't negotiate any long-term contract options.

    It's a shame about how AT&T handled pricing on the LXDE subsystem. The X server implemented on the NVidia framebuffer/compositing layer was pretty nice. In theory Android 4.2.2 should support non-mirrored HDMI better, so hopefully I can get a Linux desktop bigger than 1280x720 on this Galaxy S3.

  8. Re:The Atrix had a fingerprint scanner by Austerity Empowers · Score: 2

    My phone has had facial recognition for a real long time now. Then my son realized he can open the phone by pointing it at my face while I sleep, or a picture of me in the living room, and he can get in. So now I disabled it, because he was really the one I was trying to keep out...